
[suse-security] connection-tracking tables full on SuSE 9.0 with SuSEfirewall2



Hi everyone,

I found messages like this on my SuSE 9.0 box that runs SuSEfirewall2:

Sep  2 10:16:06 mylinux kernel: NET: 38 messages suppressed.
Sep  2 10:16:06 mylinux kernel: ip_conntrack: table full, dropping packet.
Sep  2 10:16:12 mylinux kernel: NET: 31 messages suppressed.
Sep  2 10:16:12 mylinux kernel: ip_conntrack: table full, dropping packet.

As I read that one can raise the maximum of connections to be tracked I did the following:

# echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max

Now the logfile entries have disappeared. I checked /proc/net/ip_conntrack and there are about 800 lines in it. So I wonder why packets got dropped just 5 minutes ago when the limit was set to about 16,000? And why did some packets get through and others not (I could log into the machine with ssh with no problems)? Is there maybe a limit for each iptables rule that is calculated from ip_conntrack_max divided by the number of rules? And one last question - is 65535 the maximum for ip_conntrack_max, or could it be set higher?

Thanks and greetings,

Ralf
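As an added example (not code from the original post, SuSEfirewall2 or the kernel), the following script shows the three checks a practitioner would run when chasing "ip_conntrack: table full" messages: counting the real number of dropped packets by adding the "NET: N messages suppressed." lines to the logged drops, comparing the current entry count against ip_conntrack_max, and breaking a /proc/net/ip_conntrack dump down by protocol and state to see what is actually occupying the table. All input below is constructed inline (the log lines are modelled on the ones in the post, the conntrack snapshot assumes the 2.4-kernel /proc/net/ip_conntrack layout) so it runs offline; on a real box you would pipe in /var/log/messages and /proc/net/ip_conntrack and read the maximum from /proc/sys/net/ipv4/ip_conntrack_max.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed sample data follows.

# Constructed kernel log excerpt modelled on the lines in the post.
SAMPLE_LOG='Sep  2 10:16:06 mylinux kernel: NET: 38 messages suppressed.
Sep  2 10:16:06 mylinux kernel: ip_conntrack: table full, dropping packet.
Sep  2 10:16:12 mylinux kernel: NET: 31 messages suppressed.
Sep  2 10:16:12 mylinux kernel: ip_conntrack: table full, dropping packet.
Sep  2 10:16:20 mylinux sshd[1234]: Accepted publickey for ralf from 10.0.0.5'

# Constructed /proc/net/ip_conntrack snapshot (assumed 2.4-kernel layout).
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=40001 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=40001 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=10.0.0.9 dst=10.0.0.1 sport=40002 dport=80 src=10.0.0.1 dst=10.0.0.9 sport=80 dport=40002 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=10.0.0.9 dst=10.0.0.1 sport=40003 dport=80 src=10.0.0.1 dst=10.0.0.9 sport=80 dport=40003 [ASSURED] use=1
udp      17 25 src=10.0.0.7 dst=10.0.0.1 sport=5000 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.7 sport=53 dport=5000 use=1
udp      17 20 src=10.0.0.7 dst=10.0.0.1 sport=5001 dport=53 [UNREPLIED] src=10.0.0.1 dst=10.0.0.7 sport=53 dport=5001 use=1'

# count_table_full_drops: reads kernel log text on stdin and prints how many
# packets were dropped for "table full": each logged line counts one, plus the
# N from the "NET: N messages suppressed." line the kernel rate limiter prints
# before it. Caveat: that limiter covers all rate-limited net messages, so the
# total is an upper bound if other net messages were suppressed at the time.
count_table_full_drops() {
    awk '
        /ip_conntrack: table full, dropping packet/ { logged++ }
        /messages suppressed/ {
            for (i = 2; i <= NF; i++)
                if ($i == "messages") suppressed += $(i - 1)
        }
        END { printf "%d\n", logged + suppressed }
    '
}

# conntrack_usage_pct ENTRIES MAX: prints tracked entries as an integer
# percentage of ip_conntrack_max.
conntrack_usage_pct() {
    entries=$1; max=$2
    [ "$max" -gt 0 ] || { echo "ip_conntrack_max must be positive" >&2; return 1; }
    echo $(( entries * 100 / max ))
}

# summarize_conntrack: reads an ip_conntrack dump on stdin and prints
# "proto state count" per combination, so you can tell whether the table is
# held by live sessions (ESTABLISHED) or by expiring or unanswered entries
# (TIME_WAIT, UNREPLIED) that shorter timeouts would free.
summarize_conntrack() {
    awk '
        {
            proto = $1
            # TCP lines carry a state name in field 4; UDP lines do not.
            state = ($4 ~ /^[A-Z_]+$/) ? $4 : "-"
            if ($0 ~ /\[UNREPLIED\]/) state = state "/UNREPLIED"
            count[proto " " state]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# count_state PROTO STATE: count for one proto/state key in the sample dump.
count_state() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | summarize_conntrack |
        awk -v k="$1 $2" '($1 " " $2) == k { print $3; found = 1 }
                           END { if (!found) print 0 }'
}

# Demo on the constructed data (800 entries is the figure from the post).
echo "dropped packets in log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full_drops)"
echo "table usage at max 65535: $(conntrack_usage_pct 800 65535)%"
printf '%s\n' "$SAMPLE_CONNTRACK" | summarize_conntrack
```

The drop count explains the apparent contradiction in the post: two logged lines actually stand for 71 dropped packets, and the table can be full in a burst and back to a few hundred entries minutes later once short-lived entries time out, which is why a snapshot of /proc/net/ip_conntrack taken afterwards looks nearly empty while an already-established ssh session kept working.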


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here