nf_conntrack: table full, dropping packet

Parkour_Lama
Posts: 26
Joined: Sat Sep 12, 2020 2:02 pm

nf_conntrack: table full, dropping packet

Post by Parkour_Lama »

Hello,
As the title says, after about 4 days or so of uptime, my log is flooded with the same message.

This article really cleared up the basics, but since I'm not very knowledgeable about this, I wanted to confirm.

Is this supposed to happen? I'm not open to the internet, so it shouldn't be caused by a DDoS attack; the table is just full due to regular traffic?
Option 1, which is completely removing nf_conntrack support, seems to be the only permanent solution. I don't want to increase the max size at the cost of memory, as the RasPi is already limited in that field. Besides, I suppose that'll just give the same error when it's filled up as well.

Am I risking anything major/important by proceeding? Will there be a noticeable tradeoff in features?
Thanks in advance.
Joulinar
Posts: 4536
Joined: Sat Nov 16, 2019 12:49 am

Re: nf_conntrack: table full, dropping packet

Post by Joulinar »

If I'm not mistaken, this is coming from iptables, and I'm not sure if it is a good idea to remove the limit on the max number of connections.

It would be better to find out why you have so many open connections. Did you check the current number?

    /sbin/sysctl net.netfilter.nf_conntrack_count
To reduce the number, you could try to shorten the timeout values:

    net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
    net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
maybe even to a lower value.

https://kodeslogic.medium.com/how-to-fi ... fedc6c463d
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
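To act on the advice above (find out what is filling the table before raising nf_conntrack_max), here is an added diagnostic script, not code from the thread or from DietPi. It summarises a /proc/net/nf_conntrack dump by protocol, TCP state and source address, and grades the count against the max; the SAMPLE lines are constructed to mimic the kernel's format and are not real data.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a conntrack table dump so you
# can see what fills it before raising nf_conntrack_max. On a live box:
#   cat /proc/net/nf_conntrack | conntrack_by_state
# SAMPLE is constructed to mimic /proc/net/nf_conntrack lines (not real data).

# Entries per protocol, split by TCP state for tcp (field 6 is the state).
conntrack_by_state() {
    awk '{ key = $3; if ($3 == "tcp") key = key " " $6; n[key]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Entries per original-direction source address (the first src= field).
conntrack_by_src() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); n[$i]++; break } }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Percent of the table in use (count vs nf_conntrack_max) plus a level word.
conntrack_usage() {
    count=$1; max=$2
    pct=$(( count * 100 / max ))
    if [ "$pct" -ge 90 ]; then level=CRITICAL
    elif [ "$pct" -ge 70 ]; then level=WARN
    else level=OK; fi
    printf '%s %s\n' "$pct" "$level"
}

SAMPLE='ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.5 sport=51413 dport=6881 src=203.0.113.5 dst=192.168.1.10 sport=6881 dport=51413 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51413 dport=6881 src=198.51.100.7 dst=192.168.1.10 sport=6881 dport=51413 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 59 TIME_WAIT src=192.168.1.10 dst=198.51.100.9 sport=51413 dport=6881 src=198.51.100.9 dst=192.168.1.10 sport=6881 dport=51413 [ASSURED] mark=0 use=2
ipv4 2 udp 17 29 src=192.168.1.10 dst=203.0.113.44 sport=6881 dport=6881 src=203.0.113.44 dst=192.168.1.10 sport=6881 dport=6881 mark=0 use=2
ipv4 2 udp 17 29 src=192.168.1.10 dst=198.51.100.21 sport=6881 dport=6881 src=198.51.100.21 dst=192.168.1.10 sport=6881 dport=6881 mark=0 use=2
ipv4 2 udp 17 29 src=192.168.1.20 dst=192.168.1.1 sport=40123 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=40123 mark=0 use=2'

# Demo run on the constructed sample; swap SAMPLE for the real /proc file.
printf '%s\n' "$SAMPLE" | conntrack_by_state
printf '%s\n' "$SAMPLE" | conntrack_by_src
conntrack_usage 64906 65536   # the thread's numbers: prints "99 CRITICAL"
```

A single LAN host dominating conntrack_by_src with many peer entries on one port is the pattern a torrent client produces; the state breakdown tells you whether shorter TIME_WAIT/FIN_WAIT timeouts can help or whether the entries are live ESTABLISHED/UDP flows that only a lower connection limit in the client will reduce.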
Parkour_Lama
Posts: 26
Joined: Sat Sep 12, 2020 2:02 pm

Re: nf_conntrack: table full, dropping packet

Post by Parkour_Lama »

The output of

    /sbin/sysctl net.netfilter.nf_conntrack_count
is 65536, which is the same as the max allocated by

    /sbin/sysctl -a|grep -i nf_conntrack_max
Could you please elaborate on checking open connections?
As for programs, I don't have port forwarding so I use Pitunnel as a failsafe. Other than that, it's just nextcloud and deluge.
And regarding timeout values, I've shortened them all to 60 and applied the changes with sysctl -p, but no change so far.

Unfortunately your article won't open for me at the time of writing, so I haven't been through it.
Aren't the values/entries supposed to be automatically cleared? Otherwise won't they just keep piling up over time and lead to the same error?
Joulinar
Posts: 4536
Joined: Sat Nov 16, 2019 12:49 am

Re: nf_conntrack: table full, dropping packet

Post by Joulinar »

What happens if you stop deluge? Maybe there are too many open torrents/connections?
Parkour_Lama
Posts: 26
Joined: Sat Sep 12, 2020 2:02 pm

Re: nf_conntrack: table full, dropping packet

Post by Parkour_Lama »

That... actually works!
The values seem to be dropping slowly over the hours; it's currently at 64906.

So deluge is requesting too many connections over a certain period of time, I suppose reducing the max global connections would counter this?

Thanks for your help! :D
Joulinar
Posts: 4536
Joined: Sat Nov 16, 2019 12:49 am

Re: nf_conntrack: table full, dropping packet

Post by Joulinar »

Not sure if there is something you can do in deluge.
Parkour_Lama
Posts: 26
Joined: Sat Sep 12, 2020 2:02 pm

Re: nf_conntrack: table full, dropping packet

Post by Parkour_Lama »

Alright, I'll just ask in the deluge forums.