sidnei
1
Hi all,
I have a VyOS 1.3 with 16Gb and traffic of about <10Gb.
I receive in my /var/log/messages:
Apr 9 16:38:35 algar kernel: [213232.978063] nf_conntrack: nf_conntrack: table full, dropping packet
Apr 9 16:38:35 algar kernel: [213232.984020] nf_conntrack: nf_conntrack: table full, dropping packet
Apr 9 16:38:35 algar kernel: [213232.989186] nf_conntrack: nf_conntrack: table full, dropping packet
Apr 9 16:38:35 algar kernel: [213232.989192] nf_conntrack: nf_conntrack: table full, dropping packet
Can I resolve this?
Thanks,
Sidnei
tjh
2
You can!
Look at the following tunables:
set system conntrack table-size
set system conntrack expect-table-size
set system conntrack hash-size
You can see what the current table size is by doing:
cat /proc/sys/net/netfilter/nf_conntrack_max
Some Googling of those parameters will help you to tune them, but the immediate fix will be to increase table-size.
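Added example, not part of the original post: a small POSIX shell check that compares the live entry count with nf_conntrack_max and counts the "table full" messages in a log, so the table can be watched before it starts dropping packets. The function names, the CT_DIR override and the 80% warning threshold are assumptions; nf_conntrack_count is the standard counter file that sits beside nf_conntrack_max.

```shell
#!/bin/sh
# Added example: conntrack table headroom check (not from the thread).
# Function names, the CT_DIR override and the 80% default are assumptions.
CT_DIR="${CT_DIR:-/proc/sys/net/netfilter}"

# Print the integer percentage of the conntrack table currently in use.
conntrack_usage_pct() {
    ct_dir="${1:-$CT_DIR}"
    ct_count=$(cat "$ct_dir/nf_conntrack_count" 2>/dev/null) || return 2
    ct_max=$(cat "$ct_dir/nf_conntrack_max" 2>/dev/null) || return 2
    [ "$ct_max" -gt 0 ] 2>/dev/null || return 2
    echo $(( ct_count * 100 / ct_max ))
}

# Count "table full" kernel messages in a log file (or stdin if no file).
# The kernel rate-limits this message, so the count is a lower bound on drops.
conntrack_drop_events() {
    ct_n=$(grep -c 'nf_conntrack: table full, dropping packet' ${1:+"$1"} 2>/dev/null) \
        || [ "$ct_n" = 0 ] || return 2
    echo "$ct_n"
}

# Return 0 below the threshold, 1 at or above it, 2 if counters are unreadable.
conntrack_check() {
    ct_warn="${1:-80}"
    ct_pct=$(conntrack_usage_pct "${2:-$CT_DIR}") || return 2
    if [ "$ct_pct" -ge "$ct_warn" ]; then
        echo "WARN conntrack table ${ct_pct}% full (threshold ${ct_warn}%)"
        return 1
    fi
    echo "OK conntrack table ${ct_pct}% full"
}

# The four log lines from the first post, used as sample input.
sample_log() {
    cat <<'EOF'
Apr 9 16:38:35 algar kernel: [213232.978063] nf_conntrack: nf_conntrack: table full, dropping packet
Apr 9 16:38:35 algar kernel: [213232.984020] nf_conntrack: nf_conntrack: table full, dropping packet
Apr 9 16:38:35 algar kernel: [213232.989186] nf_conntrack: nf_conntrack: table full, dropping packet
Apr 9 16:38:35 algar kernel: [213232.989192] nf_conntrack: nf_conntrack: table full, dropping packet
EOF
}

# Usage on the router itself: sh conntrack_check.sh run [threshold]
if [ "${1:-}" = run ]; then
    conntrack_check "${2:-80}"
    echo "table-full log events: $(conntrack_drop_events /var/log/messages)"
fi
```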
Dmitry
3
Hi @sidnei. Do you have NAT or a stateful firewall on this router?
Maybe it is better to disable conntrack for more performance?
sidnei
4
Hi.
I don't have NAT, and my firewall is simple:
show firewall
 all-ping enable
 broadcast-ping disable
 config-trap disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name entrada {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action accept
         source {
             address x.x.x.x/30
         }
     }
 }
 receive-redirects disable
 send-redirects enable
 source-validation disable
 syn-cookies enable
 twa-hazards-protection disable
[edit]
In this case, can I disable conntrack?
Sidnei
Dmitry
5
Hi @sidnei. No, this firewall is stateful:
 state {
     established enable
     related enable
 }
sidnei
6
Hello,
I removed the stateful and disabled the conntrack.
Resolved the problem.
Thanks all.
Sidnei