nf_queue log messages

I have an E3 1230 based system doing NAT for about 150 devices and I’m seeing entries in my log like this:

Jan 14 20:38:14 x kernel: [2056231.839942] nf_queue: full at 1024 entries, dropping packets(s)

They tend to appear most often during “high” traffic (200Mbps+) periods, but do appear during “normal” traffic (30-100Mbps) periods. I’ll see 4 or 5 entries over a period of a few minutes, in a few groups like this; 6-7 events like this on a typical day.

I haven’t been able to find a whole lot of info, but I gather a packet queue is overflowing because it can’t be processed fast enough. However, I’ve never seen CPU usage over a few percent. It’s hard to fathom this load even remotely taxing the system.

No real-world problems reported by users, but still looks like something that shouldn’t be happening. The device count and traffic will only increase.

Config attached if anyone has any ideas. Maybe I’ve committed some firewall/NAT taboo . . .

Version: VyOS 1.1.6
Description: VyOS 1.1.6 (helium)
Copyright: 2015 VyOS maintainers and contributors
Built by: maintainers@vyos.net
Built on: Mon Aug 17 03:58:33 UTC 2015
Build ID: 1508170358-a3033d5
System type: x86 64-bit
Boot via: image
HW model: x
HW S/N: x
HW UUID: x
Uptime: 22:48:30 up 23 days, 21:54, 3 users, load average: 0.05, 0.04, 0.05
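Before deciding whether a queue limit needs raising, it helps to know whether the drops arrive as short bursts under load or as a steady trickle. The script below is an added example, not code from the thread or from VyOS: it pulls every `nf_queue: full` line out of a kernel log, groups them into bursts using the kernel uptime stamp in square brackets (which avoids the missing year in syslog timestamps), and reports the queue capacity the kernel printed. The sample log lines are constructed to match the format in the post, and the 300-second burst gap is an assumed threshold.

```python
import re

# Constructed sample lines in the syslog format shown in the post (not a real capture).
SAMPLE_LOG = """\
Jan 14 20:38:14 x kernel: [2056231.839942] nf_queue: full at 1024 entries, dropping packets(s)
Jan 14 20:38:15 x kernel: [2056232.101233] nf_queue: full at 1024 entries, dropping packets(s)
Jan 14 20:39:02 x kernel: [2056279.554001] nf_queue: full at 1024 entries, dropping packets(s)
Jan 14 20:40:10 x kernel: [2056347.770120] eth0: link up
Jan 14 22:05:41 x kernel: [2061519.001000] nf_queue: full at 1024 entries, dropping packets(s)
Jan 14 22:05:42 x kernel: [2061520.412000] nf_queue: full at 1024 entries, dropping packets(s)
"""

# Matches the kernel's "nf_queue: full at N entries" message; the uptime field is the
# seconds-since-boot stamp the kernel prints in brackets (may be space-padded).
NF_QUEUE_FULL = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"\[\s*(?P<uptime>\d+\.\d+)\] nf_queue: full at (?P<cap>\d+) entries"
)


def parse_events(log_text):
    """Return (wall_clock_str, uptime_seconds, queue_capacity) for each nf_queue-full line."""
    events = []
    for line in log_text.splitlines():
        m = NF_QUEUE_FULL.search(line)
        if m:
            events.append((m.group("ts"), float(m.group("uptime")), int(m.group("cap"))))
    return events


def group_bursts(events, gap_seconds=300):
    """Group consecutive events whose uptime stamps are within gap_seconds of each other.

    Uptime is monotonic within one boot, so it is safer than the year-less syslog
    timestamp for measuring intervals (assumed threshold: 300 s between bursts).
    """
    bursts = []
    for ev in events:
        if bursts and ev[1] - bursts[-1][-1][1] <= gap_seconds:
            bursts[-1].append(ev)
        else:
            bursts.append([ev])
    return bursts


def summarize(log_text, gap_seconds=300):
    """Summarize how often the queue filled and whether drops cluster into bursts."""
    events = parse_events(log_text)
    bursts = group_bursts(events, gap_seconds)
    return {
        "events": len(events),
        "bursts": len(bursts),
        # Capacities seen in the log; a single value across all events suggests one fixed limit.
        "queue_capacities": sorted({cap for _, _, cap in events}),
        # (first wall-clock stamp, last wall-clock stamp, drops) per burst
        "burst_windows": [(b[0][0], b[-1][0], len(b)) for b in bursts],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['events']} nf_queue-full events in {report['bursts']} burst(s), "
          f"queue capacity {report['queue_capacities']}")
    for start, end, n in report["burst_windows"]:
        print(f"  {start} .. {end}: {n} drops")
```

Run it against `/var/log/messages` (or `dmesg` output) by passing the file contents to `summarize()`. Bursts that line up with the 200Mbps+ periods the post describes point at a consumer that cannot drain the queue fast enough under load, which is a different problem from a conntrack or ARP table that is simply too small.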

Hi,

That’s probably due to your conntrack table.
Try doing a

That will probably show high usage.

The fix is to bump the table-size higher.

Be careful not to raise it too high, as it will use more memory.

You might also want to check your ARP table, which could be too low as well, if you have hosts with multiple IPs.

Which can be raised with

Thanks, I have looked into those things - all well within tolerances and plenty of buffer. This particular message seems to be related to some sort of hard-coded queue length.