ip_conntrack: table full, dropping packet - Solution

After we enabled iptables, packet loss appeared: ping showed intermittent loss, ifconfig showed the interface's dropped:XXX counter climbing steadily, and /var/log/messages filled with lines such as:

ip_conntrack: table full, dropping packet.

The cause is that enabling iptables loads the ip_conntrack module to track every connection, and by default ip_conntrack_max is 65536; once the table is full, new packets are dropped. One failure caused by iptables in this way is an FTP directory listing that never completes (see the separate article "PureFTP read the directory list failed"). To view the maximum ip_conntrack table size:
# cat /proc/sys/net/ipv4/ip_conntrack_max
To view the number of entries currently in the ip_conntrack table:
# wc -l /proc/net/ip_conntrack
Workarounds:

Scheme 1: enlarge the ip_conntrack table and shorten the timeouts. Add the following to /etc/sysctl.conf:
# /etc/sysctl.conf 
net.ipv4.netfilter.ip_conntrack_max = 6553600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 300
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 12
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
# sysctl -p   (apply the settings)
With this scheme, after every restart of iptables you must run sysctl -p again (the module is reloaded and the values reset), so sysctl -p can also be added to the iptables startup script. The hidden danger of ip_conntrack filling up, however, still exists.

Scheme 2: do not load the ip_conntrack module at all. Edit the /etc/sysconfig/iptables-config file:
# vim /etc/sysconfig/iptables-config 
IPTABLES_MODULES=""
and do not use state-matching rules in /etc/sysconfig/iptables, such as:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
After these settings, if the kernel parameters from scheme 1 are still in /etc/sysctl.conf, sysctl -p reports the following errors:

error: "net.ipv4.netfilter.ip_conntrack_max" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_established" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait" is an unknown key
error: "net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait" is an unknown key

These errors appear because the ip_conntrack module is no longer loaded, which is exactly what we want. Check whether the ip_conntrack module is loaded:

[figure ip_conntrack_table-2: listing of loaded modules; image not recoverable]

Scheme 2 is the recommended one. For reprints please credit the source: ip_conntrack table full dropping packet Solution, http://www.ttlsa.com/html/2303.html
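As an added example (not code from the original post), the shell script below turns the manual checks above into something an operator can run by hand or from cron: it computes how full the conntrack table is relative to its maximum, classifies the result, and counts "table full, dropping packet" messages in a log file, which is the earliest sign that the table has overflowed. It assumes the legacy paths used in the post (ip_conntrack_max and /proc/net/ip_conntrack) on old kernels and falls back to the nf_conntrack_max / nf_conntrack_count sysctls that newer kernels provide; the table dump and log excerpt in the demo are constructed sample data, and the 80% / 95% thresholds are an assumption, not values from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: check conntrack table
# utilisation and look for the kernel's "table full" drop messages.
# Assumptions: legacy ip_conntrack paths from the post on old kernels;
# newer kernels expose the same data as nf_conntrack_max / nf_conntrack_count.

# Number of tracked connections in a conntrack table dump (one entry per line).
conntrack_count() {
    wc -l < "$1" | tr -d ' '
}

# Integer percentage of the table in use: $1 = current entries, $2 = maximum.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Classify utilisation: ok (<80%), warn (80-94%), critical (>=95%).
# The thresholds are an assumption chosen for this example.
conntrack_status() {
    pct=$(conntrack_pct "$1" "$2")
    if [ "$pct" -ge 95 ]; then
        echo critical
    elif [ "$pct" -ge 80 ]; then
        echo warn
    else
        echo ok
    fi
}

# Count "table full, dropping packet" events in a log file. The pattern
# matches both the old ip_conntrack and the newer nf_conntrack message.
conntrack_drops() {
    grep -c 'conntrack: table full, dropping packet' "$1" || true
}

# Live check: use whichever sysctl names the running kernel provides.
# Returns 1 when no conntrack module is loaded (the state after scheme 2).
check_live() {
    if [ -r /proc/sys/net/ipv4/ip_conntrack_max ]; then
        max=$(cat /proc/sys/net/ipv4/ip_conntrack_max)
        count=$(conntrack_count /proc/net/ip_conntrack)
    elif [ -r /proc/sys/net/netfilter/nf_conntrack_max ]; then
        max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
        count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    else
        echo "conntrack module not loaded: no ip_conntrack_max or nf_conntrack_max"
        return 1
    fi
    echo "conntrack: $count / $max entries ($(conntrack_pct "$count" "$max")%) -> $(conntrack_status "$count" "$max")"
}

# Demo on constructed data so the script runs on any host: a fake
# three-entry table dump and a fake /var/log/messages excerpt.
demo() {
    tbl=$(mktemp)
    log=$(mktemp)
    cat > "$tbl" <<'EOF'
tcp      6 299 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=51234 dport=22 (constructed)
tcp      6 11 TIME_WAIT src=10.0.0.5 dst=10.0.0.9 sport=51235 dport=80 (constructed)
udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=5353 dport=53 (constructed)
EOF
    cat > "$log" <<'EOF'
Mar  1 10:00:01 gw kernel: ip_conntrack: table full, dropping packet.
Mar  1 10:00:01 gw kernel: ip_conntrack: table full, dropping packet.
Mar  1 10:00:05 gw sshd[1234]: Accepted publickey for admin from 10.0.0.5
EOF
    echo "entries in constructed table: $(conntrack_count "$tbl")"
    echo "status at 63000/65536 (the post's default max): $(conntrack_status 63000 65536)"
    echo "drop messages in constructed log: $(conntrack_drops "$log")"
    rm -f "$tbl" "$log"
}

# Run the demo, then the live check if this host has conntrack loaded.
demo
check_live || true
```

On a host that followed scheme 2, check_live reports that no conntrack module is loaded, which is the expected state; note that without conntrack the `-m state` rules shown above cannot work, which is why the post removes them. On a host that kept scheme 1, a `warn` or `critical` status is the cue to raise the maximum or shorten the timeouts before the kernel starts dropping packets.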

Reproduced from: https://my.oschina.net/766/blog/210930


Origin blog.csdn.net/weixin_34346099/article/details/91492978