Bug 144875 - ip_conntrack table full
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: kernel
Version: 3
Hardware: i686 Linux
Priority: medium
Severity: high
Assigned To: Dave Jones
Reported: 2005-01-12 04:02 EST by Stephen Collier
Modified: 2015-01-04 17:15 EST
Doc Type: Bug Fix
Last Closed: 2005-01-31 13:13:44 EST
Attachments: None
Description Stephen Collier 2005-01-12 04:02:58 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
ip_conntrack table full dropping packets. Going back to
kernel-2.6.9-1.724_FC3 fixes the problems. It seems to be related to
https://lists.netfilter.org/pipermail/netfilter-devel/2004-December/017908.html.
It seems to not be releasing the connections from the table even
after they are long gone.

Version-Release number of selected component (if applicable):
kernel-2.6.10-1.737_FC3

How reproducible:
Always

Steps to Reproduce:
1. use iptables with ip_conntrack
2. large number of connections (mail gateway)
3. run for a few hours

Actual Results:  drops packets

Additional info:
Comment 1 Thomas Woerner 2005-01-12 05:23:37 EST
This is a kernel problem. 
Assigning to kernel.
Comment 2 Jason Eisert 2005-01-13 17:18:03 EST
I have confirmed this as a problem as well.
Comment 3 Jason Eisert 2005-01-14 10:54:22 EST
Does the

    Connection track/rst fix (Martin Josefsson)

correct this problem in the kernel release

kernel-2.6.10-1.741_FC3
Comment 4 Zing 2005-01-19 23:00:31 EST
kernel-2.6.10-1.741_FC3 works for me.

# cat /proc/net/ip_conntrack|wc -l
1055

much better than the ~32000 i would get with -737
Comment 5 Jason Eisert 2005-01-25 10:03:25 EST
kernel-2.6.10-1.741_FC3 appears to still have the bug.
Comment 6 Trevor Cordes 2005-01-27 17:26:16 EST
Yes, 741 still has the bug for sure. It bit me too just recently.
Unreplied TCP connections will hang around for 5 days and quickly fill
the 32k (depending on your RAM) table size.  I was doing nmap scans of
my own network and it would fill up the table in no time!

This is a very bad bug that under many normal conditions will cause
dropped connections to/from a system, resulting in intermittent and
hard to diagnose networking issues.
Comment 7 Stephen Collier 2005-01-28 17:39:21 EST
I installed 741 last night; it seems to be OK. I am getting back to
the 150 or so table, not the 32000. I will confirm next week when full
load comes on the server on a weekday.
Comment 8 Stephen Collier 2005-01-31 04:51:17 EST
kernel-2.6.10-1.741_FC3 has been running fine all day today. It has
resolved my ip_conntrack bug.

# cat /proc/net/ip_conntrack|wc -l
83

much better than 32000
Comment 9 Trevor Cordes 2005-02-01 10:19:14 EST
This bug is NOT fixed as of 741!  My test from Jan 27 still has the
entries from that date.

To easily fill up your table with entries that don't expire for way
too long:

nmap -S 192.168.100.1 -sP 192.168.100.2-254

(change 192.168.100 to your internal subnet/ip)

each run of that command adds a couple hundred entries to the table:

cat /proc/net/ip_conntrack | wc

and they don't go away for at least days.

Tested and verified on: 2.6.10-1.741_FC3smp
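One way to check for the condition described in comments 6 and 9 (entries with no reply ever seen that nevertheless hold a multi-day timeout, crowding out the table) is to parse /proc/net/ip_conntrack and group entries by protocol, state and reply status. This is an added example, not code from the bug report or from the kernel; the sample lines are constructed in the 2.6-era format, the 32000 limit is the table size quoted in the thread, and the one-day staleness threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample of /proc/net/ip_conntrack lines in the 2.6-era format:
#   proto protonum timeout [tcp-state] orig-tuple [UNREPLIED] reply-tuple [ASSURED] use=N
# Lines 2 and 3 model the symptom from the thread: no reply ever seen, yet a
# multi-day timeout; the others are ordinary short-lived entries.
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.100.7 dst=10.1.1.1 sport=40123 dport=25 src=10.1.1.1 dst=192.168.100.7 sport=25 dport=40123 [ASSURED] use=1
tcp      6 431950 ESTABLISHED src=192.168.100.1 dst=192.168.100.2 sport=41000 dport=80 [UNREPLIED] src=192.168.100.2 dst=192.168.100.1 sport=80 dport=41000 use=1
tcp      6 431950 ESTABLISHED src=192.168.100.1 dst=192.168.100.3 sport=41001 dport=80 [UNREPLIED] src=192.168.100.3 dst=192.168.100.1 sport=80 dport=41001 use=1
tcp      6 118 SYN_SENT src=192.168.100.7 dst=10.1.1.2 sport=50000 dport=443 [UNREPLIED] src=10.1.1.2 dst=192.168.100.7 sport=443 dport=50000 use=1
udp      17 29 src=192.168.100.7 dst=192.168.100.254 sport=5353 dport=53 [UNREPLIED] src=192.168.100.254 dst=192.168.100.7 sport=53 dport=5353 use=1
icmp     1 29 src=192.168.100.1 dst=192.168.100.9 type=8 code=0 id=1 [UNREPLIED] src=192.168.100.9 dst=192.168.100.1 type=0 code=0 id=1 use=1
"""

CONNTRACK_MAX = 32000        # table size quoted in the thread; a live box has it in /proc/sys/net/ipv4/ip_conntrack_max
STALE_UNREPLIED = 24 * 3600  # assumption: an entry that never saw a reply should not hold a day-long timeout

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<rest>.*)$")

def parse_entry(line):
    """Parse one conntrack line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    src = re.search(r"src=(\S+)", rest)   # first tuple = original direction
    dst = re.search(r"dst=(\S+)", rest)
    return {"proto": m.group("proto"), "timeout": int(m.group("timeout")),
            "state": m.group("state") or "-", "unreplied": "[UNREPLIED]" in rest,
            "src": src.group(1) if src else "?", "dst": dst.group(1) if dst else "?"}

def summarize(text, conntrack_max=CONNTRACK_MAX):
    """Group entries by (proto, state, replied?) and single out stale unreplied ones."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    by_state = Counter((e["proto"], e["state"], "unreplied" if e["unreplied"] else "replied")
                       for e in entries)
    stale = [e for e in entries if e["unreplied"] and e["timeout"] > STALE_UNREPLIED]
    # which original sources own the stale entries, i.e. what is filling the table
    top_sources = Counter(e["src"] for e in stale).most_common(3)
    return {"total": len(entries), "headroom": conntrack_max - len(entries),
            "by_state": by_state, "stale_unreplied": stale, "top_sources": top_sources}

if __name__ == "__main__":
    report = summarize(SAMPLE)   # on a live system: summarize(open("/proc/net/ip_conntrack").read())
    print(f"{report['total']} entries, headroom {report['headroom']}")
    print("by state:", dict(report["by_state"]))
    print("stale unreplied:", len(report["stale_unreplied"]), "top sources:", report["top_sources"])
```

Run against the real table, a steadily growing stale count with a day-long timeout on unreplied flows is the signature of this bug rather than of genuine load.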
