
How to fix nf_conntrack: table full, dropping packet


What is nf_conntrack?

nf_conntrack is a Linux kernel module that allows the operating system to keep track of all network connections passing through it. It is used to implement Network Address Translation (NAT), firewalling, and other network services. nf_conntrack maintains a table of all active connections, including information about the source and destination IP addresses, port numbers, and connection state.

What Causes the “nf_conntrack: table full” Error?

The nf_conntrack module uses a finite amount of kernel memory to keep track of active connections, bounded by the table's configured maximum number of entries (nf_conntrack_max). When the number of tracked connections reaches that maximum, the kernel cannot create entries for new flows and drops the packets instead, logging the “nf_conntrack: table full, dropping packet” error message.

How to Fix the “nf_conntrack: table full” Error

Issue

In kern.log, there are many log lines like nf_conntrack: table full, dropping packet.

# Show all conntrack-related sysctl settings (max, buckets, timeouts)
sysctl -a | grep conntrack

# List the connections currently being tracked (one entry per line)
cat /proc/net/nf_conntrack

# Check nf_conntrack_buckets hash table size
cat /proc/sys/net/netfilter/nf_conntrack_buckets

# Check how many active connections are being tracked
cat /proc/sys/net/netfilter/nf_conntrack_count

# Check the current max value of nf_conntrack (compare against the count above)
cat /proc/sys/net/netfilter/nf_conntrack_max

Fix

# Raise the maximum number of tracked connections (takes effect immediately)
sysctl -w net.netfilter.nf_conntrack_max=1048576

# Resize the hash table; the new value is reflected in nf_conntrack_buckets.
# hashsize is a module parameter, not a sysctl, so /etc/sysctl.conf does not persist it.
echo 262144 > /sys/module/nf_conntrack/parameters/hashsize

# Equivalent to the sysctl -w above, written directly to /proc (note the leading slash)
echo 1048576 > /proc/sys/net/netfilter/nf_conntrack_max

# Expire idle established TCP connections after 1 hour instead of the default 5 days,
# so stale entries stop occupying the table
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600

To keep the settings across reboots, also add them to /etc/sysctl.conf and apply them with sysctl -p:

net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_tcp_timeout_established = 3600
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
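The checks and fix above are easy to combine into a small monitoring script that reports how full the table is before the kernel starts logging drops, and that estimates the kernel memory a proposed nf_conntrack_max will need. The script below is an added example and is not part of the original post. It reads the same /proc files listed above; the per-entry size of ~320 bytes and 8 bytes per hash bucket are assumptions (the exact figures depend on kernel version and enabled conntrack extensions), and the 80% alert threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the original post): report conntrack table usage and
# estimate the memory footprint of a given nf_conntrack_max / hashsize pair.
# Assumptions: ~320 bytes per tracked connection, 8 bytes per hash bucket (64-bit).

CT_DIR=/proc/sys/net/netfilter
ENTRY_BYTES=320   # assumed approximate size of one conntrack entry
BUCKET_BYTES=8    # one pointer per hash bucket on a 64-bit kernel

# Percentage of the table in use, truncated to an integer.
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# Approximate MiB of kernel memory needed when the table is full.
conntrack_mem_mib() {
    max=$1; buckets=$2
    echo $(( (max * ENTRY_BYTES + buckets * BUCKET_BYTES) / 1024 / 1024 ))
}

# Returns 0 when usage is below the threshold, 1 when at or above it (alert),
# and 2 when the module is not loaded (the sysctl files do not exist).
conntrack_check() {
    threshold=${1:-80}
    [ -r "$CT_DIR/nf_conntrack_count" ] || { echo "nf_conntrack not loaded"; return 2; }
    count=$(cat "$CT_DIR/nf_conntrack_count")
    max=$(cat "$CT_DIR/nf_conntrack_max")
    buckets=$(cat "$CT_DIR/nf_conntrack_buckets")
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "nf_conntrack: $count/$max tracked ($pct%), $buckets buckets," \
         "~$(conntrack_mem_mib "$max" "$buckets") MiB when full"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack table above ${threshold}%; expect 'table full, dropping packet' soon"
        return 1
    fi
    return 0
}

# Usage: check the live table with an 80% threshold, then size the values
# recommended in the post (max 1048576 entries, hashsize 262144 buckets).
conntrack_check 80 || :
echo "proposed max 1048576 / 262144 buckets needs ~$(conntrack_mem_mib 1048576 262144) MiB"
```

Run it from cron or a monitoring agent and alert on a non-zero exit status; the ratio of 4 connections per bucket used in the post (1048576 / 262144) keeps hash chains short, and the memory estimate shows that the proposed maximum costs a few hundred MiB of unswappable kernel memory, which is the number to check against available RAM before raising nf_conntrack_max further.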

Conclusion

The “nf_conntrack: table full, dropping packet” error message is a common issue that can occur when running a Linux-based firewall or router. This error is caused by a full connection tracking table, which can be fixed by raising nf_conntrack_max (and the hash table size) so the table can hold more entries, and by shortening the TCP timeouts so stale entries are evicted sooner. Each tracked connection consumes unswappable kernel memory, so size nf_conntrack_max to the RAM available. By following the steps outlined above, you should be able to resolve this issue and ensure that your system is running smoothly.
