
I have 3 private dedicated servers as load balancers, and there is a public IP address assigned to these private dedicated servers. Suddenly, one of these 3 LB servers got "nf_conntrack: table full, dropping packet".

My dedicated server spec is 32 cores, 256 GB. I read up on nf_conntrack and finally I am planning to increase conntrack_max to about 4 million. But I need more recommendations from all of you who have experience and expertise in server performance.

When do we need conntrack? Meanwhile, this is a dedicated server with a private IP, not a NAT gateway. Should I remove conntrack?

Nicky Puff
  • 11
  • 1

1 Answer


Linux netfilter has several uses: stateful firewall, NAT and general packet mangling. A stateful firewall is likely to exist in out-of-the-box configurations on non-routers, but it could be something else.

As a host-level firewall is useful, and it would be difficult to remove conntrack completely, size it properly so this limit is not hit.

Estimate the total number of flows over 2 minutes. Log application connections, use conntrack-tools or a packet capture. Multiply by some safety ratio to get the order of magnitude necessary. 4 million is a high number, but plausible. Each entry consumes a few hundred bytes of memory, but 1 or 2 GB isn't a big deal on a box with a couple hundred GB.

In addition to dropping the new value for net.netfilter.nf_conntrack_max into /etc/sysctl.d/, resize the nf_conntrack hashsize: roughly conntrack_max / 4, rounded up to a power of 2.

For some details, including for old kernels, see RHEL KB 8721: ip_conntrack or nf_conntrack: table full, dropping packet

John Mahowald
  • 30,009
  • 1
  • 17
  • 32
  • Thanks John, I am studying the docs right now. If you have additional information, I am so glad to get it here. – Nicky Puff Mar 27 '20 at 03:23
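The sizing procedure from the answer above (peak flows times a safety ratio for nf_conntrack_max, then hashsize = max / 4 rounded up to a power of two), written out as a POSIX shell script. This is an added example, not code from the answer or from the RHEL article it links; the 1,000,000-flow peak and the safety ratio of 4 are assumed inputs, and the file names under /etc/sysctl.d/ and /etc/modprobe.d/ are my own choice. The arithmetic lives in small functions so it can be checked without root; the privileged writes only happen when APPLY=1.

```shell
#!/bin/sh
# Added example: size nf_conntrack from an observed flow count.
# Paths are the standard kernel interfaces; PEAK_FLOWS and SAFETY_RATIO
# are assumptions to be replaced with your own measurement.

# Smallest power of two that is >= $1.
next_pow2() {
    n=1
    while [ "$n" -lt "$1" ]; do n=$((n * 2)); done
    echo "$n"
}

# conntrack_max = peak flows seen over the 2-minute window * safety ratio.
recommend_max() {
    echo $(($1 * $2))
}

# Hash buckets: conntrack_max / 4, rounded up to a power of two.
hashsize_for() {
    next_pow2 $(( ($1 + 3) / 4 ))
}

# What the running kernel has now. /proc count/max are world-readable;
# the hashsize module parameter is root-only, so fall back to "?".
current_usage() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        hs=$(cat /sys/module/nf_conntrack/parameters/hashsize 2>/dev/null || echo '?')
        printf 'count=%s max=%s hashsize=%s\n' \
            "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
            "$(cat /proc/sys/net/netfilter/nf_conntrack_max)" "$hs"
    else
        echo "nf_conntrack not loaded (or not readable)"
    fi
}

# Render the persistent settings. nf_conntrack_max is a sysctl; hashsize is a
# module parameter, so it is persisted through modprobe.d, not sysctl.d.
render_config() {
    max=$1; hs=$(hashsize_for "$max")
    cat <<EOF
# /etc/sysctl.d/90-conntrack.conf   (assumed file name)
net.netfilter.nf_conntrack_max = $max
# /etc/modprobe.d/nf_conntrack.conf (assumed file name)
options nf_conntrack hashsize=$hs
EOF
}

# Apply at runtime: grow the hash table first, then raise the limit.
apply_config() {
    max=$1; hs=$(hashsize_for "$max")
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    echo "$hs" > /sys/module/nf_conntrack/parameters/hashsize
    sysctl -w net.netfilter.nf_conntrack_max="$max"
}

main() {
    peak=${PEAK_FLOWS:-1000000}   # assumption: sample 'conntrack -C' over 2 min and take the peak
    ratio=${SAFETY_RATIO:-4}      # assumption: headroom factor
    max=$(recommend_max "$peak" "$ratio")
    current_usage
    render_config "$max"
    if [ "${APPLY:-0}" = 1 ]; then apply_config "$max"; fi
    return 0
}

main "$@"
```

Two practical checks before trusting the number: sample /proc/sys/net/netfilter/nf_conntrack_count (or conntrack -C) every few seconds through a busy period rather than once, and look at net.netfilter.nf_conntrack_tcp_timeout_established, whose default of 432000 seconds (5 days) means the table holds idle established flows long after the application has forgotten them; a table that fills on a box with modest real concurrency is often a timeout problem as much as a sizing one.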