What does the message in kernel.log:
nf_conntrack_alloc: Can't alloc conntrack
nf_conntrack_alloc is decomposed to this:

nf - NetFilter - Kernel-based IP filtering usually accessed through the iptables user-space tool
conntrack - connection tracking or flow analysis administered with conntrack_tools
alloc - a request to "allocate" space in memory, in this case to track a connection - the opposite is dealloc

Cannot alloc conntrack means that the attempt to allocate memory to track a new network connection failed. Connections can mean a lot more than TCP connections. ICMP, SIP, and UDP can all count towards your limits. The June 2006 issue of ;login defines connection tracking like this:
Basically, the connection tracking system stores information about the state of a connection in a memory structure that contains the source and destination IP addresses, port number pairs, protocol types, state, and timeout. With this extra information, we can define more intelligent filtering policies.
Each new connection goes onto a connection tracking table which has a limited number of entries. If and when that connection table fills up, the oldest entry is dropped. This means that old connections may suddenly disconnect if too many connections are established.
There is a system tunable called nf_conntrack_max that defaults to 32767, if I've read around correctly. You can tune this to a larger number, like 65535 according to this page here at serverfault.com (sysctl -w net.netfilter.nf_conntrack_max=65535). See the list of values in /proc/sys/net/netfilter.
That said, an article by Paul Roberts states that if the table was really filling up, you should see the message nf_conntrack: table full, dropping packet. So, given this, you may actually have a system with too much memory allocated for other things, and connection tracking is feeling the brunt of the shortage. Consider either shutting down a service or increasing the RAM. If you are in a limited memory scenario, you may need to look at symbol stripping and other tricks to get more memory available to you.
kmem_cache_alloc in net/netfilter/nf_conntrack_core.c nf_conntrack_alloc() returns NULL. The kernel was unable to allocate memory.
Check free memory (cat /proc/meminfo and slabtop).
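Both answers above boil down to telling the two kernel messages apart and then checking either memory or table headroom. The POSIX shell script below is an added example, not code from either answer: it classifies constructed sample log lines, reports the per-case hint the answers give, and reads nf_conntrack_count and nf_conntrack_max from /proc/sys/net/netfilter when the host exposes them.

```sh
# Added example (not the answers' own code): sort nf_conntrack kernel messages
# into the two cases the thread distinguishes and check table headroom.
# Sample log lines are constructed; the /proc paths are the ones the answer names.
SAMPLE_LOG="Jun  1 12:00:01 fw kernel: nf_conntrack_alloc: Can't alloc conntrack
Jun  1 12:00:02 fw kernel: nf_conntrack_alloc: Can't alloc conntrack
Jun  1 12:00:03 fw kernel: nf_conntrack: table full, dropping packet
Jun  1 12:00:04 fw kernel: eth0: link up"

# classify_line LINE -> alloc_failure | table_full | other
classify_line() {
    case "$1" in
        *"nf_conntrack_alloc: Can't alloc conntrack"*) echo alloc_failure ;;
        *"nf_conntrack: table full, dropping packet"*) echo table_full ;;
        *) echo other ;;
    esac
}

# count_kind KIND -> how many sample lines classify as KIND
count_kind() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_line "$line")" = "$1" ]; then n=$((n + 1)); fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}

# table_usage_percent COUNT MAX -> integer percent of the conntrack table in use
table_usage_percent() {
    if [ "$2" -gt 0 ]; then echo $(( $1 * 100 / $2 )); else echo 0; fi
}
# hint KIND -> where to look, following the answers above
hint() {
    case "$1" in
        alloc_failure) echo "memory allocation failed: check /proc/meminfo and slabtop; table need not be full" ;;
        table_full) echo "table exhausted: raise net.netfilter.nf_conntrack_max or reduce tracked flows" ;;
        *) echo "not a conntrack message" ;;
    esac
}
# live_check -> current count/max from /proc when this host exposes them
live_check() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ] || { echo "nf_conntrack sysctls not readable on this host"; return; }
    c=$(cat "$d/nf_conntrack_count"); m=$(cat "$d/nf_conntrack_max")
    echo "conntrack table: $c/$m ($(table_usage_percent "$c" "$m")% used)"
}

for k in alloc_failure table_full; do echo "$k: $(count_kind "$k") line(s); $(hint "$k")"; done
live_check
```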