iptables connection tracking table full

I’ve recently experienced that my workstation (Ubuntu Jaunty Jackalope, 9.04, x86_64) “hangs” periodically when my internet browser, Mozilla Firefox, has a lot of active tabs.
In my case I had > 100 active tabs in more than 20 windows. I know I should have closed some of them but that is not an option right now.

The problem revealed itself when doing a dmesg on my workstation

# dmesg

[1737157.057528] nf_conntrack: table full, dropping packet.
[1737157.160357] nf_conntrack: table full, dropping packet.
[1737157.260534] nf_conntrack: table full, dropping packet.
[1737157.361837] nf_conntrack: table full, dropping packet.
[1737157.462305] nf_conntrack: table full, dropping packet.
[1737157.564270] nf_conntrack: table full, dropping packet.
[1737157.666836] nf_conntrack: table full, dropping packet.
[1737157.767348] nf_conntrack: table full, dropping packet.
[1737157.868338] nf_conntrack: table full, dropping packet.
[1737157.969828] nf_conntrack: table full, dropping packet.
[1737162.214064] __ratelimit: 53 callbacks suppressed

This behaviour looks like a Denial-of-Service and is caused by a full iptables connection tracking table.

The default size of the iptables connection tracking table is

# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536

The solution I went for was to double the size of the connection table to 131072 and restart Firefox.

# echo "131072" > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

This value is a 32-bit integer, so the table size can be made quite large, but you will need much more RAM before you can actually use a size like that.

To make this solution permanent I added the following line to /etc/sysctl.conf

net.ipv4.netfilter.ip_conntrack_max = 131072

You can test this by executing the following command

# sysctl -p
131072

This command loads the /etc/sysctl.conf settings.
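A small checker for the procedure above, written for this post as an added example (it is not the post's own code): it reads the current conntrack entry count and limit, reports how full the table is, and counts the "table full" drops in a dmesg dump so you can spot the problem before packets start disappearing. It assumes the /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max files (the post's /proc/sys/net/ipv4/netfilter/ip_conntrack_max path is the older name for the same limit); the warning threshold of 80% and the dmesg excerpt it parses are constructed for the example, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original post.
# Checks conntrack table usage and counts "table full" drops in dmesg output.

# Assumption: newer kernels expose the limit and the live entry count here.
# The post's /proc/sys/net/ipv4/netfilter/ip_conntrack_max is the older path
# for the same limit.
CT_MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
CT_COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    count=$1
    max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_status COUNT MAX WARN_PCT -> OK | WARN | FULL
# FULL means new flows are already being dropped (the dmesg symptom above);
# WARN means the table is above the given percentage and the limit should be
# raised (or the source of the flows investigated) before that happens.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$1" -ge "$2" ]; then
        echo FULL
    elif [ "$pct" -ge "$3" ]; then
        echo WARN
    else
        echo OK
    fi
}

# count_table_full_drops < dmesg-output -> number of "table full" lines.
# Note the __ratelimit line in the post: the kernel suppresses repeats, so
# this is a lower bound on the real number of dropped packets.
count_table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Live check if the sysctl files are readable, otherwise a constructed sample.
if [ -r "$CT_MAX_FILE" ] && [ -r "$CT_COUNT_FILE" ]; then
    max=$(cat "$CT_MAX_FILE")
    count=$(cat "$CT_COUNT_FILE")
else
    echo "conntrack sysctl files not readable here; using constructed sample values"
    max=65536
    count=60000
fi
echo "conntrack: $count/$max entries ($(conntrack_usage_pct "$count" "$max")%) -> $(conntrack_status "$count" "$max" 80)"

# Constructed dmesg excerpt (not captured from a real machine).
SAMPLE_DMESG='[1.000000] nf_conntrack: table full, dropping packet.
[2.000000] nf_conntrack: table full, dropping packet.
[3.000000] __ratelimit: 53 callbacks suppressed'
echo "table-full drops in sample dmesg: $(printf '%s\n' "$SAMPLE_DMESG" | count_table_full_drops)"
```

Run it from cron or a monitoring agent and alert on WARN; raising the limit as the post does buys headroom, but a table that keeps filling up is worth correlating with `conntrack -L` (from the conntrack-tools package) to see which hosts or processes own the entries.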
