firewall packet drop at nf_conntrack

mada

Member
Aug 16, 2017
I have about 18 cluster servers; they all share the same firewall rules and all are OK except one node. Once I open the firewall on that node, all connections drop, and in the logs:

Code:
Oct  4 05:31:29 xx kernel: [250319.678513] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:29 xx kernel: [250319.678799] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.679641] net_ratelimit: 7997 callbacks suppressed
Oct  4 05:31:34 xx kernel: [250324.679655] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.679796] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.680716] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.680754] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.681193] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.682704] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.683504] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.685001] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.687650] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.688099] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:39 xx kernel: [250329.683568] net_ratelimit: 7848 callbacks suppressed
Oct  4 05:31:39xx kernel: [250329.683581] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:39 xx kernel: [250329.690224] nf_conntrack: nf_conntrack: table full, dropping packet

Once I turn off the firewall, the packets go back to normal.

Code:
pveversion --v
proxmox-ve: 5.4-2 (running kernel: 4.15.18-21-pve)
pve-manager: 5.4-13 (running version: 5.4-13/aee6f0ec)
pve-kernel-4.15: 5.4-9
pve-kernel-4.15.18-21-pve: 4.15.18-48
pve-kernel-4.15.18-20-pve: 4.15.18-46
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: not correctly installed
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-12
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-55
libpve-guest-common-perl: 2.0-20
libpve-http-server-perl: 2.0-14
libpve-storage-perl: 5.0-44
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.1.0-7
lxcfs: 3.0.3-pve1
novnc-pve: 1.0.0-3
proxmox-widget-toolkit: 1.0-28
pve-cluster: 5.0-38
pve-container: 2.0-40
pve-docs: 5.4-2
pve-edk2-firmware: 1.20190312-1
pve-firewall: 3.0-22
pve-firmware: 2.0-7
pve-ha-manager: 2.0-9
pve-i18n: 1.1-4
pve-libspice-server1: 0.14.1-2
pve-qemu-kvm: 3.0.1-4
pve-xtermjs: 3.12.0-1
qemu-server: 5.0-54
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
 
Hi,
you might want to increase the maximum number of connections to track in the firewall settings of the node. Also make sure the established connections are legit.
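An added example, not from either post, showing how to quantify the two things the reply asks about: how many packets the node is really dropping (the kernel rate-limits the log, so the visible lines undercount the drops by the "callbacks suppressed" counts), how close the conntrack table is to its limit, and which source addresses hold the most entries. The log lines and the conntrack table sample below are constructed to look like the posted log and like `conntrack -L` output (conntrack-tools); on a live node the count and limit come from /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max (the Proxmox node firewall option of the same name sets the latter), and the threshold of 80 % is an assumed alerting value.

```shell
#!/bin/sh
# Added example (not the thread's own code). Sample data is constructed.

SAMPLE_LOG='Oct  4 05:31:29 xx kernel: [250319.678513] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:29 xx kernel: [250319.678799] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:34 xx kernel: [250324.679641] net_ratelimit: 7997 callbacks suppressed
Oct  4 05:31:34 xx kernel: [250324.679655] nf_conntrack: nf_conntrack: table full, dropping packet
Oct  4 05:31:39 xx kernel: [250329.683568] net_ratelimit: 7848 callbacks suppressed
Oct  4 05:31:39 xx kernel: [250329.683581] nf_conntrack: nf_conntrack: table full, dropping packet'

# Constructed `conntrack -L`-style lines: one legitimate SSH session, one DNS
# flow and three half-open (UNREPLIED) connections from the same source.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=43210 dport=22 src=10.0.0.1 dst=10.0.0.5 sport=22 dport=43210 [ASSURED] mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.7 dst=10.0.0.1 sport=51001 dport=443 [UNREPLIED] src=10.0.0.1 dst=203.0.113.7 sport=443 dport=51001 mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.7 dst=10.0.0.1 sport=51002 dport=443 [UNREPLIED] src=10.0.0.1 dst=203.0.113.7 sport=443 dport=51002 mark=0 use=1
udp      17 29 src=10.0.0.9 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.9 sport=53 dport=5353 mark=0 use=1
tcp      6 119 SYN_SENT src=203.0.113.7 dst=10.0.0.1 sport=51003 dport=443 [UNREPLIED] src=10.0.0.1 dst=203.0.113.7 sport=443 dport=51003 mark=0 use=1'

# Print "<printed> <suppressed> <total>": the "table full" lines that made it
# into the log, the messages net_ratelimit dropped, and their sum, which is the
# real number of dropped packets the kernel reported.
estimate_drops() {
    printf '%s\n' "$1" | awk '
        /nf_conntrack: table full, dropping packet/ { printed++ }
        /net_ratelimit: [0-9]+ callbacks suppressed/ {
            for (i = 1; i <= NF; i++)
                if ($i == "net_ratelimit:") suppressed += $(i + 1)
        }
        END { printf "%d %d %d\n", printed, suppressed, printed + suppressed }'
}

# Integer percentage of the conntrack table in use (count / max).
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Exit 0 while usage is below the threshold (default 80 %), 1 when it is time
# to raise nf_conntrack_max or to find out what is filling the table.
conntrack_headroom_ok() {
    [ "$(conntrack_usage_pct "$1" "$2")" -lt "${3:-80}" ]
}

# "<entries> <address>" for the N source addresses holding the most entries;
# the first src= field of each line is the original direction of the flow.
top_src() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i <= NF; i++)
              if (substr($i, 1, 4) == "src=") { n[substr($i, 5)]++; break } }
        END { for (a in n) printf "%d %s\n", n[a], a }' | sort -rn | head -n "${2:-5}"
}

# Number of half-open entries; a large share of these relative to ESTABLISHED
# ones is the usual sign that the table is being filled by unanswered SYNs.
count_unreplied() {
    printf '%s\n' "$1" | grep -c '\[UNREPLIED\]'
}

echo "drops (printed suppressed total): $(estimate_drops "$SAMPLE_LOG")"
echo "table usage at 62000/65536: $(conntrack_usage_pct 62000 65536)%"
echo "top sources:"; top_src "$SAMPLE_CONNTRACK" 3
echo "unreplied entries: $(count_unreplied "$SAMPLE_CONNTRACK")"
```

On a real node, feed `estimate_drops` with `journalctl -k` or the syslog excerpt and `top_src` with the output of `conntrack -L`; raising nf_conntrack_max only buys headroom if the top talkers are legitimate, otherwise the table refills and the drops return.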