| 1 | = 2012-05-29 = |
| 2 | |
| 3 | == hadoop.nchc.org.tw == |
| 4 | |
| 5 | * 錯誤訊息:nf_conntrack: table full, dropping packet. |
| 6 | {{{ |
| 7 | ~$ dmesg | grep |
| 8 | [1146203.787306] nf_conntrack: table full, dropping packet. |
| 9 | [1146203.787880] nf_conntrack: table full, dropping packet. |
| 10 | [1146203.790825] nf_conntrack: table full, dropping packet. |
| 11 | [1146203.791307] nf_conntrack: table full, dropping packet. |
| 12 | [1146203.791503] nf_conntrack: table full, dropping packet. |
| 13 | [1146203.791818] nf_conntrack: table full, dropping packet. |
| 14 | [1146203.791987] nf_conntrack: table full, dropping packet. |
| 15 | [1146208.785365] nf_conntrack: table full, dropping packet. |
| 16 | [1146208.785635] nf_conntrack: table full, dropping packet. |
| 17 | [1146208.786510] nf_conntrack: table full, dropping packet. |
| 18 | }}} |
| 19 | * [參考] [http://www.pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/ Resolving “nf_conntrack: table full, dropping packet.” flood message in dmesg Linux kernel log] |
| 20 | * [原因] 阻斷攻擊(DDoS) |
| 21 | * [解法] 修改 sysctl 增加 ip_conntrack_max 、降低 ip_conntrack_generic_timeout |
| 22 | {{{ |
| 23 | net.ipv4.netfilter.ip_conntrack_max=16384 |
| 24 | net.ipv4.conf.default.arp_ignore=1 |
| 25 | net.ipv4.conf.all.arp_ignore=1 |
| 26 | net.ipv4.ip_forward=1 |
| 27 | net.ipv4.icmp_echo_ignore_broadcasts=1 |
| 28 | net.ipv4.icmp_ignore_bogus_error_responses=1 |
| 29 | net.ipv4.tcp_ecn=1 |
| 30 | net.ipv4.tcp_fin_timeout=30 |
| 31 | net.ipv4.tcp_keepalive_time=120 |
| 32 | net.ipv4.tcp_syncookies=1 |
| 33 | net.ipv4.tcp_timestamps=0 |
| 34 | net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=300 |
| 35 | net.ipv4.netfilter.ip_conntrack_udp_timeout=60 |
| 36 | net.ipv4.netfilter.ip_conntrack_udp_timeout_stream=180 |
| 37 | net.ipv4.netfilter.ip_conntrack_generic_timeout = 120 |
| 38 | net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000 |
| 39 | }}} |