netfilter's Connection Tracking system (nf_conntrack)

Andreas Vöst
Software engineer at makandra GmbH
July 01, 2021

What is netfilter's Connection Tracking system?

The connection tracking system, often referred to as nf_conntrack, is part of the Netfilter framework. It allows the Linux kernel to keep track of all logical network connections and sessions. In combination with iptables, this feature is used to build a stateful firewall.

Why to care about nf_conntrack?

All tracked connections are stored in the connection tracking table. The default size of the table is derived from the amount of memory in the system: a node with 4 GB RAM gets a maximum table size of 64 KB.

On most systems the default settings are fine. However, if you're running a VM host with a lot of virtual machines, each of which has a lot of connections of its own, the connection tracking table can fill up. This can happen, for example, if you're running virtual load balancers on your VM hosts.

If the table is full and new connections keep coming in, the kernel will start to drop packets. You might not be able to establish new connections, and dmesg will output messages like:

2021-06-29T09:21:01,266251+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267799+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267806+02:00 nf_conntrack: nf_conntrack: table full, dropping packet

Interact with nf_conntrack

It's possible to interact with nf_conntrack directly via the /proc/sys/net/netfilter/nf_conntrack_* variables or through a userspace tool like conntrack.

Get the maximum size of the connection tracking table

$ cat /proc/sys/net/netfilter/nf_conntrack_max

Get the size of the currently allocated flow entries

$ cat /proc/sys/net/netfilter/nf_conntrack_count

Raise the connection tracking table size to 512 KB

$ sudo sysctl -w net.nf_conntrack_max=524288

Attention: If you're using Proxmox, the sysctl value will be restored after a short moment. Change the option nf_conntrack_max in the host-specific firewall configuration instead.

List all connection tracking table entries

$ sudo conntrack -L

Check for temporary entries

These entries (connections in the UNREPLIED state) are the first to be evicted as soon as the system runs out of connection tracking entries.

$ sudo conntrack -L | grep 'UNREPLIED'

Posted by Andreas Vöst to makandra Operations (2021-07-01 15:19)
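The checks above (the "table full" messages in dmesg, the count and max values from /proc, and the UNREPLIED entries from conntrack -L) are easy to combine into a small monitoring check. The script below is an added example and not part of the original card; the dmesg lines and conntrack -L lines it contains are constructed sample data, the 80% threshold is an arbitrary choice, and the helper names (conntrack_usage_pct, count_table_full_drops, count_unreplied) are this example's own. Each function takes its input as arguments or on stdin, so the logic runs offline and only reads the live /proc values when they exist.

```shell
#!/bin/sh
# Added example (not from the original card): combine the figures the card reads
# from /proc with the dmesg and conntrack output it shows into one health check.
# All functions take arguments or stdin so they can be exercised on sample data.

# Integer percentage of the tracking table in use, given nf_conntrack_max and
# nf_conntrack_count. Prints 0 when max is not a positive number.
conntrack_usage_pct() {
    max="$1"
    count="$2"
    [ "$max" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Exit status 0 (alert) when usage is at or above the threshold percentage
# (third argument, default 80; the threshold is an arbitrary choice here).
conntrack_table_near_full() {
    pct=$(conntrack_usage_pct "$1" "$2")
    threshold="${3:-80}"
    [ "$pct" -ge "$threshold" ]
}

# Count "table full, dropping packet" lines in kernel log text read from stdin.
# grep -c exits 1 on zero matches, so keep the "0" it prints and ignore the status.
count_table_full_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Count UNREPLIED entries in `conntrack -L` output read from stdin. These are the
# entries the kernel evicts first once the table runs out of slots.
count_unreplied() {
    grep -c 'UNREPLIED' || true
}

# Read a /proc value when it is available, otherwise fall back to the given
# sample value so the script also runs outside a Linux host.
live_or_sample() {
    file="$1"
    fallback="$2"
    if [ -r "$file" ]; then cat "$file"; else echo "$fallback"; fi
}

# Constructed sample data for offline runs (not captured from a real system).
SAMPLE_DMESG='2021-06-29T09:21:01,266251+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267799+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:02,000000+02:00 eth0: link up'

SAMPLE_CONNTRACK='tcp      6 118 SYN_SENT src=10.0.0.2 dst=10.0.0.9 sport=43210 dport=443 [UNREPLIED] src=10.0.0.9 dst=10.0.0.2 sport=443 dport=43210 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.9 sport=43211 dport=443 src=10.0.0.9 dst=10.0.0.2 sport=443 dport=43211 [ASSURED] mark=0 use=1
udp     17 29 src=10.0.0.2 dst=10.0.0.53 sport=5353 dport=53 [UNREPLIED] src=10.0.0.53 dst=10.0.0.2 sport=53 dport=5353 mark=0 use=1'

main() {
    # Sample fallbacks: 65536 is the 64K default the card mentions for a 4 GB host.
    max=$(live_or_sample /proc/sys/net/netfilter/nf_conntrack_max 65536)
    count=$(live_or_sample /proc/sys/net/netfilter/nf_conntrack_count 60000)
    pct=$(conntrack_usage_pct "$max" "$count")
    echo "conntrack table: $count / $max entries ($pct%)"
    if conntrack_table_near_full "$max" "$count" 80; then
        echo "WARNING: tracking table above 80%; raise nf_conntrack_max or investigate the traffic"
    fi
    drops=$(printf '%s\n' "$SAMPLE_DMESG" | count_table_full_drops)
    echo "'table full' messages in log sample: $drops"
    unreplied=$(printf '%s\n' "$SAMPLE_CONNTRACK" | count_unreplied)
    echo "UNREPLIED entries in conntrack sample: $unreplied"
}

main "$@"
```

On a real host you would feed `dmesg` and `sudo conntrack -L` into the two counting functions instead of the samples; a rising UNREPLIED share together with high table usage is the pattern that precedes the "table full, dropping packet" messages, and it is worth alerting on before the drops start.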