Use Ubuntu 24.04 (Noble Numbat) with Vagrant
Andreas Vöst
6 days
Migrate Redis data with RIOT
Andreas Vöst
26 days
ACM certificate not showing up in CloudFront
Claus-Theodor Riegg
4 years
Pay attention to trailing slashes when using rsync
Kim Klotz
3 years
GitLab: Test Mailing from the Rails Console
Moritz Kraus
2 months
Linux Memory Metrics
Andreas Vöst
2 months
restart puppetserver after changing custom functions
Kim Klotz
8 years
Do not use Python virtualenv anymore
Andreas Vöst
2 months
Setup readonly rails console
Kim Klotz
3 months
manual haproxy backend failover
Claus-Theodor Riegg
8 years
Playbook: fetch container logs from journald
Moritz Kraus
1 year
Identify network cards for linux network interfaces
Emma Heinle
4 months
Set a fixed PGAPPNAME when using PgBouncer in transaction mode
Kim Klotz
4 months
netfilter's Connection Tracking system (nf_conntrack)
Andreas Vöst
3 years
Use sudo with rsync
Andreas Vöst
5 months
VIA Macros for German Umlauts on US-ANSI keyboards
Andreas Vöst
7 months
Useful jq commands
Andreas Vöst
7 months
Redis Sentinel manual failover
Claus-Theodor Riegg
8 years
GitLab CI: debugging failed jobs
Marc Dierig
9 months
Useful PostgreSQL commands
Claus-Theodor Riegg
7 years
What are these numbers in /etc/fstab for?
Moritz Kraus
10 months
Restoring old Postgres dumps with pg_restore v11 and higher
Claus-Theodor Riegg
5 years
GitLab: Push without triggering CI Pipeline
Emma Heinle
11 months
Use pg_repack to do a VACUUM FULL without holding an exclusive lock during processing
Kim Klotz
11 months

netfilter's Connection Tracking system (nf_conntrack)

Posted . Visible to the public. Repeats.

What is netfilter's Connection Tracking system?

The connection tracking system Show archive.org snapshot often referenced as nf_conntrack is part of the Netfilter framework. It allows the Linux kernel to keep track of all logical network connections and sessions. In combination with iptables this feature is used to achieve a stateful firewall.

Why to care about nf_conntrack?

All connections are stored in the connection tracking table. The size of the tracking table is based on the memory of the system. A node with 4 GB RAM will get a maximum table size of 64 KB.

On most systems the default settings are fine. However if you're running a VM host which has a lot of virtual machines running which by themselves have a lot of connections the connection tracking table can get filled. This could happen if you're running virtual load balancers on your VM hosts.

If the table is full and there are still many new connections coming in the kernel will start to drop packages. You might not be able to establish new connections and dmesg will output messages like:

2021-06-29T09:21:01,266251+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267799+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267806+02:00 nf_conntrack: nf_conntrack: table full, dropping packet

Interact with nf_conntrack

It's possible to interact with nf_conntrack directly via the /proc/sys/net/netfilter/nf_conntrack_* variables Show archive.org snapshot or through a userspace tool like conntrack.

Get the maximum size of the connection tracking table 

$ cat /proc/sys/net/netfilter/nf_conntrack_max

Get the size of the currently allocated flow entries 

$ cat /proc/sys/net/netfilter/nf_conntrack_count

Raise the connection tracking table size to 512 KB 

$ sudo sysctl -w net.nf_conntrack_max=524288

Attention: If you're using Proxmox the sysctl value will get restored after a short moment. Change the option nf_conntrack_max in the host specific firewall configuration Show archive.org snapshot instead.

List all connection tracking table entries 

$ sudo conntrack -L

Check for temporary entries

These entries will be deleted Show archive.org snapshot as soon as the system runs out of connection tracking entries.

$ sudo conntrack -L | grep 'UNREPLIED'
blog.cloudflare.com
Andreas Vöst
Say thanks4
Last edit
Andreas Vöst
Keywords
conntrack
License
Source code in this card is licensed under the MIT License.
Privacy policy Terms of service Imprint
This website uses short-lived cookies to improve usability.
or learn more