netfilter's Connection Tracking system (nf_conntrack)

Posted . Visible to the public. Repeats.

What is netfilter's Connection Tracking system?

The connection tracking system Show archive.org snapshot often referenced as nf_conntrack is part of the Netfilter framework. It allows the Linux kernel to keep track of all logical network connections and sessions. In combination with iptables this feature is used to achieve a stateful firewall.

Why to care about nf_conntrack?

All connections are stored in the connection tracking table. The size of the tracking table is based on the memory of the system. A node with 4 GB RAM will get a maximum table size of 64 KB.

On most systems the default settings are fine. However if you're running a VM host which has a lot of virtual machines running which by themselves have a lot of connections the connection tracking table can get filled. This could happen if you're running virtual load balancers on your VM hosts.

If the table is full and there are still many new connections coming in the kernel will start to drop packages. You might not be able to establish new connections and dmesg will output messages like:

2021-06-29T09:21:01,266251+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267799+02:00 nf_conntrack: nf_conntrack: table full, dropping packet
2021-06-29T09:21:01,267806+02:00 nf_conntrack: nf_conntrack: table full, dropping packet

Interact with nf_conntrack

It's possible to interact with nf_conntrack directly via the /proc/sys/net/netfilter/nf_conntrack_* variables Show archive.org snapshot or through a userspace tool like conntrack.

Get the maximum size of the connection tracking table

$ cat /proc/sys/net/netfilter/nf_conntrack_max

Get the size of the currently allocated flow entries

$ cat /proc/sys/net/netfilter/nf_conntrack_count

Raise the connection tracking table size to 512 KB

$ sudo sysctl -w net.nf_conntrack_max=524288

Attention: If you're using Proxmox the sysctl value will get restored after a short moment. Change the option nf_conntrack_max in the host specific firewall configuration Show archive.org snapshot instead.

List all connection tracking table entries

$ sudo conntrack -L

Check for temporary entries

These entries will be deleted Show archive.org snapshot as soon as the system runs out of connection tracking entries.

$ sudo conntrack -L | grep 'UNREPLIED'
Andreas Vöst
Last edit
Andreas Vöst
Keywords
conntrack
License
Source code in this card is licensed under the MIT License.