[pve-devel] pve-devel Digest, Vol 17, Issue 18

wangxinhao wangxinhao at 139.com
Tue Oct 11 08:41:57 CEST 2011


Hello pve-devel-request!

======= 2011-10-11 12:33:20 You wrote in your message: =======

>Today's Topics:
>
>   1. Re: nf_conntrack: table full, dropping packet error
>      (Dietmar Maurer)
>   2. Re: nf_conntrack: table full, dropping packet error
>      (Dietmar Maurer)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 11 Oct 2011 04:04:03 +0000
>From: Dietmar Maurer <dietmar at proxmox.com>
>To: Alexandre DERUMIER <aderumier at odiso.com>,
>	"pve-devel at pve.proxmox.com"	<pve-devel at pve.proxmox.com>
>Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet
>	error
>Message-ID:
>	<24E144B8C0207547AD09C467A8259F753795D687 at lisa.maurer-it.com>
>Content-Type: text/plain; charset="utf-8"
>
>> I have verified with a Debian kernel; nf_conntrack is not enabled
>> 
>> kvm5:~# cat /proc/net/nf_conntrack
>> cat: /proc/net/nf_conntrack: No such file or directory
>
>Well, it is compiled as a module on our kernel:
>
>CONFIG_NF_CONNTRACK=m
>
>> Alternatively, we can disable it with a kernel option
>> 
>> 
>> Linux Kernel Configuration: Bridged traffic with iptables Networking  --->
>>   Networking support  --->
>>     Networking options  --->
>>       Network packet filtering framework (Netfilter)  --->
>>        [*] Bridged IP/ARP packets filtering
>
>Sorry, but what option is that exactly?
>
>
>
>------------------------------
>
>Message: 2
>Date: Tue, 11 Oct 2011 04:33:00 +0000
>From: Dietmar Maurer <dietmar at proxmox.com>
>To: Alexandre DERUMIER <aderumier at odiso.com>,
>	"pve-devel at pve.proxmox.com"	<pve-devel at pve.proxmox.com>
>Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet
>	error
>Message-ID:
>	<24E144B8C0207547AD09C467A8259F753795D6CE at lisa.maurer-it.com>
>Content-Type: text/plain; charset="utf-8"
>
>Or you increase the number of connections:
>
>net.netfilter.nf_conntrack_max=131072
>
>That seems to be related to the iptables setup you use.
>
>
>
>From: pve-devel-bounces at pve.proxmox.com [mailto:pve-devel-bounces at pve.proxmox.com] On Behalf Of Alexandre DERUMIER
>Sent: Monday, 10 October 2011 12:40
>To: pve-devel at pve.proxmox.com
>Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet error
>
>OK, I found the problem
>
>https://bugzilla.redhat.com/show_bug.cgi?id=512206
>
>so adding
>
>net.bridge.bridge-nf-call-ip6tables = 0
>net.bridge.bridge-nf-call-iptables = 0
>net.bridge.bridge-nf-call-arptables = 0
>
>to /etc/sysctl.conf
>
>corrects the problem.
>
>
>I don't know if it's related to the Red Hat kernel, but I haven't seen this problem before.
>
>Maybe it can be added by default to the Proxmox installer?
>
>
>________________________________
>From: "Alexandre DERUMIER" <aderumier at odiso.com>
>To: pve-devel at pve.proxmox.com
>Sent: Monday 10 October 2011 12:27:34
>Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet error
>also
>
>cat  /proc/net/nf_conntrack
>
>gives me a lot of guest VM connection references...
>
>...
>ipv4     2 tcp      6 87 TIME_WAIT src=217.109.92.1 dst=10.1.31.220 sport=19132 dport=80 src=10.1.31.220 dst=217.109.92.1 sport=80 dport=19132 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 430860 ESTABLISHED src=82.124.207.13 dst=10.1.31.220 sport=62775 dport=80 src=10.1.31.220 dst=82.124.207.13 sport=80 dport=62775 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 117 TIME_WAIT src=10.1.31.25 dst=10.1.33.145 sport=11396 dport=30 src=10.1.33.145 dst=10.1.31.25 sport=30 dport=11396 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 25 TIME_WAIT src=86.73.246.208 dst=10.1.31.220 sport=51544 dport=80 src=10.1.31.220 dst=86.73.246.208 sport=80 dport=51544 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 7 TIME_WAIT src=10.1.31.180 dst=10.2.61.26 sport=46716 dport=3306 src=10.2.61.26 dst=10.1.31.180 sport=3306 dport=46716 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 2 TIME_WAIT src=41.224.178.3 dst=10.1.31.220 sport=51070 dport=80 src=10.1.31.220 dst=41.224.178.3 sport=80 dport=51070 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 89 TIME_WAIT src=194.167.196.49 dst=10.1.31.220 sport=4416 dport=80 src=10.1.31.220 dst=194.167.196.49 sport=80 dport=4416 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 5 CLOSE src=115.126.169.77 dst=10.1.31.220 sport=53069 dport=80 src=10.1.31.220 dst=115.126.169.77 sport=80 dport=53069 [ASSURED] mark=0 secmark=0 use=2
>ipv4     2 tcp      6 97 TIME_WAIT src=10.1.31.180 dst=10.2.61.26 sport=63674 dport=11211 src=10.2.61.26 dst=10.1.31.180 sport=11211 dport=63674 [ASSURED] mark=0 secmark=0 u^C
>...
>
>Can I safely disable the conntrack module on the host?
>
>
>________________________________
>From: "Alexandre DERUMIER" <aderumier at odiso.com>
>To: pve-devel at pve.proxmox.com
>Sent: Monday 10 October 2011 12:23:35
>Subject: Re: [pve-devel] nf_conntrack: table full, dropping packet error
>Forgot to say: Proxmox 1.9
>________________________________
>From: "Alexandre DERUMIER" <aderumier at odiso.com>
>To: pve-devel at pve.proxmox.com
>Sent: Monday 10 October 2011 12:21:02
>Subject: [pve-devel] nf_conntrack: table full, dropping packet error
>Hi,
>This morning I see a lot of nf_conntrack errors in /var/log/messages.
>
>Is it related to the Red Hat kernel?
>How can I disable it?
>
>
>kvm2:~# iptables -L
>Chain INPUT (policy ACCEPT)
>target     prot opt source               destination
>
>Chain FORWARD (policy ACCEPT)
>target     prot opt source               destination
>
>Chain OUTPUT (policy ACCEPT)
>target     prot opt source               destination
>kvm2:~#  cat /var/log/messages
>
>
>Oct 10 11:55:23 kvm2 kernel: __ratelimit: 285 callbacks suppressed
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:23 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: __ratelimit: 107 callbacks suppressed
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:28 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: __ratelimit: 328 callbacks suppressed
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:35 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: __ratelimit: 83 callbacks suppressed
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:44 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: __ratelimit: 69 callbacks suppressed
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:55:51 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: __ratelimit: 190 callbacks suppressed
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>Oct 10 11:56:18 kvm2 kernel: nf_conntrack: table full, dropping packet.
>
>
>--
>
>Alexandre Derumier
>Systems engineer
>e-mail :  aderumier at odiso.com
>Tel : +33 (0)3 20 68 88 90
>Fax : +33 (0)3 20 68 90 81
>45 Bvd du Général Leclerc
>59100 ROUBAIX - FRANCE
>
>_______________________________________________
>pve-devel mailing list
>pve-devel at pve.proxmox.com
>http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
>End of pve-devel Digest, Vol 17, Issue 18
>*****************************************

= = = = = = = = = = = = = = = = = = = =
			

        Regards!
 
				 
        wangxinhao
        wangxinhao at 139.com
          2011-10-11
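
The diagnosis in the quoted thread (the host's conntrack table filling with guest VM flows while the bridge netfilter hooks are enabled) can be checked against a saved copy of /proc/net/nf_conntrack. The following is an added example, not part of the original messages; the function names, the sample addresses and the 80% warning threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the /proc/net/nf_conntrack layout quoted above
# (documentation-range addresses, not data from the thread). Last line is cut short.
SAMPLE = """\
ipv4     2 tcp      6 87 TIME_WAIT src=198.51.100.7 dst=192.0.2.20 sport=19132 dport=80 src=192.0.2.20 dst=198.51.100.7 sport=80 dport=19132 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 430860 ESTABLISHED src=203.0.113.9 dst=192.0.2.20 sport=62775 dport=80 src=192.0.2.20 dst=203.0.113.9 sport=80 dport=62775 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=198.51.100.7 dst=192.0.2.2 sport=40022 dport=22 src=192.0.2.2 dst=198.51.100.7 sport=22 dport=40022 [ASSURED] mark=0 secmark=0 use=2
ipv4     2 udp      17 25 src=192.0.2.21 dst=192.0.2.53 sport=5353 dport=53 src=192.0.2.53 dst=192.0.2.21 sport=53 dport=5353 mark=0 secmark=0 use=2
ipv4     2 tcp      6 5 CLOSE src=203.0.1
"""

TUPLE = re.compile(r"src=(\S+) dst=(\S+)")  # first match is the original direction

def classify(lines, host_addrs):
    """Count entries that terminate on the host vs. flows merely bridged to guests."""
    hosts = {ipaddress.ip_address(a) for a in host_addrs}
    owner, states, skipped = Counter(), Counter(), 0
    for line in lines:
        fields, m = line.split(), TUPLE.search(line)
        try:
            src, dst = (ipaddress.ip_address(x) for x in m.groups())
            # TCP carries a state name in field 6; UDP goes straight to src=
            state = fields[5] if "=" not in fields[5] else "-"
        except (AttributeError, IndexError, ValueError):  # truncated or malformed
            skipped += 1
            continue
        owner["host" if src in hosts or dst in hosts else "bridged"] += 1
        states[state] += 1
    return owner, states, skipped

def findings(owner, count, maximum, bridge_nf_call_iptables, warn=0.8):
    """count/maximum are the nf_conntrack_count and nf_conntrack_max sysctl values."""
    out = []
    if bridge_nf_call_iptables and owner["bridged"]:
        out.append("host tracks %d bridged guest flow(s): "
                   "bridge-nf-call-iptables=1" % owner["bridged"])
    if maximum and count / maximum >= warn:
        out.append("conntrack table at %.0f%% of nf_conntrack_max"
                   % (100 * count / maximum))
    return out

if __name__ == "__main__":
    owner, states, skipped = classify(SAMPLE.splitlines(), ["192.0.2.2"])
    print(dict(owner), dict(states), "skipped:", skipped)
    for f in findings(owner, 60000, 65536, 1):
        print("WARN:", f)
```

A table that fills with bridged entries drops new connections for every guest on the host, so the ratio of bridged to host entries is worth watching alongside the fill level.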

