[pve-devel] nf_conntrack: table full, dropping packet error
Dietmar Maurer
dietmar at proxmox.com
Tue Oct 11 10:52:36 CEST 2011
> yes, CONFIG_BRIDGE_NETFILTER is enabled, but depends on the nf_conntrack
> module.
>
> so, nf_conntrack is loaded, but I don't know why .....
>
> Maybe it was already loaded before with the debian kernel? (can you confirm
> nf_conntrack was loaded with the previous debian kernel?)
>
> If nf_conntrack really must be loaded (maybe some users need iptables), I think
> CONFIG_BRIDGE_NETFILTER must be disabled by default.
>
> Conntrack on bridge can be easily saturated on hosts with many vms.
ok, the module is loaded in /etc/init.d/vz
# modinfo vzrst
filename: /lib/modules/2.6.32-6-pve/kernel/kernel/cpt/vzrst.ko
license: GPL
author: Alexey Kuznetsov <alexey at sw.ru>
srcversion: 173F9B166568B1B971BA164
depends: nf_conntrack,ipv6,nfs,lockd,nf_nat,vzmon
vermagic: 2.6.32-6-pve SMP mod_unload modversions
Obviously 'vzrst' depends on that.
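Added example, not part of the original message: a small shell helper that answers the "loaded, but I don't know why" question from the "used by" column of /proc/modules, following the chain of dependent modules upward. The `sample_modules` excerpt is constructed (sizes and addresses are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Constructed excerpt in /proc/modules format:
#   name size refcount used-by-list state address
# The 4th field lists the modules that USE this module ("-" if none).
sample_modules() {
cat <<'EOF'
vzrst 120000 0 - Live 0xffffffffa0300000
nf_nat 22759 1 vzrst, Live 0xffffffffa0200000
nf_conntrack 79758 2 vzrst,nf_nat, Live 0xffffffffa0100000
bridge 79950 0 - Live 0xffffffffa0050000
EOF
}

# holders MODULE
# Reads /proc/modules-format text on stdin and prints, sorted, every module
# that keeps MODULE loaded, either directly or through another module.
holders() {
    awk -v target="$1" '
    # Remember the used-by list of every module.
    { users[$1] = ($4 == "-") ? "" : $4 }

    # Walk upward from m through its users; "seen" stops repeats and cycles.
    function walk(m,    n, i, parts) {
        n = split(users[m], parts, ",")
        for (i = 1; i <= n; i++) {
            if (parts[i] != "" && !(parts[i] in seen)) {
                seen[parts[i]] = 1
                walk(parts[i])
            }
        }
    }

    END {
        walk(target)
        for (m in seen) print m
    }
    ' | sort
}
```

On a live host, run `holders nf_conntrack < /proc/modules`; an empty result means no loaded module currently depends on it.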