checking number of conntrack table entries differs with the method used

Issues related to configuring your network
Post Reply
Posts: 1
Joined: 2018/09/10 01:06:56

checking number of conntrack table entries differs with the method used

Post by MichaelK » 2018/09/10 01:38:04

Hi All,

System is centos
There are two ways to check the nf_conntrack table entries, and I am getting different results with each of them after the firewall has been running for a day or so.

Method 1
wc -l /proc/net/nf_conntrack
shows a reasonable number for the traffic through the firewall
# wc -l /proc/net/nf_conntrack
5639 /proc/net/nf_conntrack

Method 2
conntrack -C (using the conntrack-tools)
# conntrack -C

If I do
conntrack --flush
Method 1 (line count) shows very low numbers and flush appears to have worked.
Method 1 shows the previous number minus the number of entries removed from the /proc/net/nf_conntrack table.
Using the figures above it would show 16474.

If left alone, the number reported by conntrack -C keeps increasing and packets are dropped when it reaches net.nf_conntrack_max.
As a temporary reprieve I have increased the maximum as follows as a temporary measure in sysctl.conf I added.

# Increase the nf_conntrack maximum from 65536 to 524288
net.nf_conntrack_max = 524288

If anyone has experienced a similar issue and has knowledge please help.

I'd be interested if anyone has a suggestion for trouble shooting this as

System details are as follows:-
Centos 6.10 with updates current to approximately 1.5 months previous as reboots are a challenge with 24hr operation.

# uname -a
Linux 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/redhat-release
CentOS release 6.10 (Final)
# rpm -q iptables
rpm -q conntrack-tools

Please point me to the relevant netfilter forum if this may be better asked there.

My first post here, but now I'm registered I hope to be of assistance to others.


Post Reply