Re: [bug report, linux 6.15-rc4] A large number of connections in the SYN_SENT state caused the nf_conntrack table to be full.

On Wed, 28 May 2025, ying chen wrote:

> On Wed, May 28, 2025 at 9:10 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> > ying chen <yc1082463@xxxxxxxxx> wrote:
> > > Hello all,
> > >
> > > I encountered an "nf_conntrack: table full" warning on Linux 6.15-rc4.
> > > Running cat /proc/net/nf_conntrack showed a large number of
> > > connections in the SYN_SENT state.
> > > As is well known, if we attempt to connect to a non-existent port, the
> > > system will respond with an RST and then delete the conntrack entry.
> > > However, when we frequently connect to non-existent ports, the
> > > conntrack entries are not deleted, eventually causing the nf_conntrack
> > > table to fill up.
> >
> > Yes, what do you expect to happen?
>
> I understand that the conntrack entry should be deleted immediately
> after receiving the RST reply.

No, the conntrack entry will be in the CLOSE state with the timeout value
of /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close.

Best regards,
Jozsef
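The practical way to check which of the two behaviours described above is filling the table is to tally /proc/net/nf_conntrack by TCP state and look at the remaining timeouts: an entry that received an RST sits in CLOSE with at most nf_conntrack_tcp_timeout_close seconds left (kernel default 10), whereas an entry still in SYN_SENT and flagged [UNREPLIED] has never matched a reply packet and ages out over nf_conntrack_tcp_timeout_syn_sent (kernel default 120). The POSIX shell functions below do that tally. They are an added example, not code from the thread or from the netfilter project; the function names are mine and the conntrack table they are run against is a constructed sample in the same line format the kernel emits.

```shell
#!/bin/sh
# Added example (not from the thread): summarise /proc/net/nf_conntrack by
# TCP state. Each TCP line looks like
#   ipv4 2 tcp 6 <timeout-left> <STATE> src=... dst=... sport=... dport=... [UNREPLIED] src=... ...
# so $3 is the L4 protocol, $5 the remaining timeout in seconds, $6 the state.
# UDP lines have no state field and are skipped by the $3 == "tcp" guard.

# Print "STATE count" for every TCP state present on stdin, sorted by name.
tcp_state_counts() {
    awk '$3 == "tcp" { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Print the number of TCP entries in the state given as $1 (0 if none).
tcp_state_count() {
    awk -v st="$1" '$3 == "tcp" && $6 == st { n++ } END { print n + 0 }'
}

# Print the largest remaining timeout (seconds) among entries in state $1.
# For CLOSE this should never exceed nf_conntrack_tcp_timeout_close.
tcp_state_max_timeout() {
    awk -v st="$1" '$3 == "tcp" && $6 == st && $5 > m { m = $5 } END { print m + 0 }'
}

# Print how many entries have never seen a packet in the reply direction.
# grep -c exits 1 when the count is 0, so mask that for callers using set -e.
unreplied_count() {
    grep -c -F '[UNREPLIED]' || true
}

# Constructed sample table (not a real capture): one established session,
# two SYNs that got no answer, two SYNs answered by RST, one UDP flow.
CONSTRUCTED_SAMPLE='ipv4     2 tcp      6 431997 ESTABLISHED src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=22 src=10.0.0.9 dst=10.0.0.5 sport=22 dport=40000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=10.0.0.5 dst=10.0.0.9 sport=40001 dport=81 [UNREPLIED] src=10.0.0.9 dst=10.0.0.5 sport=81 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=10.0.0.5 dst=10.0.0.9 sport=40002 dport=82 [UNREPLIED] src=10.0.0.9 dst=10.0.0.5 sport=82 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 9 CLOSE src=10.0.0.5 dst=10.0.0.9 sport=40003 dport=83 src=10.0.0.9 dst=10.0.0.5 sport=83 dport=40003 mark=0 zone=0 use=2
ipv4     2 tcp      6 4 CLOSE src=10.0.0.5 dst=10.0.0.9 sport=40004 dport=84 src=10.0.0.9 dst=10.0.0.5 sport=84 dport=40004 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=10.0.0.5 sport=53 dport=5353 mark=0 zone=0 use=2'

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$CONSTRUCTED_SAMPLE" | tcp_state_counts
printf 'unreplied: %s\n' "$(printf '%s\n' "$CONSTRUCTED_SAMPLE" | unreplied_count)"
printf 'max CLOSE timeout left: %ss\n' "$(printf '%s\n' "$CONSTRUCTED_SAMPLE" | tcp_state_max_timeout CLOSE)"
```

On a live system the same functions are fed from the real table, which needs root and the nf_conntrack module loaded: `tcp_state_counts < /proc/net/nf_conntrack`, then compare the total against /proc/sys/net/netfilter/nf_conntrack_max and the CLOSE timeouts against /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_close. A table dominated by CLOSE entries with single-digit timeouts is behaving as Jozsef describes; a table dominated by [UNREPLIED] SYN_SENT entries is holding connections that never got the RST at all.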
