如何解决系统报错:nf_conntrack: table full, dropping packets
|
|
问题
在系统日志中(/var/log/messages),有时会看到大面积的下面的报错:- nf_conntrack: table full, dropping packet
在 CentOS 下,默认的连接跟踪表大小是 65536,可以通过下面的命令查看:- cat /proc/sys/net/netfilter/nf_conntrack_max
解决方法
显然,调大最大值的限制就可以了。不过更大的限制意味着可以承接更多连接,意味着要耗费更多资源,这点要注意。
查看当前有多少活跃连接:- cat /proc/sys/net/netfilter/nf_conntrack_count
- echo 524288 > /proc/sys/net/netfilter/nf_conntrack_max
- net.netfilter.nf_conntrack_max = 524288
- net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
- net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
- net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
平时使用 categraf(https://github.com/flashcatcloud/categraf) 监控就可以了,categraf 提供了 input.conntrack 采集插件,可以采集 conntrack 的信息,建议采集配置如下:
conf/input.conntrack/conntrack.toml:- files = [
- "ip_conntrack_count",
- "ip_conntrack_max",
- "nf_conntrack_count",
- "nf_conntrack_max"
- ]
- dirs = [
- "/proc/sys/net/ipv4/netfilter",
- "/proc/sys/net/netfilter"
- ]
- # ignore errors
- quiet = true
- conntrack_ip_conntrack_count / ip_conntrack_max > 0.8
conf.d/p.journaltail/journaltail.toml:- [[instances]]
- # journalctl -S -${time_span}
- time_span = "1m"
- # relationship: or
- keywords = ["Out of memory", "nf_conntrack: table full, dropping packets"]
- # check rule name
- check = "Critical System Errors"
- # # gather interval
- interval = "30s"
- [instances.alerting]
- ## Enable alerting or not
- enabled = true
- ## Same functionality as Prometheus keyword 'for'
- for_duration = 0
- ## Minimum interval duration between notifications
- repeat_interval = "5m"
- ## Maximum number of notifications
- repeat_number = 3
- ## Whether notify recovery event
- recovery_notification = true
- ## Choice: Critical, Warning, Info
- default_severity = "Warning"
来源:https://www.cnblogs.com/ulricqin/p/17476210.html
免责声明:由于采集信息均来自互联网,如果侵犯了您的权益,请联系我们【E-Mail:cb@itdo.tech】 我们会及时删除侵权内容,谢谢合作! |
|
|
|
|
|
发表于 2023-6-13 01:08:30
举报
回复
分享
|
|
|
|
|
