
Bug#800445: nf_conntrack: table full, dropping packet



Package: linux-image-4.2.0-1-amd64
Version: 4.2.1-2

After booting the kernel image provided by this package and attempting
to connect to the Internet, network access doesn't actually work. The
message "nf_conntrack: table full, dropping packet" is repeatedly
logged.

Comparing the contents of the various /proc/sys conntrack files between
a working 4.1 kernel (from linux-image-4.1.0-2-amd64) and the broken
4.2, the only difference I see is that nf_conntrack_count has a value
"-5". Yes, negative 5. /proc/net/stat/nf_conntrack's "entries" column
matches this with a value of fffffffb. /proc/net/nf_conntrack is empty
on the 4.2 kernel, while it has a handful of expected entries on 4.1.

I have iptables rules set up by shorewall on this machine, including
configuration to forward/masq traffic on the interface used by vde2, in
case that helps reproduce this. Removing all the iptables rules and
removing the nf_conntrack_ipv4 module (and everything that depends on
it, of course) stops the error. Disabling shorewall at boot allows
network functionality and starting shorewall later didn't immediately
cause the problem, but in some experimentation after the system locked
up.
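As an added diagnostic (not part of this bug report or of the Debian kernel package), the following script parses the three conntrack accounting files compared above and tells a negative "entries"/nf_conntrack_count (an accounting underflow, as in the fffffffb == -5 seen here) apart from genuine table exhaustion. The /proc/net/stat/nf_conntrack layout is assumed to be the hex-column, one-row-per-CPU format of kernels of this era; the sample rows are constructed for testing.

```python
# Added diagnostic; not from the bug report or the Debian kernel package.
# Parses /proc/net/stat/nf_conntrack plus the nf_conntrack_count/_max sysctls
# and flags the inconsistent states a defender would want to distinguish.
import ctypes

HEADER = ("entries  searched found new invalid ignore delete delete_list insert "
          "insert_failed drop early_drop icmp_error  expect_new expect_create "
          "expect_delete search_restart\n")

def sample_stat(entries_hex, drop_hex="00000000"):
    """Constructed one-CPU /proc/net/stat/nf_conntrack text (test input)."""
    cols = [entries_hex] + ["00000000"] * 9 + [drop_hex] + ["00000000"] * 6
    return HEADER + " ".join(cols) + "\n"

def parse_conntrack_stat(text):
    """Return one dict per CPU row; the kernel prints every field as hex."""
    lines = [l for l in text.splitlines() if l.strip()]
    names = lines[0].split()
    return [dict(zip(names, (int(v, 16) for v in row.split())))
            for row in lines[1:]]

def diagnose(stat_text, count, maximum):
    """Return a list of findings; count/maximum are the sysctl values."""
    rows = parse_conntrack_stat(stat_text)
    # "entries" is one global counter repeated on every CPU row, printed as
    # unsigned 32-bit hex; reinterpret it as signed so an underflow shows.
    entries = ctypes.c_int32(rows[0]["entries"]).value
    drops = sum(r["drop"] + r["insert_failed"] for r in rows)
    findings = []
    if entries < 0 or count < 0:
        findings.append("negative-count")        # accounting bug, not load
    elif count >= maximum:
        findings.append("table-full")            # real exhaustion: raise max
    if entries != count:
        findings.append("stat-sysctl-mismatch")  # the two views disagree
    if drops:
        findings.append("drops-observed")
    return findings

def diagnose_live():
    """Run the check against the running kernel (Linux with nf_conntrack)."""
    base = "/proc/sys/net/netfilter/"
    with open("/proc/net/stat/nf_conntrack") as f:
        stat = f.read()
    with open(base + "nf_conntrack_count") as f:
        count = int(f.read())
    with open(base + "nf_conntrack_max") as f:
        maximum = int(f.read())
    return diagnose(stat, count, maximum)
```

A "negative-count" finding points at kernel accounting rather than at load, so raising nf_conntrack_max will not help; "table-full" without it is the ordinary case where the limit is too small for the traffic.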

