DaveDave57
Sun 25-Oct-15 08:25:11
conntrack expectation table full issues (nf_conntrack)

I'm having problems with "nf_conntrack: expectation full errors" in the Billion 8800NL (2.32e) syslog.

What seems odd is that they are generated simply by web page accesses (eg, but pretty much any "busy" web site seems to do it), and to the extent that I get them __ratelimit-ed too - no bit torrents running.
Also perplexing is that the problem appears when the page is accessed from some machines on my network, but not others (independent of being wireless, for instance).

I'm a couple of decades out of practice with unix-stuff now, but having spent a few hours delving into the router and various web pages I now have some observations but no real insight or cure:

* The expectation table seems small (cat /proc/sys/net/netfilter/nf_conntrack_expect_max) at 32 entries, but I can't find much info about what is normal.
* When I open just, the main conntrack table shows 400+ entries (both cat /proc/net/ip_conntrack and cat /proc/net/nf_conntrack_expect), which seems a lot, but they decay fairly soon; this happens when I access the page from a machine that causes expectation full errors and from one that doesn't.
* Having increased the expectation table (echo NN > /proc/sys/net/netfilter/nf_conntrack_expect_max, where I tried NN= 64 then 128) I can see that this single page can generate over 100 expectation entries (when accessed from some but not all machines that is).
* Looking at the contents of the expectation table immediately after the page opens (cat /proc/net/ip_conntrack_expect, and cat /proc/net/nf_conntrack_expect being similar but slightly different in form) and taking the dport numbers shown and looking for the matching lines in the main conntrack table, I see that these are mainly for 53 (DNS) and 443 (SSL) connections.

So now I'm wondering:

* What effect does having entries dropped from the expectation table have on the actual browsing, the pages seem to display correctly after all.
* Should I be surprised that DNS and SSL connections end up in the expectation table (I thought it was for the likes of FTP).
* And if DNS and SSL traffic does end up there, why does the problem manifest itself when the web page is accessed from some machines and not others.
* Is the nf_conntrack_expect_max = 32 just too low a value, and what are the memory consequences of increasing it to, say, 1000+ (to cope with multiple page opening), and can I make that remembered through a reboot?

Any help appreciated.
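As an added example (not from the original post), a small Python script that does the correlation described above offline: it parses lines in the layout of /proc/net/nf_conntrack_expect and /proc/net/nf_conntrack (both layouts are assumed from the kernel's dump format, and the sample lines are constructed), tallies expectations per dport and per helper, flags expectations whose master flow no longer appears in the main table, and checks the total against nf_conntrack_expect_max.

```python
import re
from collections import Counter
# Constructed sample of /proc/net/nf_conntrack_expect; layout assumed from the kernel's dump:
# "<ttl> l3proto = <n> proto=<n> src= dst= sport= dport= [flags] [helper]".
EXPECT_SAMPLE = """\
296 l3proto = 2 proto=17 src=192.168.1.20 dst=192.168.1.1 sport=0 dport=53
299 l3proto = 2 proto=6 src=192.168.1.20 dst=203.0.113.5 sport=0 dport=443
299 l3proto = 2 proto=6 src=192.168.1.20 dst=203.0.113.6 sport=0 dport=443
120 l3proto = 2 proto=6 src=192.168.1.20 dst=198.51.100.9 sport=0 dport=21 ftp
"""
# Constructed sample of /proc/net/nf_conntrack; the first src/dst/sport/dport group is the original direction.
CONNTRACK_SAMPLE = """\
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=192.168.1.20 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4 2 udp 17 29 src=192.168.1.20 dst=192.168.1.1 sport=40001 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=40001 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.9 sport=51300 dport=21 src=198.51.100.9 dst=192.168.1.20 sport=21 dport=51300 [ASSURED] mark=0 use=1
"""
KV = re.compile(r"(\w+)=(\S+)")
def first_kv(line):
    # key=value tokens of a line; reversed so the first occurrence (original direction) wins
    pairs = KV.findall(line)
    return {k: v for k, v in reversed(pairs)}

def parse_expectations(text):
    """(proto number, dst, dport, helper name or '') for each expectation line."""
    out = []
    for line in text.splitlines():
        f, tokens = first_kv(line), line.split()
        if "dport" in f:
            helper = tokens[-1] if "=" not in tokens[-1] else ""  # trailing bare word = helper name
            out.append((f["proto"], f["dst"], int(f["dport"]), helper))
    return out

def parse_conntrack(text):
    """(proto number, original dst, original dport) for each conntrack line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) > 3 and "dport=" in line:
            f = first_kv(line)
            out.append((parts[3], f["dst"], int(f["dport"])))
    return out

def summarize(expect_text, conntrack_text, expect_max):
    """Tallies per (proto, dport) and per helper, expectations lacking a master flow, and headroom vs expect_max."""
    exps = parse_expectations(expect_text)
    conns = set(parse_conntrack(conntrack_text))
    return {"total": len(exps), "by_dport": Counter((p, dp) for p, _, dp, _ in exps),
            "helpers": Counter(h or "(none)" for *_, h in exps),
            "unmatched": [(dst, dp) for p, dst, dp, _ in exps if (p, dst, dp) not in conns],
            "at_limit": len(exps) >= expect_max}  # full once it holds expect_max entries
```

On the router, feed summarize() the contents of the two /proc files instead of the constructed samples; the trailing helper name, where the kernel prints one, is what shows which helper created the DNS and 443 expectations.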
