On Wed, Jun 22, 2011 at 12:08:42PM -0400, der Mouse wrote:
> > Here is error that i got from kernel:
> 
> > net_ratelimit: 686 callbacks suppressed
> > nf_conntrack: table full, dropping packet.
> > nf_conntrack: table full, dropping packet.
> > nf_conntrack: table full, dropping packet.
> 
> I don't recognize those messages, but they look to me as though you're
> doing some kind of stateful firewalling and it ran out of internal
> table space.

What's happening there is that Linux's connection tracking code is
filling up its state table, and logging that it's happened
("nf_conntrack: table full, dropping packet"). However, it's doing that
so quickly that the rate-limiting for the logging is kicking in, and
saying that there were lots more log messages that weren't actually
logged ("net_ratelimit: 686 callbacks suppressed").

> You really don't want to do that for an NTP pool host if you can help
> it; running an NTP pool member uses a _lot_ of flows. If you can't
> help it, you probably need to push your firewall's state table size up
> substantially. (If you can't do that either, it may be you just don't
> have a network setup that's suitable for hosting a pool member.)

A modern Linux system will likely be doing connection tracking unless
you've explicitly disabled it. There's probably some way to do that
globally, but doing so would break his ability to do NAT. There are also
some firewall rules that you can add to exclude specific packets from
the connection tracking; see my earlier email for the details on that.

> > I did not use any firewall delays, only one postrouting rule to nat
> > my internal network.
> 
> If you really must NAT your NTP pool host, you might try doing a
> passthrough rule for port 123, so it can run stateless.  If you can't
> do that, about all I can suggest is to push up the size of your NAT's
> state table and hope.

From his post over on the Questions list, I'm pretty sure that he's not
running his pool server behind NAT, but that his pool server is also the
router for his internal network, and that's what the NAT rule is for.
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
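As an added illustration of the two messages discussed in this thread (this is example code, not part of the original posts or of the NTP pool project), the script below does two things a pool operator would want: it parses kernel log lines of the kind quoted above and adds the "callbacks suppressed" count to the drops that were actually logged, and it computes how full the conntrack table is from the kernel's own counters so the condition can be caught before packets are dropped. The log lines and the host name `ntp1` are constructed sample data; the `/proc/sys/net/netfilter/nf_conntrack_count` and `nf_conntrack_max` paths are the standard Linux sysctl files and are only read when they exist, so the parsing part runs anywhere.

```shell
#!/bin/sh
# Added example: estimate nf_conntrack drops from kernel log text and
# report conntrack table utilization. Not code from the mailing-list thread.

# Constructed sample of the messages quoted in the thread (syslog style).
# The "eth0: link up" line is unrelated noise to show it is ignored.
SAMPLE_LOG='Jun 22 12:08:01 ntp1 kernel: net_ratelimit: 686 callbacks suppressed
Jun 22 12:08:01 ntp1 kernel: nf_conntrack: table full, dropping packet.
Jun 22 12:08:01 ntp1 kernel: nf_conntrack: table full, dropping packet.
Jun 22 12:08:01 ntp1 kernel: nf_conntrack: table full, dropping packet.
Jun 22 12:08:06 ntp1 kernel: net_ratelimit: 12 callbacks suppressed
Jun 22 12:08:06 ntp1 kernel: nf_conntrack: table full, dropping packet.
Jun 22 12:08:07 ntp1 kernel: eth0: link up'

# conntrack_drop_total LOGTEXT
# Prints "<logged> <suppressed> <total>": the "table full" lines that made
# it to the log, the sum of the net_ratelimit suppressed counts, and both
# added together. The suppressed count is an upper bound for conntrack
# drops, because net_ratelimit is shared by all rate-limited network
# messages, not only conntrack's.
conntrack_drop_total() {
  printf '%s\n' "$1" | awk '
    /nf_conntrack: table full, dropping packet/ { logged++ }
    /net_ratelimit: [0-9]+ callbacks suppressed/ {
      for (i = 1; i <= NF; i++)
        if ($i == "net_ratelimit:") suppressed += $(i + 1)
    }
    END { printf "%d %d %d\n", logged, suppressed, logged + suppressed }'
}

# conntrack_utilization COUNT MAX
# Integer percentage of the state table in use.
conntrack_utilization() {
  echo $(( $1 * 100 / $2 ))
}

# conntrack_status
# Reads the live counters when running on a Linux host with nf_conntrack
# loaded; says so and returns quietly elsewhere.
conntrack_status() {
  count_file=/proc/sys/net/netfilter/nf_conntrack_count
  max_file=/proc/sys/net/netfilter/nf_conntrack_max
  if [ ! -r "$count_file" ] || [ ! -r "$max_file" ]; then
    echo "conntrack counters not available on this host"
    return 0
  fi
  count=$(cat "$count_file")
  max=$(cat "$max_file")
  pct=$(conntrack_utilization "$count" "$max")
  echo "conntrack: $count/$max entries in use ($pct%)"
  # Warn well before the table is full, since at 100% packets are dropped.
  if [ "$pct" -ge 80 ]; then
    echo "WARNING: conntrack table above 80%; raise nf_conntrack_max or stop tracking NTP flows"
  fi
  return 0
}

# Stand-alone run: summarise the sample log, then check this host.
set -- $(conntrack_drop_total "$SAMPLE_LOG")
echo "logged drops: $1, suppressed (upper bound): $2, estimated total: $3"
conntrack_status
```

On a live host the remediation the thread points at is, from my own knowledge of Linux netfilter rather than from the posts: raise the limit with `sysctl -w net.netfilter.nf_conntrack_max=<N>` (the hash table size `nf_conntrack_buckets` should grow with it), or keep NTP out of the state table altogether with raw-table rules such as `iptables -t raw -A PREROUTING -p udp --dport 123 -j NOTRACK` and the matching `OUTPUT` rule for `--sport 123`, which is the stateless passthrough the earlier reply describes; the NAT rule for the internal network keeps working because only port 123 traffic is excluded.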