Messages net_ratelimit: X callbacks suppressed

One day I found the following messages in the dmesg log:

nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
net_ratelimit: 10 callbacks suppressed
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
nf_conntrack: nf_conntrack: table full, dropping packet
net_ratelimit: 3 callbacks suppressed

If dmesg has a lot of entries, you can page through them or write them to a file and read it later (the -T option prints human-readable timestamps):

dmesg -T
dmesg -T | less
dmesg -T > ixnfo.com.txt

Note the two messages in this output:

net_ratelimit: 10 callbacks suppressed
net_ratelimit: 3 callbacks suppressed

These messages are not errors; they mean that several messages were not recorded: in my example 10 messages were missed, and then 3 more. This is the kernel's mechanism to protect against message flooding, for example during denial-of-service attacks. In my case the NAT server was under a DDoS attack of the NTP amplification type, and the following message was repeated very often:

nf_conntrack: nf_conntrack: table full, dropping packet

Let's look at the system parameters (shown with their default values, which mean that no more than 10 messages can be recorded in a period of 5 seconds):

cat /proc/sys/net/core/message_cost
5
cat /proc/sys/net/core/message_burst
10

An example of changing or disabling the protection. The larger the message_cost value, the fewer messages will be recorded; a value of 0 disables the rate limiting, but you don't need to disable it, and I don't recommend doing so:

sysctl -w net.core.message_cost=8

echo "net.core.message_cost = 0" >> /etc/sysctl.conf
sysctl -p
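When a burst like the one above shows up, the practical questions are how many events actually happened (logged lines plus the suppressed ones) and how many lines per minute the current message_cost/message_burst settings allow through. The following shell script is an added example, not code from the original post: it parses a constructed dmesg excerpt (the timestamps and the eth0 line are made up), sums the "callbacks suppressed" counters, and reads the live sysctl values, falling back to the kernel defaults of 5 and 10 when /proc is not available.

```shell
#!/bin/sh
# Constructed dmesg -T excerpt (not the author's log): two nf_conntrack bursts,
# each followed by a net_ratelimit summary line, plus one unrelated line.
SAMPLE_DMESG='[Mon Jan  1 10:00:01 2024] nf_conntrack: nf_conntrack: table full, dropping packet
[Mon Jan  1 10:00:01 2024] nf_conntrack: nf_conntrack: table full, dropping packet
[Mon Jan  1 10:00:02 2024] nf_conntrack: nf_conntrack: table full, dropping packet
[Mon Jan  1 10:00:06 2024] net_ratelimit: 10 callbacks suppressed
[Mon Jan  1 10:00:07 2024] nf_conntrack: nf_conntrack: table full, dropping packet
[Mon Jan  1 10:00:08 2024] nf_conntrack: nf_conntrack: table full, dropping packet
[Mon Jan  1 10:00:11 2024] net_ratelimit: 3 callbacks suppressed
[Mon Jan  1 10:00:12 2024] eth0: link up'

# logged_drops LOG: number of "table full" lines that actually reached the log.
logged_drops() {
    printf '%s\n' "$1" | grep -c 'nf_conntrack: table full, dropping packet' || true
}

# suppressed_total LOG: sum of N over every "net_ratelimit: N callbacks suppressed".
suppressed_total() {
    printf '%s\n' "$1" | awk '/net_ratelimit: [0-9]+ callbacks suppressed/ {
        for (i = 1; i <= NF; i++) if ($i == "net_ratelimit:") { sum += $(i + 1); break }
    } END { print sum + 0 }'
}

# events_lower_bound LOG: logged lines plus suppressed lines. net_ratelimit() is
# one shared limiter for all network callers, so the suppressed counter may also
# include other messages; treat the result as "at least this many".
events_lower_bound() {
    echo $(( $(logged_drops "$1") + $(suppressed_total "$1") ))
}

# ratelimit_ceiling COST BURST: upper bound on rate-limited lines per minute,
# since the kernel lets through at most BURST lines per COST-second window.
# COST=0 disables the limiter entirely.
ratelimit_ceiling() {
    cost=$1; burst=$2
    if [ "$cost" -le 0 ]; then
        echo unlimited
    else
        echo $(( burst * 60 / cost ))
    fi
}

# current_ratelimit: live values, or the kernel defaults (5, 10) when /proc is missing.
current_ratelimit() {
    cost=$(cat /proc/sys/net/core/message_cost 2>/dev/null || echo 5)
    burst=$(cat /proc/sys/net/core/message_burst 2>/dev/null || echo 10)
    echo "$cost $burst"
}

# Report on the constructed sample when run directly.
echo "logged table-full lines: $(logged_drops "$SAMPLE_DMESG")"
echo "suppressed lines:        $(suppressed_total "$SAMPLE_DMESG")"
echo "events, at least:        $(events_lower_bound "$SAMPLE_DMESG")"
set -- $(current_ratelimit)
echo "ceiling per minute at cost=$1 burst=$2: $(ratelimit_ceiling "$1" "$2")"
```

To run it against a real system, replace SAMPLE_DMESG with `$(dmesg -T)`. The per-minute ceiling is an approximation: the 5-second window restarts on the first message after the previous window expires, so the true count can be slightly lower, but it is never higher.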

By the way, there were more than 4,000,000 connections in the conntrack table, which exceeded the limit I had set; this is why the same message was repeated so many times.

See also my article:
Tuning nf_conntrack
