In a situation where a VM is generating a huge number of inbound or outbound connections, it is possible for the ip_conntrack table to become full and for packets to be dropped. This is rarely seen under normal traffic, but a DoS attack can often cause this behavior.
To stop conntrack from tracking the state of connections from a particular source IP, we can do the following:
iptables -t raw -I PREROUTING -s <source_ip> -j NOTRACK
We would suggest doing this at least for the Control Panel's management IP address, to ensure that the CP and HVs are able to communicate. You may also wish to put in place additional entries for any SAN IPs on your storage network, and for your backup server IP(s), to ensure traffic flowing over those networks is also not affected.
Those entries, once created, could be placed into /etc/rc.local for static HVs, or CustomConfig for cloudboot HVs. Note that OnApp Integrated Storage traffic has this disabled by default, so there is no need to add additional entries where this is in use.
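As an added example (not OnApp's own tooling), the following POSIX shell script ties the diagnosis and the fix above together: it ranks originating source IPs from /proc/net/nf_conntrack output, reports table utilisation from nf_conntrack_count/nf_conntrack_max, and generates re-runnable NOTRACK rules for a list of trusted hosts such as the CP, SAN and backup IPs. The sample conntrack lines and IP addresses are constructed; the script also adds the matching raw-table OUTPUT -d rule, so HV-originated traffic to those hosts (for example iSCSI sessions) is exempted alongside the inbound PREROUTING -s rule shown above.

```shell
#!/bin/sh
# Added example (not OnApp's own tooling): find which source IPs hold the most
# conntrack entries, check table utilisation, and emit idempotent NOTRACK rules
# for trusted hosts (CP management IP, SAN targets, backup servers).

# Constructed sample in /proc/net/nf_conntrack format (real data: cat that file).
# One host on 203.0.113.7 is opening many half-open connections to the HV.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.20 sport=52314 dport=3260 src=10.0.0.20 dst=10.0.0.5 sport=3260 dport=52314 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40001 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=40001 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40002 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=40002 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=203.0.113.7 dst=10.0.0.5 sport=40003 dport=80 [UNREPLIED] src=10.0.0.5 dst=203.0.113.7 sport=80 dport=40003 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=123 dport=123 src=10.0.0.1 dst=10.0.0.5 sport=123 dport=123 mark=0 zone=0 use=2'

# Read nf_conntrack lines on stdin; print "count ip" per originating source,
# busiest first. Only the first src= per line is the originator (the second
# src=/dst= pair is the reply direction), so stop at the first match.
top_conntrack_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); print $i; break } }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Percentage of the conntrack table in use. Arguments override the sysctl
# values so the function can be exercised without the /proc files.
conntrack_usage_percent() {
    count=${1:-$(cat /proc/sys/net/netfilter/nf_conntrack_count)}
    max=${2:-$(cat /proc/sys/net/netfilter/nf_conntrack_max)}
    echo $(( count * 100 / max ))
}

# Emit, one per line, the iptables commands exempting each trusted IP from
# conntrack. PREROUTING -s covers packets arriving from the host (the
# article's rule); OUTPUT -d covers packets the HV itself sends to it, so
# HV-initiated flows such as iSCSI logins are not tracked either. The -C
# check makes the output safe to re-run from /etc/rc.local or CustomConfig.
notrack_rules() {
    for ip in "$@"; do
        echo "iptables -t raw -C PREROUTING -s $ip -j NOTRACK 2>/dev/null || iptables -t raw -I PREROUTING -s $ip -j NOTRACK"
        echo "iptables -t raw -C OUTPUT -d $ip -j NOTRACK 2>/dev/null || iptables -t raw -I OUTPUT -d $ip -j NOTRACK"
    done
}

# Run the emitted rules (needs root). Example hosts are placeholders:
#   apply_notrack_rules 10.0.0.2 10.0.0.20 10.0.0.30   # CP, SAN target, backup
apply_notrack_rules() {
    notrack_rules "$@" | sh
}
```

Run `printf '%s\n' "$SAMPLE_CONNTRACK" | top_conntrack_sources` to see the offending source ranked first, and feed the real file instead once on an HV.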
Comments
Dear James,
We found that one of the HVs got this issue, with this error in dmesg:
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
nf_conntrack: table full, dropping packet.
HTB: quantum of class 10024 is big. Consider r2q change.
1. How can we find the source and destination IPs of the connections? Does the file /proc/net/nf_conntrack have this source/destination connection IP?
2. Please explain in detail: we have an iSCSI SAN attached to our HV. Please share the exact steps to apply on our storage network so it will not affect communication between the HV and the storage target.