Fixing the Linux kernel message "kernel: nf_conntrack: falling back to vmalloc"

CentOS Linux release 7.6.1810 (Core) 

Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Resolving the message: kernel: nf_conntrack: falling back to vmalloc

1. While restarting the firewall, /var/log/messages showed the following. The "nf_conntrack version" line, printed when firewalld loaded the module, reports the current hash table size (65536 buckets) and the maximum number of tracked connections (262144). The "falling back to vmalloc" line is printed every time a conntrack hash table is allocated, which on this kernel also happens when a network namespace is created or the table is resized, hence the repeats:

Dec 30 18:52:17 localhost systemd: Starting firewalld - dynamic firewall daemon...
Dec 30 18:52:18 localhost systemd: Started firewalld - dynamic firewall daemon.
Dec 30 18:52:18 localhost kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Dec 30 18:52:18 localhost kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
Dec 30 18:52:18 localhost kernel: Ebtables v2.0 registered
Dec 30 18:52:18 localhost kernel: nf_conntrack version 0.5.0 (65536 buckets, 262144 max)

... (intervening lines omitted) ...

Dec 30 19:04:51 localhost kernel: nf_conntrack: falling back to vmalloc.
Dec 30 19:04:51 localhost kernel: nf_conntrack: falling back to vmalloc.
Dec 30 19:04:52 localhost kernel: nf_conntrack: falling back to vmalloc.
Dec 30 19:04:52 localhost kernel: nf_conntrack: falling back to vmalloc.

2. This shows the nf_conntrack module is currently running with the following settings (net.nf_conntrack_max is simply a second name for net.netfilter.nf_conntrack_max; both always show the same value):

net.netfilter.nf_conntrack_buckets = 65536

net.netfilter.nf_conntrack_max = 262144

net.nf_conntrack_max = 262144

They can also be listed with the command below (the "reading key ... stable_secret" lines are sysctl complaining about unset IPv6 keys and can be ignored):

[root@localhost sysctl.d]# sysctl -a | grep nf_conntrack
sysctl: reading key "net.ipv6.conf.all.stable_secret"
sysctl: reading key "net.ipv6.conf.default.stable_secret"
sysctl: reading key "net.ipv6.conf.em1.stable_secret"
sysctl: reading key "net.ipv6.conf.em2.stable_secret"
sysctl: reading key "net.ipv6.conf.em3.stable_secret"
sysctl: reading key "net.ipv6.conf.em4.stable_secret"
sysctl: reading key "net.ipv6.conf.lo.stable_secret"
sysctl: reading key "net.ipv6.conf.p4p1.stable_secret"
sysctl: reading key "net.ipv6.conf.p4p2.stable_secret"
net.netfilter.nf_conntrack_acct = 0
net.netfilter.nf_conntrack_buckets = 65536
net.netfilter.nf_conntrack_checksum = 1
net.netfilter.nf_conntrack_count = 72
net.netfilter.nf_conntrack_dccp_loose = 1
net.netfilter.nf_conntrack_dccp_timeout_closereq = 64
net.netfilter.nf_conntrack_dccp_timeout_closing = 64
net.netfilter.nf_conntrack_dccp_timeout_open = 43200
net.netfilter.nf_conntrack_dccp_timeout_partopen = 480
net.netfilter.nf_conntrack_dccp_timeout_request = 240
net.netfilter.nf_conntrack_dccp_timeout_respond = 480
net.netfilter.nf_conntrack_dccp_timeout_timewait = 240
net.netfilter.nf_conntrack_events = 1
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.netfilter.nf_conntrack_expect_max = 1024
net.netfilter.nf_conntrack_frag6_high_thresh = 4194304
net.netfilter.nf_conntrack_frag6_low_thresh = 3145728
net.netfilter.nf_conntrack_frag6_timeout = 60
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_helper = 1
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_log_invalid = 0
net.netfilter.nf_conntrack_max = 262144
net.netfilter.nf_conntrack_sctp_timeout_closed = 10
net.netfilter.nf_conntrack_sctp_timeout_cookie_echoed = 3
net.netfilter.nf_conntrack_sctp_timeout_cookie_wait = 3
net.netfilter.nf_conntrack_sctp_timeout_established = 432000
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_acked = 210
net.netfilter.nf_conntrack_sctp_timeout_heartbeat_sent = 30
net.netfilter.nf_conntrack_sctp_timeout_shutdown_ack_sent = 3
net.netfilter.nf_conntrack_sctp_timeout_shutdown_recd = 0
net.netfilter.nf_conntrack_sctp_timeout_shutdown_sent = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_tcp_max_retrans = 3
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_timestamp = 0
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.nf_conntrack_max = 262144
[root@localhost sysctl.d]#

3. The message "localhost kernel: nf_conntrack: falling back to vmalloc." does not mean connection tracking failed. The kernel first tries to get the hash table as one physically contiguous block of pages (65536 buckets x 8 bytes = 512 KiB, an order-7 allocation); when memory is too fragmented for that, it logs this line and allocates the table with vmalloc instead, which works just as well. The larger the table, the more likely the contiguous allocation fails, so halving hashsize (and nf_conntrack_max along with it) makes the message go away. Be aware of the cost before doing so: nf_conntrack_max is the number of connections the firewall can track at once, and once the table is full the kernel logs "nf_conntrack: table full, dropping packet" and drops new flows, something a SYN flood or a port scan can trigger on purpose. Halving both values, as a test:

[root@localhost ~]# echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
[root@localhost ~]# sysctl -w net.nf_conntrack_max=131072
[root@localhost ~]# sysctl -w net.netfilter.nf_conntrack_max=131072

Watching /var/log/messages, the message still appeared (note that writing a new hashsize reallocates the table, so the echo itself can produce the line once), so halve again:

[root@localhost ~]# echo 16384 > /sys/module/nf_conntrack/parameters/hashsize
[root@localhost ~]# sysctl -w net.nf_conntrack_max=65536
[root@localhost ~]# sysctl -w net.netfilter.nf_conntrack_max=65536

Watching /var/log/messages, the message no longer appears.
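As an added example, not part of the original post, the script below works out what the kernel is actually asking for at each step above: hashsize x 8 bytes (one hlist_nulls_head pointer per bucket on x86_64) rounded up to whole pages, and the power-of-two page order of that allocation. It then counts the free blocks of at least that order in /proc/buddyinfo, which is what decides whether the contiguous allocation succeeds or the vmalloc fallback gets logged. It reads the live /proc/buddyinfo when present and otherwise uses a constructed sample of a fragmented machine; the sample numbers and the function names are the example's own.

```shell
#!/bin/bash
# Added example (not from the original post): size of the nf_conntrack hash
# table for a given bucket count, the page order the kernel has to allocate,
# and whether the buddy allocator currently has a free block that large.
# When it does not, the kernel prints "nf_conntrack: falling back to vmalloc"
# and allocates the table with vmalloc instead; the table still works.

PAGE_SIZE=4096   # x86_64 default page size
SLOT_BYTES=8     # sizeof(struct hlist_nulls_head) on a 64-bit kernel: one pointer

# Bytes needed for the hash table: one slot per bucket.
conntrack_hash_bytes() {
    echo $(( $1 * SLOT_BYTES ))
}

# Page order the kernel requests: smallest n with 2^n pages >= table size.
# (The kernel rounds the bucket count up to whole pages first; the sizes used
# on this page are already multiples of 512 slots, i.e. of one page.)
conntrack_hash_order() {
    local bytes pages order=0
    bytes=$(conntrack_hash_bytes "$1")
    pages=$(( (bytes + PAGE_SIZE - 1) / PAGE_SIZE ))
    while [ $(( 1 << order )) -lt "$pages" ]; do
        order=$(( order + 1 ))
    done
    echo "$order"
}

# Free blocks of the given order OR LARGER across all zones, from /proc/buddyinfo
# text on stdin (a larger block can be split to satisfy a smaller request).
# Columns after "zone <name>" are free-block counts for orders 0..10.
free_blocks_at_least_order() {
    awk -v o="$1" '$3 == "zone" { for (i = 5 + o; i <= NF; i++) s += $i } END { print s + 0 }'
}

# Constructed /proc/buddyinfo sample (not captured from a real host): plenty of
# small free blocks, but nothing at order 7 or above, so a 512 KiB table cannot
# be allocated contiguously while a 128 KiB one (order 5) can.
SAMPLE_BUDDYINFO='Node 0, zone      DMA      1      1      0      1      2      1      1      0      0      0      0
Node 0, zone    DMA32   2812   1913   1024    511    255    120     47      0      0      0      0
Node 0, zone   Normal  10482   5217   2608   1301    650    318     90      0      0      0      0'

# One report line per bucket count: table size, order, free blocks of that order or larger.
report() {
    local buckets=$1 src=$2 bytes order free
    bytes=$(conntrack_hash_bytes "$buckets")
    order=$(conntrack_hash_order "$buckets")
    free=$(printf '%s\n' "$src" | free_blocks_at_least_order "$order")
    printf 'hashsize=%-6s table=%7d bytes  order=%-2s free blocks of order>=%s: %s\n' \
        "$buckets" "$bytes" "$order" "$order" "$free"
}

# Use the live /proc/buddyinfo when readable, otherwise the constructed sample.
if [ -r /proc/buddyinfo ]; then
    BUDDYINFO=$(cat /proc/buddyinfo)
else
    BUDDYINFO=$SAMPLE_BUDDYINFO
fi

# The three sizes tried on this page.
for b in 65536 32768 16384; do
    report "$b" "$BUDDYINFO"
done
```

On a live host, run it right after the message appears; a zero in the last column for the current hashsize confirms fragmentation rather than misconfiguration is the cause, and the order column shows how much the table must shrink before a contiguous allocation is likely to succeed again.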

4. Make the change persistent so it survives a firewall restart or a reboot. On CentOS 7 /etc/rc.d/rc.local only runs at boot after it has been made executable (chmod +x /etc/rc.d/rc.local), as its own header says:

[root@localhost ~]# cat /etc/rc.local 
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
echo 16384 > /sys/module/nf_conntrack/parameters/hashsize
[root@localhost ~]# 

I keep feeling that putting echo 16384 > /sys/module/nf_conntrack/parameters/hashsize into the boot startup items is a clumsy way to do this; is there a better method?

[root@localhost ~]# cat /etc/sysctl.d/99-sysctl.conf 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.netfilter.nf_conntrack_max=65536
[root@localhost ~]# 
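As an added example, not from the original post, the script below writes the same sizing into the files where it is actually honoured, which also removes two fragile points in the setup above. hashsize is a module parameter, so it belongs in /etc/modprobe.d and is applied the moment nf_conntrack loads, whereas the echo in rc.local fails if the module is not loaded yet when rc.local runs. nf_conntrack_max is a sysctl, but the net.netfilter.* keys only exist once the module is loaded; systemd-sysctl runs after systemd-modules-load, so listing the module in /etc/modules-load.d makes the sysctl.d entry apply at boot instead of failing because the key does not exist yet. The sysctl file is still needed: when hashsize is given explicitly the kernel defaults nf_conntrack_max to 8 x hashsize, not the 4 x ratio seen on this page. The file names, the install-root argument and the function names are this example's own choices; the demo stages into a temporary directory so it runs unprivileged, and on the real host you would pass / as root and then reboot or reload the module.

```shell
#!/bin/bash
# Added example (not from the original post): persist nf_conntrack sizing in
# the places the kernel and systemd read it, instead of echoing into sysfs
# from rc.local.
#
#  etc/modprobe.d/nf_conntrack.conf      hashsize is a module parameter, so it
#                                        is applied when the module loads
#  etc/modules-load.d/nf_conntrack.conf  loads the module at boot so the
#                                        net.netfilter.* sysctl keys exist when
#                                        systemd-sysctl runs (it is ordered
#                                        after systemd-modules-load)
#  etc/sysctl.d/99-nf_conntrack.conf     nf_conntrack_max is a sysctl, not a
#                                        module parameter; with hashsize set
#                                        explicitly the kernel would default it
#                                        to 8 * hashsize, so pin it here

# install_conntrack_sizing ROOT HASHSIZE MAX
# Writes the three files under ROOT (use / on the real host, as root).
install_conntrack_sizing() {
    local root=$1 hashsize=$2 max=$3

    # A max below the bucket count leaves most buckets permanently empty and
    # tracks fewer flows than the table could hold; refuse it.
    if [ "$max" -lt "$hashsize" ]; then
        echo "nf_conntrack_max ($max) must not be below hashsize ($hashsize)" >&2
        return 1
    fi

    mkdir -p "$root/etc/modprobe.d" "$root/etc/modules-load.d" "$root/etc/sysctl.d"

    printf 'options nf_conntrack hashsize=%s\n' "$hashsize" \
        > "$root/etc/modprobe.d/nf_conntrack.conf"

    printf 'nf_conntrack\n' > "$root/etc/modules-load.d/nf_conntrack.conf"

    printf 'net.netfilter.nf_conntrack_max = %s\n' "$max" \
        > "$root/etc/sysctl.d/99-nf_conntrack.conf"
}

# verify_live_sizing HASHSIZE MAX
# Read-only check for the running host after a reboot. Returns 0 when the live
# values match, 1 when they differ, 2 when the module is not loaded at all.
verify_live_sizing() {
    local hashsize=$1 max=$2 live_hash live_max
    if [ ! -r /sys/module/nf_conntrack/parameters/hashsize ]; then
        echo "nf_conntrack is not loaded"
        return 2
    fi
    live_hash=$(cat /sys/module/nf_conntrack/parameters/hashsize)
    live_max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
    echo "live hashsize=$live_hash nf_conntrack_max=$live_max"
    [ "$live_hash" = "$hashsize" ] && [ "$live_max" = "$max" ]
}

# Demo: stage the files for the values chosen on this page and show them.
STAGE=$(mktemp -d)
install_conntrack_sizing "$STAGE" 16384 65536
for f in etc/modprobe.d/nf_conntrack.conf \
         etc/modules-load.d/nf_conntrack.conf \
         etc/sysctl.d/99-nf_conntrack.conf; do
    printf '== %s\n' "$f"
    cat "$STAGE/$f"
done
rm -rf "$STAGE"

# Harmless on a host without the module; reports the live values where it is loaded.
verify_live_sizing 16384 65536 || true
```

If you adopt this, remove the duplicate net.netfilter.nf_conntrack_max line from /etc/sysctl.d/99-sysctl.conf and the echo from /etc/rc.d/rc.local so there is a single source for each value, then confirm with verify_live_sizing after the next reboot. Keep watching net.netfilter.nf_conntrack_count against nf_conntrack_max afterwards: the smaller table bought quiet logs at the price of a quarter of the original connection-tracking capacity.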
