Analyzer sys-nf-conntrack
Name
sys-nf-conntrack - current nf_conntrack configuration and its recommended values
This analyzer collects the current nf_conntrack sysctl values and calculates recommended values based on the system's resources (chiefly total memory). When the nf_conntrack table is full, the kernel can no longer create new entries for incoming connections. Any new connection that arrives at this point is dropped at the netfilter layer with no RST and no ICMP unreachable; the only trace is a rate-limited "nf_conntrack: table full, dropping packet" line in the kernel log. From the client's perspective the connection simply hangs until it times out. Because every tracked flow occupies an entry until its timeout expires, a full table is reached fastest under SYN or UDP floods, which is why the analyzer also reports the per-state timeouts alongside the table size.
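The following POSIX shell script is an added example, not part of OpenResty XRay or its analyzer source. It reproduces the checks that appear in the analyzer's report (table capacity, usage status, "table full" kernel log hits, and the timeout comparison) so they can be run on a host without orxray. The sizing rule it uses (nf_conntrack_max = system RAM in MB * 64, nf_conntrack_buckets = nf_conntrack_max / 4) and the 60% status threshold are read off the sample report on this page; it is an assumption that the analyzer applies exactly this rule. The sample kernel log lines in the script are constructed.

```shell
#!/bin/sh
# Added example (not OpenResty XRay code): reproduce the conntrack checks
# shown in the sys-nf-conntrack report on a plain Linux host.
# ASSUMPTIONS (inferred from the sample report, not from the analyzer source):
#   recommended nf_conntrack_max     = system RAM in MB * 64
#   recommended nf_conntrack_buckets = nf_conntrack_max / 4
#   status is "OK (<60%)" while usage is below 60% of nf_conntrack_max

recommend_max() {            # $1 = system memory in MB
    echo $(( $1 * 64 ))
}

recommend_buckets() {        # $1 = nf_conntrack_max
    echo $(( $1 / 4 ))
}

usage_pct() {                # $1 = current entries, $2 = nf_conntrack_max
    echo $(( $1 * 100 / $2 ))
}

usage_status() {             # $1 = current entries, $2 = nf_conntrack_max
    pct=$(usage_pct "$1" "$2")
    if [ "$pct" -lt 60 ]; then
        echo "OK (<60%)"
    else
        echo "WARN (${pct}%) - raise nf_conntrack_max or shorten timeouts"
    fi
}

# Count "table full" drop events in kernel log text read from stdin.
# grep -c exits 1 when the count is 0, so force success for callers using set -e.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Read a net.netfilter sysctl from /proc, or fall back to the given value
# (the fallbacks below are the "Current" column of the sample report).
read_sysctl_or() {           # $1 = key under net.netfilter, $2 = fallback
    f="/proc/sys/net/netfilter/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "$2"; fi
}

main() {
    mem_mb=$(awk '/MemTotal/ {printf "%d", $2/1024}' /proc/meminfo 2>/dev/null)
    [ -n "$mem_mb" ] || mem_mb=63783          # constructed fallback

    cur=$(read_sysctl_or nf_conntrack_count 8)
    max=$(read_sysctl_or nf_conntrack_max 262144)
    buckets=$(read_sysctl_or nf_conntrack_buckets 262144)
    rec_max=$(recommend_max "$mem_mb")

    printf '%-28s %10s %12s  %s\n' Metric Current Recommended Status
    printf '%-28s %10s %12s  %s\n' "Current entries" "$cur" - -
    printf '%-28s %10s %12s  %s\n' "Max entries" "$max" "$rec_max" "$(usage_status "$cur" "$max")"
    printf '%-28s %10s %12s  %s\n' "Hash buckets" "$buckets" "$(recommend_buckets "$rec_max")" -

    # Constructed dmesg sample; on a real host replace with: dmesg | count_table_full
    hits=$(printf '[ 10.1] eth0: link up\n[ 90.4] nf_conntrack: table full, dropping packet\n' \
           | count_table_full)
    printf '%-28s %10s %12s  %s\n' "dmesg table full hits" "$hits" 0 \
        "$([ "$hits" -eq 0 ] && echo 'OK - no drops' || echo 'DROPS SEEN')"

    # Timeout comparison: recommended values copied from the sample report.
    printf '\n%-40s %10s %12s\n' Parameter 'Current(s)' 'Recommended(s)'
    while read -r key cur_fallback rec; do
        printf '%-40s %10s %12s\n' "$key" "$(read_sysctl_or "$key" "$cur_fallback")" "$rec"
    done <<EOF
nf_conntrack_tcp_timeout_established 432000 600
nf_conntrack_tcp_timeout_time_wait 120 30
nf_conntrack_tcp_timeout_syn_sent 120 10
nf_conntrack_tcp_timeout_syn_recv 60 10
nf_conntrack_udp_timeout 30 20
nf_conntrack_generic_timeout 600 60
EOF
}

main "$@"
```

Before applying a 600 s established timeout in production, check that long-lived idle connections through the box (database pools, persistent upstreams) send TCP keepalives more often than that, or the conntrack entry expires first and the next packet is dropped as an untracked flow.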
Resource Category
Network I/O.
Application Type & Technical Stack
- All
Command Line Syntax
The analyzer can be invoked directly on the command line via the orxray utility from the openresty-xray-cli software package.
Alternatively, the analyzer can be invoked manually or automatically from the OpenResty XRay web console UI (for example, on the Advanced page).
# PID is the target process PID.
orxray analyzer run sys-nf-conntrack -p PID
# trace a shell command directly
orxray analyzer run sys-nf-conntrack -c SHELL_CMD
# PGID is the process group ID or any process's PID within the target process
# group.
orxray analyzer run sys-nf-conntrack -p -PGID
# trace any processes started from the specified executable path.
orxray analyzer run sys-nf-conntrack --exe /path/to/exe/file
Tracing Multiple Processes
Supported.
Output Formats
- Tables
- Plain Texts
Output Example
[
{
"type": "table",
"title": "nf_conntrack System Check Report",
"subtitle": "Current and recommended values",
"data": [
[ "Metric", "Current", "Recommended", "Status" ],
[ "Current entries (max)", 8, "-", "-" ],
[ "Max entries (max)", 262144, 4082112, "OK (<60%)" ],
[ "Hash buckets", 262144, 1020528, "-" ],
[ "Usage", "0%", "<60%", "OK (<60%)" ],
[ "dmesg table full hits", 0, 0, "OK - no drops" ],
[ "System memory", "63783 MB", "-", "-" ]
]
},
{
"type": "table",
"title": "TCP Timeouts",
"subtitle": "Current and recommended values",
"data": [
[ "Parameter", "Current (s)", "Recommended (s)", "Note" ],
[ "nf_conntrack_tcp_timeout_established", 432000, 600, "Most impactful on table capacity" ],
[ "nf_conntrack_tcp_timeout_time_wait", 120, 30, "Fast TIME_WAIT recycle" ],
[ "nf_conntrack_tcp_timeout_close_wait", 60, 30, "Passive close" ],
[ "nf_conntrack_tcp_timeout_fin_wait", 120, 30, "Active close FIN" ],
[ "nf_conntrack_tcp_timeout_close", 10, 10, "Both sides closed" ],
[ "nf_conntrack_tcp_timeout_syn_sent", 120, 10, "Prevent SYN backlog" ],
[ "nf_conntrack_tcp_timeout_syn_recv", 60, 10, "Prevent SYN flood buildup" ],
[ "nf_conntrack_tcp_timeout_last_ack", 30, 10, "Last ACK wait" ]
]
},
{
"type": "table",
"title": "UDP / ICMP / Other Timeouts",
"subtitle": "Current and recommended values",
"data": [
[ "Parameter", "Current (s)", "Recommended (s)", "Note" ],
[ "nf_conntrack_udp_timeout", 30, 20, "Generic UDP" ],
[ "nf_conntrack_udp_timeout_stream", 120, 60, "Bidirectional UDP stream" ],
[ "nf_conntrack_icmp_timeout", 30, 5, "ICMP" ],
[ "nf_conntrack_generic_timeout", 600, 60, "Other protocols" ]
]
},
{
"type": "table",
"title": "Recommended Configuration",
"subtitle": "Current and recommended values",
"data": [
[ "command" ],
[ "# Write to /etc/sysctl.d/99-conntrack.conf and apply:\nnet.netfilter.nf_conntrack_max = 4082112\nnet.netfilter.nf_conntrack_buckets = 1020528\nnet.netfilter.nf_conntrack_tcp_timeout_established = 600\nnet.netfilter.nf_conntrack_tcp_timeout_time_wait = 30\nnet.netfilter.nf_conntrack_tcp_timeout_close_wait = 30\nnet.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30\nnet.netfilter.nf_conntrack_tcp_timeout_close = 10\nnet.netfilter.nf_conntrack_tcp_timeout_syn_sent = 10\nnet.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10\nnet.netfilter.nf_conntrack_tcp_timeout_last_ack = 10\nnet.netfilter.nf_conntrack_udp_timeout = 20\nnet.netfilter.nf_conntrack_udp_timeout_stream = 60\nnet.netfilter.nf_conntrack_icmp_timeout = 5\nnet.netfilter.nf_conntrack_generic_timeout = 60\n" ],
[ "# Run sysctl -p to apply config\nsysctl -p /etc/sysctl.d/99-conntrack.conf\n" ]
]
}
]
Author
The OpenResty Inc. Team.
Copyright
Copyright (C) by OpenResty Inc. All rights reserved.