Fórum Debian

Full Version: Network interface errors
Gentlemen,

I am running Debian GNU/Linux 6.0 \n \l 6.0.4 on a network server that uses only iptables to route/share the internet connection, and I am seeing many errors on the interfaces, as shown below:


eth1 Link encap:Ethernet Endereço de HW 00:10:18:77:76:10
inet end.: x.x.x.x Bcast: x.x.x.x Masc: x.x.x.x
endereço inet6: fe80::210:18ff:fe77:7610/64 Escopo:Link
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:7424498757 errors:365192 dropped:1362735569 overruns:0 frame:365192
TX packets:4827503799 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:5290647511716 (4.8 TiB) TX bytes:1787958805865 (1.6 TiB)
IRQ:16 Memória:fa000000-fa012800

eth2 Link encap:Ethernet Endereço de HW 00:10:18:77:76:12
inet end.: x.x.x.x Bcast:x.x.x.x Masc:x.x.x.x
UP BROADCASTRUNNING MULTICAST MTU:1500 Métrica:1
RX packets:4877085859 errors:272 dropped:272 overruns:0 frame:272
TX packets:5961674054 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:1000
RX bytes:1803036038692 (1.6 TiB) TX bytes:5201440066942 (4.7 TiB)
IRQ:17 Memória:fc000000-fc012800

lo Link encap:Loopback Local
inet end.: 127.0.0.1 Masc:255.0.0.0
endereço inet6: ::1/128 Escopo:Máquina
UP LOOPBACKRUNNING MTU:16436 Métrica:1
RX packets:27 errors:0 dropped:0 overruns:0 frame:0
TX packets:27 errors:0 dropped:0 overruns:0 carrier:0
colisões:0 txqueuelen:0
RX bytes:2296 (2.2 KiB) TX bytes:2296 (2.2 KiB)

dmesg is also showing the message below:


[484572.092589] __ratelimit: 35 callbacks suppressed
[484572.092593] nf_conntrack: table full, dropping packet.
[484572.106835] nf_conntrack: table full, dropping packet.
[484572.144275] nf_conntrack: table full, dropping packet.
[484572.249409] nf_conntrack: table full, dropping packet.
[484579.414728] nf_conntrack: table full, dropping packet.
[484579.951002] nf_conntrack: table full, dropping packet.
[484580.821773] nf_conntrack: table full, dropping packet.
[484582.383525] nf_conntrack: table full, dropping packet.

Do you have any tips to help me work out the cause of these errors?

Below is my machine's configuration:

processor : 3
vendor_id : GenuineIntel
cpu family : 6
model : 23
model name : Intel® Core™2 Quad CPU Q9550 @ 2.83GHz
stepping : 7
cpu MHz : 1998.000
cache size : 6144 KB

MemTotal: 3869048 kB
MemFree: 2217820 kB
Buffers: 14932 kB
Cached: 1388504 kB
SwapCached: 0 kB

[ 0.615613] eth1: Broadcom NetXtreme II BCM5709 1000Base-T (C0) PCI Express found at mem fa000000, IRQ 16, node addr 00:10:18:77:76:10
[ 0.619661] eth2: Broadcom NetXtreme II BCM5709 1000Base-T (C0) PCI Express found at mem fc000000, IRQ 17, node addr 00:10:18:77:76:12

mii-tool
eth1: negotiated 1000baseT-FD flow-control, link ok
eth2: negotiated 1000baseT-FD flow-control, link ok

I'm counting on your help!

Hi there, did you get any response about this problem of yours? I'm facing a very similar situation.

Regards,

Good morning!

Actually, nobody replied at all, and the error messages on the interface decreased significantly when I changed some kernel parameters for performance.

The messages below still appear, but the server is working without problems.

[484572.092589] __ratelimit: 35 callbacks suppressed
[484572.092593] nf_conntrack: table full, dropping packet.

Below are the parameters I changed in the kernel to get better performance.

sysctl -w net.ipv4.neigh.default.gc_interval=15
sysctl -w net.ipv4.neigh.default.gc_thresh1=16384
sysctl -w net.ipv4.neigh.default.gc_thresh2=32768
sysctl -w net.ipv4.neigh.default.gc_thresh3=65535
sysctl -w net.core.somaxconn=20480
sysctl -w net.core.netdev_max_backlog=2048
sysctl -w net.ipv4.tcp_fin_timeout=10
sysctl -w net.ipv4.tcp_tw_recycle=1
sysctl -w net.ipv4.tcp_tw_reuse=1
sysctl -w net.ipv4.tcp_syn_retries=1
sysctl -w net.ipv4.tcp_synack_retries=1
sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Cheers

If you post the iptables rules it will be easier to help.
Also post the contents of the /etc/sysctl.conf file. Some of the parameter values passed to the kernel may not be correct.

Here is the iptables output

Chain INPUT (policy DROP 602K packets, 48M bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
1618K 192M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
30823 14M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
8 480 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=64
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp option=128
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x13 limit: avg 1/sec burst 5
1329 43120 DROP udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:33435:33525
0 0 DROP all -- eth1 * 127.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 224.0.0.0/8 0.0.0.0/0
115 19191 DROP all -- * * 0.0.0.0/0 224.0.0.0/8
0 0 DROP all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 10.0.0.0/8
0 0 DROP all -- * * 172.16.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 172.16.0.0/16
0 0 DROP all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 192.168.0.0/24
109K 7930K ACCEPT all -- * * 186.232.246.1 0.0.0.0/0
0 0 ACCEPT tcp -- * * 201.48.78.230 201.48.78.229 tcp dpt:179 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10255 state NEW
70476 6898K ACCEPT udp -- * * 186.232.246.0/26 0.0.0.0/0 udp dpt:161 state NEW

Chain FORWARD (policy DROP 54M packets, 15G bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
13G 9920G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 178.216.144.75 0.0.0.0/0
9989 559K DROP all -- * * 0.0.0.0/0 178.216.144.75
14764 723K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:135
144 8925 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:135
86 4120 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:137
399K 32M DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
117K 5832K DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
222 14600 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:139
842K 42M DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
473 29234 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:445
97139 29M DROP all -- * * 10.0.0.0/8 0.0.0.0/0
9954K 762M DROP all -- * * 0.0.0.0/0 10.0.0.0/8
1309 295K DROP all -- * * 172.16.0.0/16 0.0.0.0/0
102K 8236K DROP all -- * * 0.0.0.0/0 172.16.0.0/16
54610 6951K DROP all -- * * 192.168.0.0/16 0.0.0.0/0
7591K 626M DROP all -- * * 0.0.0.0/0 192.168.0.0/16
15M 1380M ACCEPT all -- * * 186.232.246.0/24 0.0.0.0/0
484K 80M ACCEPT all -- * * 0.0.0.0/0 186.232.246.0/24

Here is the sysctl.conf

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additonal system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.neigh.default.gc_interval = 15
net.ipv4.neigh.default.gc_thresh1 = 16384
net.ipv4.neigh.default.gc_thresh2 = 32768
net.ipv4.neigh.default.gc_thresh3 = 65535
net.core.somaxconn = 40960
net.core.netdev_max_backlog = 4096
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_max_syn_backlog = 4096

For testing purposes, make a backup of the file, then comment out all the options referring to ipv4 and ipv6:

Code:
sysctl -w
sysctl -p
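
Added example (not part of the thread or of any poster's code): a shell check for the `nf_conntrack: table full` condition quoted above. It compares the conntrack entry count with the configured limit and tallies the drop messages in dmesg text. The function names and the 80%/95% thresholds are assumptions; the sample count is constructed, and 131072 is the limit from the posted sysctl.conf.

```sh
#!/bin/sh
# Added example, not from the thread. Thresholds and function names are assumptions.

# Print "count max percent" for the conntrack table described by directory $1.
conntrack_usage() {
    dir="${1:-/proc/sys/net/netfilter}"
    count=$(cat "$dir/nf_conntrack_count" 2>/dev/null) || return 2
    max=$(cat "$dir/nf_conntrack_max" 2>/dev/null) || return 2
    [ "$max" -gt 0 ] || return 2
    echo "$count $max $((count * 100 / max))"
}

# Classify table pressure: ok (<80%), warn (80-94%), full (>=95%).
conntrack_status() {
    usage=$(conntrack_usage "$1") || { echo "unknown"; return 2; }
    set -- $usage
    if [ "$3" -ge 95 ]; then echo "full"
    elif [ "$3" -ge 80 ]; then echo "warn"
    else echo "ok"
    fi
}

# Summarise dmesg text on stdin. "suppressed" is the kernel's count of
# rate-limited messages, which may include messages other than conntrack drops.
conntrack_drops() {
    awk '
        /nf_conntrack: table full, dropping packet/ { logged++ }
        /__ratelimit: [0-9]+ callbacks suppressed/ {
            for (i = 1; i < NF; i++)
                if ($i == "__ratelimit:") suppressed += $(i + 1)
        }
        END { printf "logged=%d suppressed=%d\n", logged, suppressed }
    '
}

# Sample input: the count is constructed; the dmesg lines are quoted from the thread.
sample_dir=$(mktemp -d)
echo 130000 > "$sample_dir/nf_conntrack_count"
echo 131072 > "$sample_dir/nf_conntrack_max"
sample_dmesg='[484572.092589] __ratelimit: 35 callbacks suppressed
[484572.092593] nf_conntrack: table full, dropping packet.
[484572.106835] nf_conntrack: table full, dropping packet.'

echo "usage:  $(conntrack_usage "$sample_dir")"
echo "status: $(conntrack_status "$sample_dir")"
echo "dmesg:  $(printf '%s\n' "$sample_dmesg" | conntrack_drops)"
rm -rf "$sample_dir"
```

On a live gateway, call `conntrack_status` with no argument and pipe `dmesg` into `conntrack_drops`.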