Error Codes Wiki

Linux nftables Connection Tracking Table Full — What It Means & How to Fix It


About Linux nftables Connection Tracking Table Full

Fix the Linux nf_conntrack "table full" error, which drops connections once the connection tracking table exceeds its maximum size. This guide covers the common causes, step-by-step solutions, and frequently asked questions about the problem.


This article is part of our Linux Error Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.

Quick Answer

How do I calculate the right nf_conntrack_max?

A good starting point is total_ram_in_bytes / 16384. For 16GB RAM: 16*1024*1024*1024/16384 = 1,048,576 entries. Each entry uses ~300 bytes, so 1M entries = ~300MB RAM. Adjust based on your traffic patterns.

Overview

Fix the Linux nf_conntrack "table full" error, which drops connections once the connection tracking table exceeds its maximum size.

Key Details

  • nf_conntrack tracks all active network connections for stateful firewalling and NAT
  • When the table fills up, new connections are dropped with 'table full, dropping packet' in dmesg
  • The default maximum entries (nf_conntrack_max) may be too low for high-traffic servers
  • Each entry consumes approximately 300 bytes of kernel memory

Common Causes

  • High number of concurrent connections (web servers, load balancers, NAT gateways)
  • DDoS attack or port scan creating many tracked connections
  • Long connection timeouts keeping stale entries in the table
  • nf_conntrack_max set too low for the server's workload

Steps

  1. Check current table usage: cat /proc/sys/net/netfilter/nf_conntrack_count and /proc/sys/net/netfilter/nf_conntrack_max
  2. Increase the maximum: sysctl -w net.netfilter.nf_conntrack_max=524288
  3. Reduce timeouts for inactive connections: sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
  4. Make permanent by adding to /etc/sysctl.conf: net.netfilter.nf_conntrack_max = 524288
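The steps above as one script, added here as an example and not taken from the original page: it reads the live counters, applies the page's RAM / 16384 rule of thumb and its ~300 bytes-per-entry estimate, and prints the sysctl lines to persist. The function names, the 80% warning threshold and the sample values in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: inspect conntrack usage and derive
# a sysctl snippet using the page's rule of thumb (RAM bytes / 16384) and its
# ~300 bytes-per-entry estimate. Function names, the 80% warning threshold and
# the constructed sample values are this example's own assumptions.

# Integer percentage of the table in use: count * 100 / max.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Recommended nf_conntrack_max for a host with $1 bytes of RAM (page formula).
# Constructed sample: 17179869184 bytes (16 GiB) gives 1048576 entries.
recommended_max() {
    echo $(( $1 / 16384 ))
}

# Approximate kernel memory (MiB) consumed by $1 entries at ~300 bytes each.
conntrack_mem_mib() {
    echo $(( $1 * 300 / 1048576 ))
}

# Emit the lines to persist in /etc/sysctl.conf: max from $1, established TCP
# timeout from $2 (the page uses 3600 seconds).
sysctl_snippet() {
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1"
    printf 'net.netfilter.nf_conntrack_tcp_timeout_established = %s\n' "$2"
}

# Read the live counters from /proc and warn when usage reaches the threshold.
# Raising nf_conntrack_max alone does not grow the hash table; its bucket count
# is exposed at /sys/module/nf_conntrack/parameters/hashsize once the module is loaded.
check_live() {
    threshold=${1:-80}
    dir=/proc/sys/net/netfilter
    [ -r "$dir/nf_conntrack_count" ] || { echo "nf_conntrack is not loaded"; return 2; }
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    ram=$(awk '/^MemTotal:/ { printf "%.0f", $2 * 1024 }' /proc/meminfo)
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack entries: $count / $max (${pct}%)"
    echo "suggested nf_conntrack_max for this RAM: $(recommended_max "$ram")"
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: table is ${pct}% full; raise the maximum or shorten timeouts:"
        sysctl_snippet "$(recommended_max "$ram")" 3600
    fi
}
```

Run `check_live` on the host to see the live counters; the other functions take explicit values so the arithmetic can be checked without root.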

Tags

nf_conntrack, conntrack, nftables, iptables, connection-tracking
