linux – ping: sendmsg: Operation not permitted (sometimes)


On an Ubuntu 14.04 machine running HAProxy, after a service haproxy reload, HAProxy suddenly reports all the servers behind it.

After some digging, I noticed that ping does not work properly: sometimes it pings successfully, and then a few seconds later we get the error ping: sendmsg: Operation not permitted.

It also cannot resolve subdomain.domain.com.

iptables -L shows no rules. iptables --flush did not help.

Any ideas?

root@some-test:~# ping 107.1.1.1
PING 107.1.1.1 (107.1.1.1) 56(84) bytes of data.
64 bytes from 107.1.1.1: icmp_seq=1 ttl=63 time=0.425 ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from 107.1.1.1: icmp_seq=6 ttl=63 time=0.390 ms
64 bytes from 107.1.1.1: icmp_seq=7 ttl=63 time=0.533 ms
64 bytes from 107.1.1.1: icmp_seq=8 ttl=63 time=0.357 ms
64 bytes from 107.1.1.1: icmp_seq=9 ttl=63 time=0.343 ms
64 bytes from 107.1.1.1: icmp_seq=10 ttl=63 time=0.380 ms
64 bytes from 107.1.1.1: icmp_seq=11 ttl=63 time=0.398 ms
64 bytes from 107.1.1.1: icmp_seq=12 ttl=63 time=0.423 ms
64 bytes from 107.1.1.1: icmp_seq=13 ttl=63 time=0.293 ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from 107.1.1.1: icmp_seq=16 ttl=63 time=0.371 ms
64 bytes from 107.1.1.1: icmp_seq=17 ttl=63 time=0.374 ms
64 bytes from 107.1.1.1: icmp_seq=18 ttl=63 time=0.305 ms
64 bytes from 107.1.1.1: icmp_seq=19 ttl=63 time=0.259 ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from 107.1.1.1: icmp_seq=24 ttl=63 time=0.370 ms
64 bytes from 107.1.1.1: icmp_seq=25 ttl=63 time=0.316 ms
64 bytes from 107.1.1.1: icmp_seq=26 ttl=63 time=0.412 ms
64 bytes from 107.1.1.1: icmp_seq=27 ttl=63 time=0.512 ms
64 bytes from 107.1.1.1: icmp_seq=28 ttl=63 time=0.375 ms
64 bytes from 107.1.1.1: icmp_seq=29 ttl=63 time=0.352 ms
64 bytes from 107.1.1.1: icmp_seq=30 ttl=63 time=0.331 ms
64 bytes from 107.1.1.1: icmp_seq=31 ttl=63 time=0.290 ms
64 bytes from 107.1.1.1: icmp_seq=32 ttl=63 time=0.353 ms
64 bytes from 107.1.1.1: icmp_seq=33 ttl=63 time=0.378 ms
64 bytes from 107.1.1.1: icmp_seq=34 ttl=63 time=0.523 ms
64 bytes from 107.1.1.1: icmp_seq=35 ttl=63 time=0.351 ms
64 bytes from 107.1.1.1: icmp_seq=36 ttl=63 time=0.302 ms
64 bytes from 107.1.1.1: icmp_seq=37 ttl=63 time=0.496 ms
64 bytes from 107.1.1.1: icmp_seq=38 ttl=63 time=0.377 ms
64 bytes from 107.1.1.1: icmp_seq=39 ttl=63 time=0.357 ms
64 bytes from 107.1.1.1: icmp_seq=40 ttl=63 time=0.396 ms
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
64 bytes from 107.1.1.1: icmp_seq=52 ttl=63 time=0.372 ms
64 bytes from 107.1.1.1: icmp_seq=53 ttl=63 time=0.412 ms
64 bytes from 107.1.1.1: icmp_seq=54 ttl=63 time=0.321 ms
64 bytes from 107.1.1.1: icmp_seq=55 ttl=63 time=0.366 ms
64 bytes from 107.1.1.1: icmp_seq=56 ttl=63 time=0.379 ms
64 bytes from 107.1.1.1: icmp_seq=57 ttl=63 time=0.395 ms
64 bytes from 107.1.1.1: icmp_seq=58 ttl=63 time=0.488 ms
64 bytes from 107.1.1.1: icmp_seq=59 ttl=63 time=0.513 ms
64 bytes from 107.1.1.1: icmp_seq=60 ttl=63 time=0.435 ms
^C
--- 107.1.1.1 ping statistics ---
60 packets transmitted, 39 received, 35% packet loss, time 59008ms
rtt min/avg/max/mdev = 0.259/0.385/0.533/0.067 ms

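Solution

I think the problem is that the number of connections in conntrack has been exceeded, so new connections cannot be established until old ones expire. You can probably see something like this in dmesg:

[1824447.285257] nf_conntrack: table full, dropping packet.
[1824447.522502] nf_conntrack: table full, dropping packet.

You can see the current conntrack maximum:

undefine@uml:~$ sudo sysctl net.nf_conntrack_max
net.nf_conntrack_max = 65536

and the current conntrack count:

undefine@uml:~$ sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 157

You can show the current connections with conntrack -L (a tool from the conntrack package). It is useful to look there and check their types; some may be unnecessary.

You have three possibilities:

- Do not use conntrack (simple: do not use the nat table and unload the nf_conntrack module)
- Disable conntrack for outgoing connections (use -j NOTRACK in the raw table for the problematic connections)
- Increase the number of connections:

undefine@uml:~$ sudo sysctl net.nf_conntrack_max=512000
net.nf_conntrack_max = 512000

Or put net.nf_conntrack_max = 512000 into /etc/sysctl.conf and then call sysctl -w to reload it.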
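
A check for the condition the answer describes, as an added example that is not part of the original answer: it compares nf_conntrack_count with nf_conntrack_max and counts the "table full, dropping packet" kernel messages. The function names, the 80% warning threshold and the sample log lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): conntrack table pressure check.

# Count kernel-log lines reporting conntrack drops; log text is read from stdin.
count_conntrack_drops() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Integer percentage of the table in use: usage_percent COUNT MAX
usage_percent() {
    local count=$1 max=$2
    [ "$max" -gt 0 ] || { echo "max must be > 0" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# Classify table state: conntrack_status COUNT MAX DROPS [WARN_PCT]
# WARN_PCT (default 80) is an assumed alert threshold, not a kernel setting.
conntrack_status() {
    local count=$1 max=$2 drops=$3 warn=${4:-80} pct
    pct=$(usage_percent "$count" "$max") || return 1
    if [ "$drops" -gt 0 ] || [ "$count" -ge "$max" ]; then
        echo "FULL pct=$pct drops=$drops"
    elif [ "$pct" -ge "$warn" ]; then
        echo "WARN pct=$pct drops=$drops"
    else
        echo "OK pct=$pct drops=$drops"
    fi
}

# Read live values from the running kernel (requires nf_conntrack to be loaded).
check_live() {
    local dir=/proc/sys/net/netfilter drops
    [ -r "$dir/nf_conntrack_count" ] || { echo "nf_conntrack not loaded"; return 0; }
    drops=$(dmesg 2>/dev/null | count_conntrack_drops)
    conntrack_status "$(cat "$dir/nf_conntrack_count")" "$(cat "$dir/nf_conntrack_max")" "$drops"
}

# Constructed sample log, in the shape of the dmesg lines quoted above.
SAMPLE_LOG='[100.000001] nf_conntrack: table full, dropping packet.
[100.200002] eth0: link up
[100.300003] nf_conntrack: table full, dropping packet.'

sample_drops=$(printf '%s\n' "$SAMPLE_LOG" | count_conntrack_drops)
conntrack_status 65536 65536 "$sample_drops"   # sample: table at its limit
if [ "${1:-}" = live ]; then check_live; fi
```

Run with the argument live to evaluate the running kernel; a FULL result means drops were logged since boot or the count has reached the maximum.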


Original URL: http://outofmemory.cn/yw/1038353.html
