经过一番挖掘后,我注意到Ping无法正常工作,有时它能够成功Ping通,然后几秒钟后我们得到错误Ping:sendmsg:不允许 *** 作.
它也无法解析subdomain.domain.com.
iptables -L没有显示任何规则. iptables –flush没有帮助.
有任何想法吗?
root@some-test:~# Ping 107.1.1.1Ping 107.1.1.1 (107.1.1.1) 56(84) bytes of data.64 bytes from 107.1.1.1: icmp_seq=1 ttl=63 time=0.425 msPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permitted64 bytes from 107.1.1.1: icmp_seq=6 ttl=63 time=0.390 ms64 bytes from 107.1.1.1: icmp_seq=7 ttl=63 time=0.533 ms64 bytes from 107.1.1.1: icmp_seq=8 ttl=63 time=0.357 ms64 bytes from 107.1.1.1: icmp_seq=9 ttl=63 time=0.343 ms64 bytes from 107.1.1.1: icmp_seq=10 ttl=63 time=0.380 ms64 bytes from 107.1.1.1: icmp_seq=11 ttl=63 time=0.398 ms64 bytes from 107.1.1.1: icmp_seq=12 ttl=63 time=0.423 ms64 bytes from 107.1.1.1: icmp_seq=13 ttl=63 time=0.293 msPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permitted64 bytes from 107.1.1.1: icmp_seq=16 ttl=63 time=0.371 ms64 bytes from 107.1.1.1: icmp_seq=17 ttl=63 time=0.374 ms64 bytes from 107.1.1.1: icmp_seq=18 ttl=63 time=0.305 ms64 bytes from 107.1.1.1: icmp_seq=19 ttl=63 time=0.259 msPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permitted64 bytes from 107.1.1.1: icmp_seq=24 ttl=63 time=0.370 ms64 bytes from 107.1.1.1: icmp_seq=25 ttl=63 time=0.316 ms64 bytes from 107.1.1.1: icmp_seq=26 ttl=63 time=0.412 ms64 bytes from 107.1.1.1: icmp_seq=27 ttl=63 time=0.512 ms64 bytes from 107.1.1.1: icmp_seq=28 ttl=63 time=0.375 ms64 bytes from 107.1.1.1: icmp_seq=29 ttl=63 time=0.352 ms64 bytes from 107.1.1.1: icmp_seq=30 ttl=63 time=0.331 ms64 bytes from 107.1.1.1: icmp_seq=31 ttl=63 time=0.290 ms64 bytes from 107.1.1.1: icmp_seq=32 ttl=63 time=0.353 ms64 bytes from 107.1.1.1: icmp_seq=33 ttl=63 time=0.378 ms64 bytes from 107.1.1.1: icmp_seq=34 ttl=63 time=0.523 ms64 bytes from 107.1.1.1: icmp_seq=35 ttl=63 time=0.351 ms64 bytes from 107.1.1.1: icmp_seq=36 ttl=63 time=0.302 ms64 bytes from 107.1.1.1: icmp_seq=37 ttl=63 time=0.496 ms64 bytes from 107.1.1.1: icmp_seq=38 ttl=63 time=0.377 ms64 bytes from 107.1.1.1: icmp_seq=39 ttl=63 time=0.357 ms64 bytes from 107.1.1.1: icmp_seq=40 ttl=63 time=0.396 msPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permittedPing: sendmsg: Operation not permitted64 bytes from 107.1.1.1: icmp_seq=52 ttl=63 time=0.372 ms64 bytes from 107.1.1.1: icmp_seq=53 ttl=63 time=0.412 ms64 bytes from 107.1.1.1: icmp_seq=54 ttl=63 time=0.321 ms64 bytes from 107.1.1.1: icmp_seq=55 ttl=63 time=0.366 ms64 bytes from 107.1.1.1: icmp_seq=56 ttl=63 time=0.379 ms64 bytes from 107.1.1.1: icmp_seq=57 ttl=63 time=0.395 ms64 bytes from 107.1.1.1: icmp_seq=58 ttl=63 time=0.488 ms64 bytes from 107.1.1.1: icmp_seq=59 ttl=63 time=0.513 ms64 bytes from 107.1.1.1: icmp_seq=60 ttl=63 time=0.435 ms^C--- 107.1.1.1 Ping statistics ---60 packets transmitted,39 received,35% packet loss,time 59008msrtt min/avg/max/mdev = 0.259/0.385/0.533/0.067 ms解决方法@H_404_14@ 我认为问题是因为conntrack中的连接数超过 – 然后在旧的过期之前无法建立新的连接.可能你可以在dmesg中看到类似的东西:
[1824447.285257] nf_conntrack: table full,dropPing packet.[1824447.522502] nf_conntrack: table full,dropPing packet.
你可以看到当前最大的conntrack:
undefine@uml:~$sudo sysctl net.nf_conntrack_maxnet.nf_conntrack_max = 65536
和当前的conntrack计数:
undefine@uml:~$sysctl net.netfilter.nf_conntrack_countnet.netfilter.nf_conntrack_count = 157
您可以使用conntrack -L(来自conntrack包的工具)显示Currenct连接.看看那里并检查它们的类型是有用的 – 有些可能是不必要的.
你有三个可能性:
>不要使用conntrack(简单 – 不要使用nat表并卸载nf_conntrack模块
>为outgoint连接禁用conntrack(在原始表中使用-j NOTRACK用于有问题的连接
>增加连接数:
undefine @ uml:〜$sudo sysctl net.nf_conntrack_max = 512000net.nf_conntrack_max = 512000或者将net.nf_conntrack_max = 512000放入/etc/sysctl.conf,然后调用sysctl -w重新加载它.
总结以上是内存溢出为你收集整理的linux – ping:sendmsg:不允许 *** 作(有时)全部内容,希望文章能够帮你解决linux – ping:sendmsg:不允许 *** 作(有时)所遇到的程序开发问题。
如果觉得内存溢出网站内容还不错,欢迎将内存溢出网站推荐给程序员好友。
欢迎分享,转载请注明来源:内存溢出
评论列表(0条)