initial import

md/tuning_nf_conntrack.md

@@ -0,0 +1,36 @@
+# Tuning nf_conntrack
+
+## Contents
+
+  - [Overview](#overview)
+  - [Updating the module loading](#updating-the-module-loading)
+  - [References](#references)
+
+
+## Overview
+
+The kernel parameter for the maximum number of network connections tracked when the _nf\_conntrack_ has been loaded is dynamic based on the amount of RAM in the system; in practice this has shown to be a value too low for a high traffic server and result in dropped packets.
+
+## Updating the module loading
+
+The iptables oriented `nf_conntrack` module may or may not be loaded at boot; if there are no rules requiring it to be loaded, it will be skipped. However as soon as a rule is added which requires it, such as this simple one:
+
+```
+iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+```
+
+...the module will be loaded by the kernel. There is no mechanism or design via sysctl to apply a tuning value in `/etc/sysctl.conf` or `/etc/sysctl.d/*.conf` in this scenario in most major Linux distributions; as such, the process must happen when the module loading itself occurs. This can be accomplished via the modprobe subsystem.
+
+Create the file `/etc/modprobe.d/nf_conntrack.conf` like so:
+
+```
+cat << EOF >> /etc/modprobe.d/nf_conntrack.conf
+install nf_conntrack /sbin/modprobe --ignore-install nf_conntrack ; echo 262144 > /proc/sys/net/nf_conntrack_max
+EOF
+```
+
+The value **262144** is roughly 4 times the default normally seen on a 1-2GB RAM server and is setting an upper limit on the number of hash table entries; it is not a preallocation and only used as needed. If the kernel module is already loaded, after creating the above file run the `echo 262144 > /proc/sys/net/nf_conntrack_max` manually to adjust immediately.
+
+## References
+
+  - <https://major.io/2014/01/07/nf-conntrack-table-full-dropping-packet/>