# Tuning nf_conntrack

## Contents

- [Overview](#overview)
- [Updating the module loading](#updating-the-module-loading)

## Overview

When the `nf_conntrack` module is loaded, the kernel sizes the maximum number of tracked network connections (`nf_conntrack_max`) dynamically from the amount of RAM in the system. In practice this default has proven too low for a high-traffic server: once the table fills, the kernel drops packets.

## Updating the module loading

The iptables-oriented `nf_conntrack` module may or may not be loaded at boot; if no rule requires it, it is skipped. As soon as a rule that depends on it is added, such as this simple one:

```
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

...the kernel loads the module. In most major Linux distributions there is no mechanism via sysctl to apply a tuning value from `/etc/sysctl.conf` or `/etc/sysctl.d/*.conf` in this scenario: those files are applied at boot, before the module exists, so its sysctl keys are not yet present. The tuning must therefore happen when the module itself is loaded, which can be done through the modprobe subsystem. Create the file `/etc/modprobe.d/nf_conntrack.conf` like so:

```
cat << EOF >> /etc/modprobe.d/nf_conntrack.conf
install nf_conntrack /sbin/modprobe --ignore-install nf_conntrack ; echo 262144 > /proc/sys/net/nf_conntrack_max
EOF
```

The value **262144** is roughly 4 times the default normally seen on a 1-2GB RAM server. It sets an upper limit on the number of hash table entries; it is not a preallocation, and entries are only used as needed.

If the kernel module is already loaded, after creating the above file run `echo 262144 > /proc/sys/net/nf_conntrack_max` manually to apply the new limit immediately.
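As an added example (not part of the original page), a small POSIX shell script that reports how full the conntrack table is and counts the kernel's "table full, dropping packet" messages, the symptom described above. The `/proc/sys/net/netfilter` paths, the warning thresholds and the sample log lines are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example: measure conntrack table headroom and count "table full" drops.
# Paths can be overridden; they are assumptions, not from the original page.
CONNTRACK_MAX_FILE=${CONNTRACK_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}
CONNTRACK_COUNT_FILE=${CONNTRACK_COUNT_FILE:-/proc/sys/net/netfilter/nf_conntrack_count}

# usage_percent COUNT MAX -> integer percentage of the table in use
usage_percent() {
    [ "$2" -gt 0 ] || return 1
    echo $(( $1 * 100 / $2 ))
}

# headroom_status COUNT MAX -> "ok" below 80%, "warn" below 95%, else "critical"
# (thresholds are an assumption; tune them for your traffic profile)
headroom_status() {
    pct=$(usage_percent "$1" "$2") || return 1
    if [ "$pct" -lt 80 ]; then echo ok
    elif [ "$pct" -lt 95 ]; then echo warn
    else echo critical; fi
}

# count_table_full_drops reads kernel log text on stdin and counts the
# messages nf_conntrack emits when the table limit is hit.
count_table_full_drops() {
    grep -c 'table full, dropping packet' || true
}

# Constructed sample of kernel log output, as would be seen via dmesg.
SAMPLE_KLOG='[12345.678901] nf_conntrack: table full, dropping packet
[12345.678950] nf_conntrack: table full, dropping packet
[12350.000000] eth0: link is up'

# report prints the live table usage when the /proc files are readable,
# then the drop count found in the constructed sample.
report() {
    if [ -r "$CONNTRACK_COUNT_FILE" ] && [ -r "$CONNTRACK_MAX_FILE" ]; then
        count=$(cat "$CONNTRACK_COUNT_FILE")
        max=$(cat "$CONNTRACK_MAX_FILE")
        printf 'conntrack: %s/%s in use (%s%%) status=%s\n' \
            "$count" "$max" "$(usage_percent "$count" "$max")" \
            "$(headroom_status "$count" "$max")"
    fi
    drops=$(printf '%s\n' "$SAMPLE_KLOG" | count_table_full_drops)
    printf 'sample log: %s table-full drop messages\n' "$drops"
}

report
```

On a live host, feed `dmesg` or the journal's kernel messages into `count_table_full_drops` instead of the sample; a non-zero count alongside a "critical" status is the signal that `nf_conntrack_max` needs raising.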