# Tuning nf_conntrack
## Contents

- [Overview](#overview)
- [Updating the module loading](#updating-the-module-loading)
- [References](#references)

## Overview
The kernel parameter for the maximum number of network connections tracked (`nf_conntrack_max`), which takes effect once the _nf\_conntrack_ module has been loaded, is sized dynamically from the amount of RAM in the system; in practice this value has proven too low for a high-traffic server and results in dropped packets.

## Updating the module loading
The iptables-oriented `nf_conntrack` module may or may not be loaded at boot: if no rule requires it, loading is skipped. However, as soon as a rule is added which requires it, such as this simple one:

```
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
```

...the module will be loaded by the kernel. In most major Linux distributions there is no mechanism or design via sysctl to apply a tuning value from `/etc/sysctl.conf` or `/etc/sysctl.d/*.conf` in this scenario, because those files are processed at boot, before the module and its sysctl entry exist; as such, the tuning must happen at the moment the module itself is loaded. This can be accomplished via the modprobe subsystem.

Create the file `/etc/modprobe.d/nf_conntrack.conf` like so:
```
# Append an install hook so the limit is re-applied every time the module loads
cat << EOF >> /etc/modprobe.d/nf_conntrack.conf
install nf_conntrack /sbin/modprobe --ignore-install nf_conntrack ; echo 262144 > /proc/sys/net/nf_conntrack_max
EOF
```

The value **262144** is roughly 4 times the default normally seen on a server with 1-2 GB of RAM and sets an upper limit on the number of hash table entries; it is not a preallocation, and memory is only consumed as entries are needed. If the kernel module is already loaded, run `echo 262144 > /proc/sys/net/nf_conntrack_max` manually after creating the file above so the new limit takes effect immediately.
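
To confirm that the hook above took effect, and to watch how close the table is to its limit (the condition behind the "table full, dropping packet" message), here is an added check script that is not part of the original page. It assumes the live count is exposed at `/proc/sys/net/netfilter/nf_conntrack_count`, and the 80% warning threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original page: verify the modprobe install hook
# set nf_conntrack_max and report how full the conntrack table is.
# Assumptions: the two /proc paths below exist once nf_conntrack is loaded;
# EXPECTED_MAX mirrors the 262144 written by the install hook.

EXPECTED_MAX=262144
MAX_FILE=/proc/sys/net/nf_conntrack_max
COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count

# Integer percentage of the table in use. Pure function, so it can be
# exercised without a live kernel; max=0 means the module is not loaded.
conntrack_usage_pct() {
    max=$1; count=$2
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Classify a (max, count) pair:
#   MISSING - sysctl absent (module not loaded, so nothing to tune yet)
#   LOW     - max is still below what the install hook should have set
#   WARN    - usage at or above the threshold (default 80%)
#   OK      - hook applied and usage is healthy
conntrack_status() {
    max=$1; count=$2; threshold=${3:-80}
    if [ -z "$max" ] || [ "$max" -le 0 ]; then
        echo MISSING; return
    fi
    if [ "$max" -lt "$EXPECTED_MAX" ]; then
        echo LOW; return
    fi
    if [ "$(conntrack_usage_pct "$max" "$count")" -ge "$threshold" ]; then
        echo WARN; return
    fi
    echo OK
}

# Read the live values, tolerating a host where the module is not loaded.
conntrack_report() {
    max=$(cat "$MAX_FILE" 2>/dev/null || echo 0)
    count=$(cat "$COUNT_FILE" 2>/dev/null || echo 0)
    printf '%s max=%s count=%s usage=%s%%\n' \
        "$(conntrack_status "$max" "$count")" "$max" "$count" \
        "$(conntrack_usage_pct "$max" "$count")"
}

conntrack_report
```

A `LOW` result after a reboot means the install hook was never run, typically because the module was loaded by another path or the file was not read; `WARN` is the point at which the kernel is about to start dropping packets.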
## References
- <https://major.io/2014/01/07/nf-conntrack-table-full-dropping-packet/>