
In /proc I have two entries for nf_conntrack_max:

/proc/sys/net/netfilter/nf_conntrack_max
/proc/sys/net/nf_conntrack_max

They seem to point to the same value, as changing one also changes the other. With both of these set in /etc/sysctl.conf:

net.netfilter.nf_conntrack_max=65528
net.ipv4.netfilter.ip_conntrack_max=65535

The value remains 32764 after a reboot, so the changes are not working. Has anyone run into this before? My guess would be that these values are applied before the relevant modules are loaded, but I was hoping maybe someone already knows the solution.

Kyle Brandt

4 Answers


It's because /proc/sys/net/nf_conntrack_max relies on the module nf_conntrack, but this module will not be loaded by default when the system starts.

but if you run

iptables -t nat -L

or

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

this module will load automatically and be set to the maximum number that your system supports (the max number is 65536 if your RAM is > 4G, but it varies between systems). You can set it to a bigger number (like 6553600) in /etc/sysctl.conf.

Solution:

add one line at the end of the file /etc/modules:

nf_conntrack

This module will then be loaded at system start, before sysctl is executed.

Ethan Xu

Because it should be:

net.netfilter.nf_conntrack_max = 65535

And now you can set this without restarting with: sysctl -p /etc/sysctl.conf


I don't use Ubuntu, but thinking about this in my CentOS frame of mind, I came up with the same hypothesis that you did: the sysctls are being applied too early. Some searching revealed that this has been a filed bug since 2006.

It looks like putting another symlink in at priority > S40 to run the procps init script again would probably do what you need. Per the bug summary, it looks like some re-architecting of the Ubuntu sysctl methodology is in order (and, amusingly, the bug was assigned to somebody who didn't know it was assigned and can't help with it).

Paul Gear
Evan Anderson

The reply by Ethan Xu is one solution, but if you don't want to load nf_conntrack at boot, you can set nf_conntrack_max later, upon module load, as documented by sysctl and already proposed in a systemd issue:

# /etc/udev/rules.d/24-nf_conntrack_max.rules
ACTION=="add", SUBSYSTEM=="module", KERNEL=="nf_conntrack", \
  RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/netfilter/nf_conntrack_max"

# /etc/sysctl.d/24-nf_conntrack_max.conf
net.netfilter.nf_conntrack_max=6553600
azrdev
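As an added example (not part of any of the answers above), here is a small POSIX shell script that checks whether the fix from Ethan Xu's answer or from the udev/sysctl.d approach actually took effect. It reports whether nf_conntrack is loaded (the /proc/sys/net/netfilter/ entries only exist while it is), reads the value you configured from /etc/sysctl.conf and /etc/sysctl.d/*.conf in the order sysctl --system applies them (later files win), and compares it with the live kernel value. All file paths are function parameters so the logic can be exercised against constructed files; the `--live` flag and the hypothetical /proc/modules line quoted in the comments are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example: verify that a configured net.netfilter.nf_conntrack_max really
# reached the kernel, i.e. that sysctl did not run before nf_conntrack was loaded.
# Assumes sysctl.conf(5) syntax: "key = value" or "key=value", '#' or ';' comments.

KEY="net.netfilter.nf_conntrack_max"

# Is nf_conntrack loaded? $1 is a /proc/modules-style file whose first column
# is the module name (e.g. "nf_conntrack 139264 2 nf_nat, Live 0x0" - constructed).
conntrack_loaded() {
    modules_file="${1:-/proc/modules}"
    [ -r "$modules_file" ] || return 1
    awk -v m="nf_conntrack" '$1 == m { found = 1 } END { exit !found }' "$modules_file"
}

# Last value assigned to $1 across the config files given after it, in order.
# Later files override earlier ones, mirroring how sysctl --system applies them.
configured_value() {
    key="$1"; shift
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        # strip comments, split on '=', trim both sides, remember the last match
        v=$(sed -e 's/[#;].*$//' "$f" \
            | awk -F= -v k="$key" '{
                  gsub(/^[ \t]+|[ \t]+$/, "", $1);
                  if ($1 == k) { gsub(/^[ \t]+|[ \t]+$/, "", $2); last = $2 }
              } END { print last }')
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# Live kernel value. Empty when the file is absent, which is exactly the
# situation while nf_conntrack is not in memory.
live_value() {
    proc_file="${1:-/proc/sys/net/netfilter/nf_conntrack_max}"
    if [ -r "$proc_file" ]; then
        cat "$proc_file"
    fi
}

# Compare configured vs live. $1 = modules file, $2 = proc file, rest = config files.
# Returns 0 = applied, 1 = mismatch (sysctl ran too early), 2 = module not loaded.
check_conntrack_max() {
    modules_file="$1"; proc_file="$2"; shift 2
    if ! conntrack_loaded "$modules_file"; then
        echo "nf_conntrack is not loaded: nf_conntrack_max does not exist in /proc yet"
        return 2
    fi
    want=$(configured_value "$KEY" "$@")
    have=$(live_value "$proc_file")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "ok: $KEY=$have matches the configuration"
        return 0
    fi
    echo "MISMATCH: configured '$want' but the kernel has '$have' (sysctl probably ran before the module loaded)"
    return 1
}

# Run against the real system with: sh check_conntrack.sh --live
# Same file order as sysctl --system, minus the /usr/lib and /run directories.
case "${1:-}" in
    --live)
        check_conntrack_max /proc/modules /proc/sys/net/netfilter/nf_conntrack_max \
            /etc/sysctl.d/*.conf /etc/sysctl.conf
        ;;
esac
```

Run it once before and once after adding nf_conntrack to /etc/modules (or installing the udev rule); the exit code moves from 2 or 1 to 0 when the ordering problem is fixed, which makes it usable from a config-management post-check as well as by hand.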