
I'm running CentOS 5.3 and want to disable the nf_conntrack module to improve network performance for haproxy. I'm running iptables with some simple rules. I don't really need the connection tracking.

I'm running on Rackspace cloud servers, so I can't run a custom kernel. I've tried running modprobe, but that doesn't work.

[mmarano@w1 w1]$ sudo modprobe -n -r nf_conntrack
FATAL: Module nf_conntrack is in use.

[mmarano@w1 w1]$ uname -a
Linux w1.somewhere.com 2.6.24-23-xen #1 SMP Mon Jan 26 03:09:12 UTC 2009 x86_64 x86_64 x86_64 GNU/Linux
[mmarano@w1 w1]$ cat /etc/redhat-release 
CentOS release 5.3 (Final)

I want to continue to run iptables after ripping this out, so I can't quite ditch all of netfilters. Anyone have any thoughts?

user22277

4 Answers

  1. Remove any reference to the state module in iptables, so no rules like

    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    The state module requires the nf_conntrack (ip_conntrack) module.

  2. Remove the following line (if it exists) in /etc/sysconfig/iptables-config

    IPTABLES_MODULES="ip_conntrack_netbios_ns"

    That module requires ip_conntrack, which we are trying to ditch.

  3. Reload iptables without your state rules.

    sudo iptables -F

    # add your real rules

  4. Drop the modules. I had to use:

    sudo modprobe -r xt_NOTRACK nf_conntrack_netbios_ns nf_conntrack_ipv4 xt_state

    sudo modprobe -r nf_conntrack

  5. Confirm you don't have a reference to /proc/net/nf_conntrack.

user22277

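Steps 1 to 5 above come down to finding what still holds a reference to nf_conntrack and dropping those references in the right order. The script below is an added example, not part of the answer: it reads `lsmod` output, derives the unload order from the "Used by" column, and flags modules whose refcount is higher than the number of named module users, which is what iptables rules using a match or target (step 1) or an open handle on /proc/net/nf_conntrack (step 5) look like in lsmod. The embedded lsmod output is a constructed sample; module names and counts are illustrative, and on a real host you would set `LSMOD=$(lsmod)` instead.

```shell
#!/bin/sh
# Added example (not from the original post): plan the modprobe -r sequence
# for nf_conntrack from `lsmod` output.
#
# LSMOD is constructed sample output for this example; names and refcounts
# are illustrative. On a real host replace it with: LSMOD=$(lsmod)
LSMOD='Module                  Size  Used by
xt_NOTRACK              2176  0
nf_conntrack_netbios_ns 3328  0
nf_conntrack_ipv4      14400  0
xt_state                2624  2
nf_conntrack           66920  5 xt_NOTRACK,nf_conntrack_netbios_ns,nf_conntrack_ipv4,xt_state
iptable_filter          2688  1
iptable_raw             2688  0
ip_tables              16032  2 iptable_filter,iptable_raw
x_tables               18560  5 xt_NOTRACK,xt_state,iptable_filter,iptable_raw,ip_tables'

# Modules named in the "Used by" column for $1, one per line.
dependents() {
    printf '%s\n' "$LSMOD" |
        awk -v m="$1" '$1 == m && NF >= 4 { gsub(",", "\n", $4); print $4 }'
}

# Refcount of $1 (third lsmod column); empty if $1 is not loaded.
refcount() {
    printf '%s\n' "$LSMOD" | awk -v m="$1" '$1 == m { print $3 }'
}

# References to $1 that are not other modules. lsmod only names module
# users, so refcount minus named users is what iptables rules using the
# match/target (xt_state, xt_NOTRACK) or an open /proc/net/nf_conntrack add.
nonmodule_refs() {
    n=$(refcount "$1")
    if [ -z "$n" ]; then echo 0; return; fi
    d=$(dependents "$1" | awk 'END { print NR }')
    echo $((n - d))
}

# Post-order walk of the "Used by" graph: every dependent first, then $1.
_unload_walk() {
    for dep in $(dependents "$1"); do
        _unload_walk "$dep"
    done
    printf '%s\n' "$1"
}

# Unload order for $1 as one space-separated line, each module once, in an
# order `modprobe -r` will accept.
unload_order() {
    _unload_walk "$1" | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Modules in that chain that still have non-module references, one per line.
# These are the ones that answer "FATAL: Module ... is in use" until the
# rules are flushed or the handle is closed.
blocked_modules() {
    for m in $(unload_order "$1"); do
        [ "$(nonmodule_refs "$m")" -gt 0 ] && printf '%s\n' "$m"
    done
    return 0
}

# Demo against the constructed sample.
echo "unload order: $(unload_order nf_conntrack)"
for m in $(blocked_modules nf_conntrack); do
    echo "$m: $(nonmodule_refs "$m") non-module reference(s), clear before unloading"
done
```

For the sample, the derived order is the same sequence step 4 uses, and the two flagged modules map onto steps 1 and 5 of the answer: xt_state is pinned by the two state rules still loaded, nf_conntrack by one reference that no module accounts for, such as a shell left sitting on /proc/net/nf_conntrack.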
  • What about adding the module to /etc/modprobe.d/blacklist.conf?

  • Have you tried:

    rmmod -f modulename
    

    Although:

           -f --force
              This  option can be extremely dangerous: it has no effect unless
              CONFIG_MODULE_FORCE_UNLOAD was set when the kernel was compiled.
              With  this  option, you can remove modules which are being used,
              or which are not designed to be removed, or have been marked  as
              unsafe (see lsmod(8)).
    
Dennis Williamson


If you are running HAProxy, you need two types of rules in iptables to disable conntrack on port 80: ones for the connections from the clients to your balancer and others from your balancer to the backends.

Here is a valid example:

# client -> balancer: requests arriving on the balancer's port 80
iptables -t raw -I PREROUTING -p tcp --dport 80 -j NOTRACK
# backend -> balancer: replies coming back from the backends' port 80
iptables -t raw -I PREROUTING -p tcp --sport 80 -j NOTRACK
# balancer -> backend: requests the balancer opens to the backends' port 80
iptables -t raw -I OUTPUT -p tcp --dport 80 -j NOTRACK
# balancer -> client: replies leaving the balancer's port 80
iptables -t raw -I OUTPUT -p tcp --sport 80 -j NOTRACK
Greg Dubicki


When I do "modprobe -rf xt_state" and "modprobe -rf nf_conntrack_ipv6" it says "FATAL: Module xt_state is in use." (on CentOS).

"modused" may be useful; it can decrease the usage count of any module: http://www2.informatik.uni-freiburg.de/~danlee/fun/modused/

The key is: service ip6tables stop

and add nf_conntrack, xt_state, iptable_nat, nf_nat, nf_conntrack_ipv4, nf_conntrack_ipv6 to /etc/modprobe.d/blacklist.conf

diyism