Tuning the nf_conntrack_max setting

From trapsink.com


Overview

The kernel parameter for the maximum number of network connections tracked once the nf_conntrack module has been loaded is computed dynamically from the amount of RAM in the system; in practice this has proven too low for a high-traffic server and results in dropped packets.

Updating the module loading

The iptables-oriented nf_conntrack module may or may not be loaded at boot; if no rules require it, it is skipped. However, as soon as a rule is added that requires it, such as this simple one:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

...the module will be loaded by the kernel. In most major Linux distributions there is no sysctl mechanism to apply a tuning value from /etc/sysctl.conf or /etc/sysctl.d/*.conf in this scenario: those files are processed at boot, before the module is loaded, so the net.nf_conntrack_max key does not yet exist. The setting must therefore be applied at the moment the module itself is loaded, which can be done through the modprobe subsystem.

Create the file /etc/modprobe.d/nf_conntrack.conf like so:

# Write (not append) the modprobe install hook, so re-running this does not duplicate the line
cat << EOF > /etc/modprobe.d/nf_conntrack.conf
install nf_conntrack /sbin/modprobe --ignore-install nf_conntrack ; echo 262144 > /proc/sys/net/nf_conntrack_max
EOF

The value 262144 is roughly 4 times the default normally seen on a 1-2 GB RAM server and sets an upper limit on the number of conntrack hash table entries; it is not a preallocation, and memory is only consumed as entries are created. If the kernel module is already loaded, run "echo 262144 > /proc/sys/net/nf_conntrack_max" manually after creating the above file to apply the change immediately.
