In /proc
I have two entries for nf_conntrack_max:
/proc/sys/net/netfilter/nf_conntrack_max /proc/sys/net/nf_conntrack_max
The seem to point to the same value as changing one also changes the other. With both of these set in /etc/sysctl.conf
:
net.netfilter.nf_conntrack_max=65528 net.ipv4.netfilter.ip_conntrack_max=65535
The value remains 32764 after a reboot so the changes are not working. Has anyone run into this before? My guess would be that these values are applied before the modules relevant are loaded but was hoping maybe someone already knows the solution.
it's because
/proc/sys/net/nf_conntrack_max
is rely on the modulenf_conntrack
. but this module will not be loaded by default when system started.but if you run
or
this module will load automatically and set to the max number that your system support (the max number is 65536 if you ram is > 4G, but it's vary in different system.) you can set it to a bigger number (like 6553600) in
/etc/sysctl.conf
).Solution:
add one line at the end of the file
/etc/modules
:this modules would be loaded on system start before
sysctl
executed.Because it should be:
And now you can set this without restarting with: sysctl -p /etc/sysctl.conf
I don't use Ubuntu, but thinking about this in my CentOS frame-of-mind, I came up with the same hypothesis that you did-- the sysctls are being applied too early. Some searching revealed that this has been a filed bug since 2006.
It looks like putting another symlink in at priority > S40 to run the procps init script again would probably do what you need. Per the bug summary, it looks like some re-architecting of the Ubuntu sysctl methodology is in order (and, amusingly, the bug was assigned to somebody who didn't know it was assigned and can't help with it).
The reply by Ethan Xu is one solution, but if you don't want to load nf_conntrack at boot, you can set
nf_conntrack_max
later upon module load, as documented by sysctl and already proposed in a systemd issue: