[pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Oct 22 11:14:11 CEST 2019
for nf_conntrack_max the kernel uses by default the value:
(nf_conntrack_buckets value * 4) and nf_conntrack_buckets
is set to 2^16 for machines with more than 4GB memory, so the
resulting default would be 2^18 == 262144.
As PVE hosts are expected to have more than such a, nowadays rather
small, amount of memory, update the default to match the one which
would be normally used anyway.
[0]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
src/PVE/Firewall.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1319bfb..aa637c2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1262,6 +1262,7 @@ our $host_option_properties = {
description => "Maximum number of tracked connections.",
type => 'integer',
optional => 1,
+ default => 262144,
minimum => 32768,
},
nf_conntrack_tcp_timeout_established => {
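Review bot: the new `default => 262144` in the schema only matches the kernel's own default on hosts with more than 4GB of memory (per the commit message, nf_conntrack_buckets is 2^16 only above that threshold), so the description "Maximum number of tracked connections." should say where the default comes from and that smaller hosts will now get a larger table than the kernel would pick on its own. The same number is also hardcoded again in update_nf_conntrack_max; consider referring to the schema default from there so the two cannot drift apart.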
@@ -4218,7 +4219,7 @@ sub apply_ruleset {
sub update_nf_conntrack_max {
my ($hostfw_conf) = @_;
- my $max = 65536; # reasonable default
+ my $max = 262144; # reasonable default (2^16 * 4), see nf_conntrack-sysctl docs
my $options = $hostfw_conf->{options} || {};
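Review bot: `my $max = 262144;` duplicates the value just added as `default => 262144` in $host_option_properties; read it from `$host_option_properties->{nf_conntrack_max}->{default}` instead so a future bump only has to be made once. The comment "(2^16 * 4)" is also slightly misleading: 262144 is 2^18, i.e. the kernel's `nf_conntrack_buckets * 4` for the 2^16 bucket case, and that derivation only holds for hosts above 4GB, which is worth stating next to the constant since the function applies it unconditionally.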
--
2.20.1