[pve-devel] applied: [PATCH firewall] increase default nf_conntrack_max to kernel default

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Jul 8 09:51:08 CEST 2021

Hello Julien,

On 08.07.21 09:36, wb wrote:
> Hello Thomas,
> Currently with Proxmox, I have a Kubernetes node running on LXC. However, I have encountered an issue on the Container Network Interface (CNI) side and in order for it to work, the parameter /proc/sys/net/netfilter/nf_conntrack_max must be raised.
> You know that the container settings are managed by the hypervisor. However, something prevents going above 262144. By searching a bit in your code, I found the limitation in Firewall.pm. I raised this value and the CNI works again.
> The last change was in this commit that you made.
> https://lists.proxmox.com/pipermail/pve-devel/2019-October/039748.html
> Is it possible to take into consideration the increase of this parameter in your code?

FYI, you can already override that setting in the node firewall options in the web-interface;
if set manually, that value will always be preferred, at least as long as the value is bigger than
the default of 262144.
