Persisting nf_conntrack_max Across Reboots
Solution 1:
It's because /proc/sys/net/nf_conntrack_max relies on the module nf_conntrack, but this module is not loaded by default when the system starts. But if you run
iptables -t nat -L
or
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
this module will load automatically and be set to the max number that your system supports (the max number is 65536 if your RAM is > 4G, but it varies between systems). You can set it to a bigger number (like 6553600) in /etc/sysctl.conf.
Solution:
Add one line at the end of the file /etc/modules:
nf_conntrack
This module will then be loaded on system start before sysctl is executed.
Solution 2:
Because it should be:
net.netfilter.nf_conntrack_max = 65535
And now you can set this without restarting with: sysctl -p /etc/sysctl.conf
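As an added example (not code from any of the answers above), a small POSIX sh helper that applies the fix from Solution 1 idempotently and checks the value Solution 2 sets against the running kernel; file paths are parameters so it can be tried on copies before touching /etc.

```shell
#!/bin/sh
# Added helper: ensure nf_conntrack is listed in the modules file so it loads
# before sysctl runs, and check that the sysctl.conf value matches the kernel.
# Paths are parameters so the functions can be exercised on copies first.

# Append MODULE to FILE unless an uncommented line already names it.
ensure_module_line() {
    file=$1
    module=$2
    if grep -Eq "^[[:space:]]*${module}[[:space:]]*$" "$file" 2>/dev/null; then
        return 0        # already present: do not add a duplicate
    fi
    printf '%s\n' "$module" >> "$file"
}

# Print the nf_conntrack_max value a sysctl.conf-style FILE would apply.
# Both key spellings name the same kernel parameter; sysctl -p applies lines
# in order, so the last assignment wins. Comment lines start with # or ;.
configured_conntrack_max() {
    awk -F= '
        /^[ \t]*[#;]/ || NF < 2 { next }
        { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
        key == "net.netfilter.nf_conntrack_max" || key == "net.nf_conntrack_max" { last = val }
        END { if (last != "") print last }
    ' "$1"
}

# Compare the configured value with the running kernel (Linux only).
# Prints OK, MISMATCH, UNSET or MODULE-NOT-LOADED; exit status 0 only for OK.
check_live() {
    want=$(configured_conntrack_max "$1")
    [ -n "$want" ] || { echo UNSET; return 1; }
    live=/proc/sys/net/netfilter/nf_conntrack_max
    [ -r "$live" ] || { echo MODULE-NOT-LOADED; return 1; }
    have=$(cat "$live")
    if [ "$have" = "$want" ]; then
        echo OK
    else
        echo "MISMATCH (want $want, have $have)"
        return 1
    fi
}

# Typical use on the real files (needs root for /etc/modules):
#   ensure_module_line /etc/modules nf_conntrack
#   check_live /etc/sysctl.conf
```

MODULE-NOT-LOADED after a reboot means the modules-file step did not take effect; MISMATCH means the value was applied before the module appeared, which is the ordering problem the answers describe.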
Solution 3:
I don't use Ubuntu, but thinking about this in my CentOS frame-of-mind, I came up with the same hypothesis that you did: the sysctls are being applied too early. Some searching revealed that this has been a filed bug since 2006.
It looks like putting another symlink in at priority > S40 to run the procps init script again would probably do what you need. Per the bug summary, it looks like some re-architecting of the Ubuntu sysctl methodology is in order (and, amusingly, the bug was assigned to somebody who didn't know it was assigned and can't help with it).