default net.netfilter.nf_conntrack_max is too low.

eth

I've noticed that the default net.netfilter.nf_conntrack_max is too low and I was hitting connection problems too often. Dropped connections, connection failures, nasty stuff.

I had to manually increase net.netfilter.nf_conntrack_max to 1000000000 in all my Proxmox nodes.

Perhaps the staff could take this information into consideration?
Connections are cheap now. There is no need to limit them.
Wanted to check the value myself, but sysctl came up empty, the variable does not exist.

Upon further examination, in our recently installed Proxmox 4 cluster, none of the servers have connection tracking enabled in the kernel or a module (or it's not exposed in /proc or sysctl).

There is a conntrack package that can be installed:
https://packages.debian.org/jessie/conntrack

But it shows no connection tracking is happening:
Code:
# conntrack -L
conntrack v1.4.2 (conntrack-tools): 0 flow entries have been shown.

Are you using the Proxmox 4.x firewall?
I'm using the default 4.4-12 install. Under heavy load I started noticing this in the logs:

Mar 17 14:14:01 w13 kernel: [2777496.613245] nf_conntrack: table full, dropping packet

I use the Proxmox firewall only for the "datacenter" (which covers the node I assume), but not on the node or containers.
I had to set the net.netfilter.nf_conntrack_max in the node options to make it persistent:

[Attachment: upload_2017-3-17_19-47-26.png]
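As an added example that is not part of this thread: a POSIX shell script that checks the conntrack table the way the posts above do by hand. It counts "table full, dropping packet" lines in a kernel log excerpt, computes how full the table is from the kernel's own counters under /proc/sys/net/netfilter (absent when the nf_conntrack module is not loaded, which is what the second post observed), and prepares a persistent sysctl.d override. The log excerpt, the fallback counter values and the doubling rule in conntrack_suggest_max are constructed assumptions, not anything the thread or Proxmox prescribes.

```shell
#!/bin/sh
# Added example, not from the thread: audit conntrack table pressure and
# prepare a persistent sysctl override. The /proc paths are the kernel's
# standard ones; the log excerpt and fallback counters are constructed.

CT_COUNT=/proc/sys/net/netfilter/nf_conntrack_count
CT_MAX=/proc/sys/net/netfilter/nf_conntrack_max

# Constructed kernel log excerpt: two drops plus one unrelated line.
SAMPLE_LOG='Mar 17 14:14:01 w13 kernel: [2777496.613245] nf_conntrack: table full, dropping packet
Mar 17 14:14:01 w13 kernel: [2777496.613301] nf_conntrack: table full, dropping packet
Mar 17 14:14:02 w13 kernel: [2777497.000000] eth0: link is up'

# Number of "table full" drops in the log text passed as $1.
conntrack_drop_count() {
    printf '%s\n' "$1" | grep -c 'nf_conntrack: table full, dropping packet' || true
}

# Integer percentage of the table in use: count ($1) over max ($2).
conntrack_utilization() {
    [ "$2" -gt 0 ] || { echo "max must be positive" >&2; return 1; }
    echo $(( $1 * 100 / $2 ))
}

# Succeeds when utilization is below the warning threshold ($3, default 80%).
conntrack_headroom_ok() {
    [ "$(conntrack_utilization "$1" "$2")" -lt "${3:-80}" ]
}

# Heuristic (an assumption, not a kernel rule): size the table to twice the
# observed peak ($1), rounded up to a multiple of 65536, never below the
# current max ($2).
conntrack_suggest_max() {
    want=$(( $1 * 2 ))
    want=$(( (want + 65535) / 65536 * 65536 ))
    if [ "$want" -lt "$2" ]; then echo "$2"; else echo "$want"; fi
}

# Write the override to $2 (default /etc/sysctl.d/99-conntrack.conf) and
# succeed only if the file now carries the requested value.
conntrack_write_sysctl() {
    out=${2:-/etc/sysctl.d/99-conntrack.conf}
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1" > "$out"
    grep -q "^net.netfilter.nf_conntrack_max = $1\$" "$out"
}

# Report only; nothing is written to /etc here. Live counters when the
# module is loaded, constructed near-full values otherwise.
if [ -r "$CT_COUNT" ] && [ -r "$CT_MAX" ]; then
    count=$(cat "$CT_COUNT"); max=$(cat "$CT_MAX")
else
    count=62000; max=65536
fi
drops=$(conntrack_drop_count "$SAMPLE_LOG")
printf 'conntrack: %s/%s entries (%s%%), %s drops in log excerpt\n' \
    "$count" "$max" "$(conntrack_utilization "$count" "$max")" "$drops"
if ! conntrack_headroom_ok "$count" "$max" || [ "$drops" -gt 0 ]; then
    printf 'suggest: net.netfilter.nf_conntrack_max = %s\n' \
        "$(conntrack_suggest_max "$count" "$max")"
fi
```

Run it as-is for the report, then call conntrack_write_sysctl with the chosen value once you have decided on it. One caveat worth knowing: sysctl.d entries are applied early in boot, so if nf_conntrack is only loaded later (for example by the firewall), the key is unknown at that moment and the value is not applied; loading the module at boot (a file under /etc/modules-load.d) or setting the value where the thread's last post did, in the node options, avoids that.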