NF tunning not applied at boot time

stefws

Renowned Member
Jan 29, 2015
302
4
83
Denmark
siimnet.dk
Have this config file on hypervisor/host nodes:

root@n2:~# cat /etc/sysctl.d/netfilter_tune.conf

# tune net filter to track more connections than default
# nf_conntrack_max => also raise hashsize in rc.local
net.netfilter.nf_conntrack_max = 196608
net.netfilter.nf_conntrack_generic_timeout = 300
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 60
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 120

But after boot still find default values and wonder why:

root@n2:~# sysctl -a 2>/dev/null | grep nf_conntrack | grep timeout
net.netfilter.nf_conntrack_frag6_timeout = 60
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
 
possibly a race between loading the module and setting its sysctl values?
 
and howto possible avoid this...

if you are currently loading the conntrack modules implicitly via iptables, load them explicitly at boot (e.g., via /etc/modprobe.d or /etc/modules-load.d) and the sysctl value should be set after loading. you probably have to update your initramfs after adding the modules if you want to load them in the initramfs already.
 
Hm don't seem to be able to find what goes into /etc/modprobe.d/what-ever-name-choosen.conf to make nf_conntrack load early at boot...
manpage seem says: <command> <module_name> [options] only not whether command=install would force a load or just simply specify what command to use when loading is triggered. G isn't helpful either. Any hints are welcome, TIA!
 
Also wondering why below pve.conf requested sysctl settings are different, might it be because we use the pve-firewall and thus needs bridge to call out to host iptables before parse packets to VM guests?

root@n4:~# cat /etc/sysctl.d/pve.conf
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
fs.aio-max-nr = 1048576

root@n4:~# sysctl -a | grep net.bridge.bridge-nf-
net.bridge.bridge-nf-call-arptables = 0
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
...

root@n4:~# pveversion --verbose
proxmox-ve: 4.4-105 (running kernel: 4.4.98-5-pve)
pve-manager: 4.4-22 (running version: 4.4-22/2728f613)
pve-kernel-4.4.98-3-pve: 4.4.98-103
pve-kernel-4.4.98-5-pve: 4.4.98-105
lvm2: 2.02.116-pve3
corosync-pve: 2.4.2-2~pve4+1
libqb0: 1.0.1-1
pve-cluster: 4.0-54
qemu-server: 4.0-115
pve-firmware: 1.1-11
libpve-common-perl: 4.0-96
libpve-access-control: 4.0-23
libpve-storage-perl: 4.0-76
pve-libspice-server1: 0.12.8-2
vncterm: 1.3-2
pve-docs: 4.4-4
pve-qemu-kvm: 2.9.1-6~pve4
pve-container: 1.0-104
pve-firewall: 2.0-33
pve-ha-manager: 1.0-41
ksm-control-daemon: 1.2-1
glusterfs-client: 3.5.2-2+deb8u3
lxc-pve: 2.0.7-4
lxcfs: 2.0.6-pve1
criu: 1.6.0-1
novnc-pve: 0.5-9
smartmontools: 6.5+svn4324-1~pve80
zfsutils: 0.6.5.9-pve15~bpo80
openvswitch-switch: 2.6.0-2
 
Hm don't seem to be able to find what goes into /etc/modprobe.d/what-ever-name-choosen.conf to make nf_conntrack load early at boot...
manpage seem says: <command> <module_name> [options] only not whether command=install would force a load or just simply specify what command to use when loading is triggered. G isn't helpful either. Any hints are welcome, TIA!
Will try adding nf_conntrack to /etc/modules-load.d/modules.conf...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!