Increasing ip_conntrack_max safely?

Solution 1:

First, ask yourself a question: does your setup require connection tracking? If it is just a server and firewalling/NAT is done somewhere else, then you can probably disable conntrack altogether.

Second, check if your conntrack entries make sense. Sometimes conntrack tables are filled with rubbish because of some network or firewall misconfiguration. Usually those are entries for connections which were never fully established. That may happen e.g. when the server gets incoming connection SYN packets, but the server replies are always lost somewhere on the network.

The only machines on which I had 'ip_conntrack: table full' messages and which needed an ip_conntrack_max increase (instead of fixing the configuration) were routers doing NAT for quite big networks (thousands of endpoints).

If you know you need conntrack and it really needs to be bigger than it is, then increase the number until you get no more 'table full' messages. And watch the memory usage.

Some statistics about memory allocation for conntrack objects can be found in the /proc/slabinfo file.
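As an added example (not code from either answer), the following shell script does the checks Solution 1 describes: compare the current number of conntrack entries with the limit, estimate the memory held by conntrack objects from /proc/slabinfo, and count 'table full' kernel log lines. It reads the live nf_conntrack sysctl paths and /proc/slabinfo when they are readable; the slabinfo and dmesg lines embedded in it are constructed sample data used as a fallback so the script also runs on a machine without conntrack loaded.

```sh
#!/bin/sh
# Added example (not from the answers above): check how full the conntrack
# table is, how much slab memory its objects occupy, and whether the kernel
# has logged 'table full'. Live paths are the nf_conntrack sysctls of current
# kernels; the slabinfo and log lines below are constructed sample data.

# Utilization in whole percent from a current entry count and the configured
# maximum; a zero maximum yields 0 rather than a division error.
conntrack_pct() {
    c=$1
    m=$2
    if [ "$m" -eq 0 ]; then
        echo 0
    else
        echo $(( c * 100 / m ))
    fi
}

# Read /proc/slabinfo on stdin and print the bytes held by conntrack objects:
# num_objs * objsize (columns 3 and 4). Matches the nf_conntrack cache on
# current kernels and ip_conntrack on old ones; prints nothing if absent.
conntrack_slab_bytes() {
    awk '$1 == "nf_conntrack" || $1 == "ip_conntrack" { print $3 * $4; exit }'
}

# Count kernel log lines on stdin reporting a full conntrack table
# (grep -c exits 1 on zero matches, so force success to keep the count).
table_full_count() {
    grep -c 'conntrack: table full' || true
}

# Constructed sample input standing in for /proc/slabinfo and dmesg output.
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
nf_conntrack        6200   8192    320   12    1 : tunables    0    0    0 : slabdata    683    683      0
dentry             40000  40000    192   21    1 : tunables    0    0    0 : slabdata   1905   1905      0'

SAMPLE_DMESG='[12345.678] nf_conntrack: table full, dropping packet
[12345.680] nf_conntrack: table full, dropping packet
[12346.001] eth0: link up'

# Use live values when readable, otherwise the constructed ones.
COUNT_FILE=/proc/sys/net/netfilter/nf_conntrack_count
MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
if [ -r "$COUNT_FILE" ] && [ -r "$MAX_FILE" ]; then
    count=$(cat "$COUNT_FILE")
    max=$(cat "$MAX_FILE")
else
    count=6200
    max=8192
fi
if [ -r /proc/slabinfo ]; then
    slab_bytes=$(conntrack_slab_bytes < /proc/slabinfo)
else
    slab_bytes=$(printf '%s\n' "$SAMPLE_SLABINFO" | conntrack_slab_bytes)
fi

echo "conntrack entries: $count / $max ($(conntrack_pct "$count" "$max")%)"
echo "conntrack slab memory: ${slab_bytes:-unknown} bytes"
echo "'table full' log lines (sample): $(printf '%s\n' "$SAMPLE_DMESG" | table_full_count)"
```

Reading /proc/slabinfo needs root on most distributions, which is why the script falls back to the sample rather than failing; on a real box, pipe `dmesg` into `table_full_count` to replace the sample log lines. A steadily rising entry count with a high share of unreplied entries in /proc/net/nf_conntrack is the misconfiguration symptom Solution 1 describes, and raising the limit does not fix it.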

Solution 2:

The path with "netfilter" is the old way of referring to the same setting. You can edit either file.

# cat /proc/sys/net/ipv4/ip_conntrack_max  
655360
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
655360
# echo 655361  > /proc/sys/net/ipv4/ip_conntrack_max
# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
655361