Persisting nf_conntrack_max Across Reboots

In /proc I have two entries for nf_conntrack_max:

/proc/sys/net/netfilter/nf_conntrack_max
/proc/sys/net/nf_conntrack_max

The seem to point to the same value as changing one also changes the other. With both of these set in /etc/sysctl.conf:

net.netfilter.nf_conntrack_max=65528
net.ipv4.netfilter.ip_conntrack_max=65535

The value remains 32764 after a reboot so the changes are not working. Has anyone run into this before? My guess would be that these values are applied before the modules relevant are loaded but was hoping maybe someone already knows the solution.

Solution 1:

it's because /proc/sys/net/nf_conntrack_max is rely on the module nf_conntrack. but this module will not be loaded by default when system started.

but if you run

iptables -t nat -L

or

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

this module will load automatically and set to the max number that your system support (the max number is 65536 if you ram is > 4G, but it's vary in different system.) you can set it to a bigger number (like 6553600) in /etc/sysctl.conf).

Solution:

add one line at the end of the file /etc/modules:

nf_conntrack

this modules would be loaded on system start before sysctl executed.

Solution 2:

Because it should be:

net.netfilter.nf_conntrack_max = 65535

And now you can set this without restarting with: sysctl -p /etc/sysctl.conf