Bug 204040 - sys-apps/baselayout-1.12.10-r5 - bootmisc not loading net.ipv4.netfilter.ip_conntrack_max value
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] baselayout (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2008-01-02 11:29 UTC by jergendutch
Modified: 2008-01-02 14:03 UTC (History)
Description jergendutch 2008-01-02 11:29:44 UTC
My sysctl.conf contains net.ipv4.netfilter.ip_conntrack_max = 524288
but bootmisc is either not loading this (unlikely) or there is an ordering problem preventing it from becoming active.
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2008-01-02 12:20:04 UTC
Uh, this is way too much for standard hashsize, won't work. Even if you load the module properly with altered hashsize, this value is so crazy your firewall will become unusably slow way before this limit would be reached. (And note that ~350 bytes per connection of memory (which cannot be swapped) is required per connection).

http://www.wallfire.org/misc/netfilter_conntrack_perf.txt
Comment 2 jergendutch 2008-01-02 13:13:39 UTC
(524288 * 350 is a ~180 meg hash - can it really not deal with that?)

The problem still exists though - net.ipv4.netfilter.ip_conntrack_max settings in sysctl.conf are being ignored.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2008-01-02 13:35:17 UTC
(In reply to comment #2)
> (524288 * 350 is a ~180 meg hash - can it really not deal with that?)

You don't understand, you need to *set* an appropriate hashsize if you want such a huge number of connections tracked, it won't work w/ the default value. The default is 8192 for boxes w/ 1GB+ of RAM (and CONNTRACK_MAX is 8x the default max hashsize).

echo $HASHSIZE > /sys/module/nf_conntrack/parameters/hashsize (w/ 2.6.20+ kernels).

Read the above-referred link for more details.
Comment 4 SpanKY gentoo-dev 2008-01-02 13:49:51 UTC
regardless, it isn't a userspace issue as sysctl does its things by writing the values into the kernel

if the value isn't getting set or "sticking", then the problem is elsewhere

there is no ordering problem as nothing else from Gentoo will write to sysctl
Comment 5 jergendutch 2008-01-02 13:51:30 UTC
So the problem is not that the sysctl value is being rejected because the netfilter module is not loaded? Okay good. Thanks.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2008-01-02 14:03:56 UTC
For the original poster, check if the conntrack module is loaded when the sysctl runs. I bet it's not. Other than that, I'd like to strongly discourage you from it. You really don't want to be using conntrack for high performance systems. Just loading the module massively eats into performance and leads to lots of packet loss, this is from experience, running a site with >75K PPS of TCP traffic.

If you're using it for IPVS-NAT, I strongly suggest moving to IPVS-DR instead, yes you'll need an extra machine to implement it, but it will work a lot better.
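Added example (my own script, not code from this bug or from baselayout) tying together the two points raised in comment 3 and comment 6: the sysctl is only meaningful once nf_conntrack is loaded, and conntrack_max should be paired with a hashsize at the 8:1 ratio stated in comment 3. The sysfs directory and the setter command are parameters so the logic can be exercised against a constructed directory; on a real box they would be /sys/module/nf_conntrack/parameters and "sysctl -w".

```shell
#!/bin/sh
# Apply net.ipv4.netfilter.ip_conntrack_max only after confirming the
# conntrack module is present, and set the matching hashsize first.

# True when the module's parameter directory exists.
# $1 = sysfs params dir (real value: /sys/module/nf_conntrack/parameters)
conntrack_loaded() {
    [ -d "$1" ] && [ -f "$1/hashsize" ]
}

# hashsize to pair with a given conntrack_max (8:1 ratio, per comment 3).
hashsize_for_max() {
    echo $(( $1 / 8 ))
}

# $1 = desired conntrack_max
# $2 = sysfs params dir (see above)
# $3 = command that sets the sysctl; defaults to "sysctl -w", a test may
#      pass "echo" to observe what would be written instead of writing it.
apply_conntrack_max() {
    want=$1
    params=$2
    setter=${3:-"sysctl -w"}
    if ! conntrack_loaded "$params"; then
        # Writing the sysctl now would fail or be lost: this is the
        # ordering problem comment 6 suggests checking for.
        echo "nf_conntrack is not loaded; load it before applying sysctl" >&2
        return 1
    fi
    hs=$(hashsize_for_max "$want")
    echo "$hs" > "$params/hashsize" || return 1
    $setter "net.ipv4.netfilter.ip_conntrack_max=$want"
}
```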