From: Thomas Lamprecht
Date: Tue, 22 Oct 2019 09:08:18 +0000 (+0200)
Subject: increase default nf_conntrack_max to kernel default
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=b2ec31cc3d2990a9c0dd447e73506287fd120d09;ds=sidebyside

increase default nf_conntrack_max to kernel default

for nf_conntrack_max the kernel uses by default the value: (nf_conntrack_buckets value * 4) and nf_conntrack_buckets is set to 2^16 for machines with more than 4GB memory, so the resulting default would be 2^18 == 262144. As PVE hoists are expected to have more than such a, nowadays rather small, amount of memory, update the default to match the one which would be normally used anyway.

[0]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

Signed-off-by: Thomas Lamprecht
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1319bfb..aa637c2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1262,6 +1262,7 @@ our $host_option_properties = {
 description => "Maximum number of tracked connections.",
 type => 'integer',
 optional => 1,
+ default => 262144,
 minimum => 32768,
 },
 nf_conntrack_tcp_timeout_established => {
@@ -4218,7 +4219,7 @@ sub apply_ruleset {
 sub update_nf_conntrack_max {
 my ($hostfw_conf) = @_;
- my $max = 65536; # reasonable default
+ my $max = 262144; # reasonable default (2^16 * 4), see nf_conntrack-sysctl docs
 my $options = $hostfw_conf->{options} || {};
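Review bot: The new `default => 262144` in the schema repeats the literal that `update_nf_conntrack_max` assigns in the second hunk, so the documented default and the applied default can now drift independently; hoist it into one shared constant, e.g. `my $NF_CONNTRACK_MAX_DEFAULT = 262144;` at file level, and use `default => $NF_CONNTRACK_MAX_DEFAULT,` here and `my $max = $NF_CONNTRACK_MAX_DEFAULT;` in the sub. The commit message itself ties the 2^16 bucket count to hosts with more than 4GB of memory, so on smaller hosts this value is presumably above what the kernel would pick on its own and permits more tracked entries (and longer hash chains) than the kernel's sizing intended; a short addition to the property description, such as `"Maximum number of tracked connections. The default matches the kernel default for hosts with more than 4GB of memory."`, would make that trade-off visible to operators who tune it. The body of update_nf_conntrack_max continues outside the second hunk.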