From b2ec31cc3d2990a9c0dd447e73506287fd120d09 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Tue, 22 Oct 2019 11:08:18 +0200
Subject: [PATCH] increase default nf_conntrack_max to kernel default

for nf_conntrack_max the kernel uses by default the value: (nf_conntrack_buckets value * 4) and nf_conntrack_buckets is set to 2^16 for machines with more than 4GB memory, so the resulting default would be 2^18 == 262144.

As PVE hoists are expected to have more than such a, nowadays rather small, amount of memory, update the default to match the one which would be normally used anyway.

[0]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

Signed-off-by: Thomas Lamprecht
---
 src/PVE/Firewall.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1319bfb..aa637c2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1262,6 +1262,7 @@ our $host_option_properties = {
 description => "Maximum number of tracked connections.",
 type => 'integer',
 optional => 1,
+ default => 262144,
 minimum => 32768,
 },
 nf_conntrack_tcp_timeout_established => {
@@ -4218,7 +4219,7 @@ sub apply_ruleset {
 sub update_nf_conntrack_max {
 my ($hostfw_conf) = @_;
- my $max = 65536; # reasonable default
+ my $max = 262144; # reasonable default (2^16 * 4), see nf_conntrack-sysctl docs
 my $options = $hostfw_conf->{options} || {};
-- 
2.39.2
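Review bot: The new `my $max = 262144;` line in update_nf_conntrack_max hard-codes the same value that the first hunk adds as `default => 262144` to the nf_conntrack_max entry of `$host_option_properties`, so the schema default and the applied default can silently drift apart the next time either is touched. Since `$host_option_properties` is an `our` variable in the same file, the sub can read it instead: `my $max = $host_option_properties->{nf_conntrack_max}->{default}; # kernel default (2^16 buckets * 4), see nf_conntrack-sysctl docs`, leaving one source of truth and one place to document the reasoning. Worth keeping in mind when reviewing the value itself: once the table is full the kernel drops new connections, so this default is the operational floor for how much tracked traffic a host tolerates before it starts refusing legitimate flows, while the `minimum => 32768` schema bound still lets an admin configure far below it. The remainder of update_nf_conntrack_max, where the configured option presumably overrides $max and the sysctl is written, lies outside this hunk and is not reviewed here.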