Setting net.netfilter.nf_conntrack_max on Ubuntu 22.04
On one server I manage, the default net.netfilter.nf_conntrack_max value (65536, IIRC) was not sufficient and I wanted to increase it substantially.
The first thing I did was add a new file in /etc/sysctl.d:
# /etc/sysctl.d/91-cdz-nf_conntrack.conf
net.netfilter.nf_conntrack_max=196608
However, this didn’t seem to apply the new setting when I rebooted the server. Per this ServerFault discussion, this is because the settings from /etc/sysctl.d are applied too early, before the nf_conntrack module is loaded (and the net.netfilter.nf_conntrack_max key does not exist until it is).
That discussion also contains a solution: add a udev rule to run the sysctl in question when the module is loaded. So, in addition to my configuration in /etc/sysctl.d, I added a second new file, /etc/udev/rules.d/91-cdz-nf_conntrack.rules:
# /etc/udev/rules.d/91-cdz-nf_conntrack.rules
ACTION=="add", SUBSYSTEM=="module", KERNEL=="nf_conntrack", \
RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/netfilter/nf_conntrack_max"
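To confirm that the two files above actually take effect after a reboot, and to see how close the table is to filling up (when it does, the kernel drops new connections and logs "nf_conntrack: table full, dropping packet", which is the symptom the larger limit is meant to avoid), here is a small POSIX sh check. It is an added example, not part of the original post or of Ubuntu; the function names and the file paths it is pointed at are my own choice, and the paths are parameters so the functions can be run against the real /etc/sysctl.d and /proc/sys files or against constructed copies.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the nf_conntrack_max
# configured in a sysctl.d drop-in is what the running kernel actually uses,
# and report conntrack table usage. All paths are passed in as arguments.

# Print the value a sysctl.d-style file assigns to KEY (dotted form only,
# "key=value" or "key = value"; comments ignored; last assignment wins).
# Prints nothing when the key is absent.
sysctl_conf_value() {
    awk -v key="$2" -F= '
        /^[[:space:]]*[#;]/ || NF < 2 { next }     # skip comments and non-assignments
        {
            k = $1; v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v                  # last assignment wins, as in sysctl
        }
        END { if (val != "") print val }
    ' "$1"
}

# Compare the configured value with the live kernel value.
# Returns 0 when they match, 1 when they differ (the "applied too early"
# symptom), 2 when the live file is missing (module not loaded yet).
conntrack_max_check() {
    conf="$1"; live="$2"
    want=$(sysctl_conf_value "$conf" net.netfilter.nf_conntrack_max)
    if [ ! -r "$live" ]; then
        echo "nf_conntrack_max not present under /proc/sys: nf_conntrack module not loaded?"
        return 2
    fi
    have=$(cat "$live")
    if [ "$want" = "$have" ]; then
        echo "ok: nf_conntrack_max=$have"
        return 0
    fi
    echo "MISMATCH: sysctl.d says $want, kernel has $have (setting applied before module load?)"
    return 1
}

# Percentage of the conntrack table in use, from the count and max files
# (e.g. /proc/sys/net/netfilter/nf_conntrack_count and nf_conntrack_max).
conntrack_usage_pct() {
    count=$(cat "$1"); max=$(cat "$2")
    [ "$max" -gt 0 ] || { echo 0; return; }
    echo $(( count * 100 / max ))
}

# Count "table full" events in a kernel log excerpt (dmesg or journalctl -k output).
conntrack_table_full_events() {
    grep -c 'nf_conntrack: table full, dropping packet' "$1" || true
}

# Stand-alone usage against the live system; skipped when the files are absent.
if [ -r /proc/sys/net/netfilter/nf_conntrack_count ] && [ -r /etc/sysctl.d/91-cdz-nf_conntrack.conf ]; then
    conntrack_max_check /etc/sysctl.d/91-cdz-nf_conntrack.conf /proc/sys/net/netfilter/nf_conntrack_max || :
    echo "conntrack table usage: $(conntrack_usage_pct /proc/sys/net/netfilter/nf_conntrack_count \
        /proc/sys/net/netfilter/nf_conntrack_max)%"
fi
```

Run it once right after a reboot: a return code of 1 from conntrack_max_check reproduces the problem described above (the drop-in parsed fine but the kernel still has the default), and 2 means the module has not been loaded at all yet, so there is nothing for the udev rule to have fired on. The usage percentage is worth putting into whatever monitoring you already have, since a table that sits near 100% is dropping connections whether or not anyone has read dmesg.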
I particularly like that this solution still uses the settings from sysctl.d in “the right way,” doesn’t duplicate any actual settings into /etc/udev/rules.d, and doesn’t otherwise interfere with however the system loads modules.
No idea why Ubuntu doesn’t ship such a rule by default; having a setting that works when you run sysctl -w manually but not when you put it in /etc/sysctl.d is surprising behavior.