Echo the following values into /proc:
<br />
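set -e
proc_dir=/proc/sys/net/ipv4/netfilter

#######################################
# Write a conntrack tunable directly through /proc.
# Globals:   proc_dir (read)
# Arguments: $1 - entry name under $proc_dir, $2 - value to write
# Returns:   0 on success; 1 if the entry is missing (conntrack module not
#            loaded) or the write is refused (e.g. not running as root).
# Note: values written here are runtime-only. They do not survive a reboot,
# and the page shows they are also lost when the iptables service is
# restarted, so they must be re-applied afterwards.
#######################################
set_conntrack_value() {
  local path="$proc_dir/$1"
  if [ ! -e "$path" ]; then
    printf 'missing %s (is the ip_conntrack module loaded?)\n' "$path" >&2
    return 1
  fi
  # printf instead of echo: no option parsing of the value, portable newline.
  printf '%s\n' "$2" > "$path"
}

set_conntrack_value ip_conntrack_tcp_timeout_established 345600   # 4 days
set_conntrack_value ip_conntrack_max 300000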
----------------------------------------------------------------------<br />
Set the same values in /etc/sysctl.conf so they are re-applied at boot:
<br />
[root@dj2 ~]# cat /etc/sysctl.conf <br />
# Kernel sysctl configuration file for Red Hat Linux<br />
#<br />
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and<br />
# sysctl.conf(5) for more details.<br />
<br />
# Controls IP packet forwarding<br />
net.ipv4.ip_forward = 0<br />
<br />
# Controls source route verification<br />
net.ipv4.conf.default.rp_filter = 1<br />
<br />
# Do not accept source routing<br />
net.ipv4.conf.default.accept_source_route = 0<br />
<br />
# Controls the System Request debugging functionality of the kernel<br />
kernel.sysrq = 0<br />
<br />
# Controls whether core dumps will append the PID to the core filename<br />
# Useful for debugging multi-threaded applications<br />
kernel.core_uses_pid = 1<br />
<br />
# Controls the use of TCP syncookies<br />
net.ipv4.tcp_syncookies = 1<br />
<br />
# Controls the maximum size of a message, in bytes<br />
kernel.msgmnb = 65536<br />
<br />
# Controls the default maximum size of a message queue
kernel.msgmax = 65536<br />
<br />
# Controls the maximum shared segment size, in bytes<br />
kernel.shmmax = 68719476736<br />
<br />
# Controls the maximum number of shared memory segments, in pages<br />
kernel.shmall = 4294967296<br />
<br />
fs.file-max = 65535<br />
<br />
#4 days<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 345600 <br />
net.ipv4.netfilter.ip_conntrack_max = 300000<br />
<br />
----------------------------------------------------------------<br />
<br />
Then restart the firewall: service iptables restart
<br />
----------------------------------------------------------------<br />
After the restart the conntrack values are back at their kernel defaults:
<br />
[root@dj2 ~]# sysctl -a | grep conntrack<br />
net.ipv4.ip_conntrack_max = 300000<br />
net.ipv4.netfilter.ip_conntrack_tcp_max_retrans = 3<br />
net.ipv4.netfilter.ip_conntrack_tcp_be_liberal = 0<br />
net.ipv4.netfilter.ip_conntrack_tcp_loose = 1<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300<br />
net.ipv4.netfilter.ip_conntrack_log_invalid = 0<br />
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600<br />
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30<br />
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180<br />
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60<br />
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120<br />
net.ipv4.netfilter.ip_conntrack_checksum = 1<br />
net.ipv4.netfilter.ip_conntrack_buckets = 8192<br />
net.ipv4.netfilter.ip_conntrack_count = 53090<br />
net.ipv4.netfilter.ip_conntrack_max = 65536<br />
<br />
-----------------------------------------------------------------<br />
<br />
65536 is a pretty low value, and with this bug the conntrack table fills very quickly. Once the table is full, the kernel drops packets for new connections until existing entries time out, so the silent reset undoes the tuning without any warning.
0004877: net.ipv4.netfilter.ip_conntrack values get reset to default after iptables service restart