Ehm, your original question was about setting conntrack values :-) Originally you couldn't change the hash bucket number after the ipt_conntrack module had been loaded; you needed to do that at load time (for instance through /etc/sysctl.cnf), but I gather that current netfilter versions allow changing the number of hash buckets at runtime through: /sys/module/ip_conntrack/parameters/hashsize. Setting #hash buckets = conntrack max should be fine; that's what we do as well. Maybe you want to carefully reduce some of the /proc/sys/net/ipv4/netfilter/ip_conntrack_*timeout* parameters to reduce the number of entries in the connection tracking hash.
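The check the reply describes (compare the runtime hash bucket count with the conntrack maximum, align them, and list the timeout knobs that shrink the table), as an added example that is not part of the original message. It uses the ip_conntrack paths quoted above; the CT_ROOT prefix, the function names and the fake /proc and /sys tree are assumptions introduced so the logic can be exercised without root on a host that does not have the old module. Newer kernels expose the same parameters under nf_conntrack instead.

```shell
#!/bin/sh
# Added example: inspect and align conntrack hash buckets with ip_conntrack_max,
# then list the ip_conntrack_*timeout* knobs. CT_ROOT is an assumed prefix so
# the functions can be pointed at a constructed fake /proc and /sys tree;
# leave it empty on a real host (then writes need root).
CT_ROOT="${CT_ROOT:-}"
CT_MAX_FILE="/proc/sys/net/ipv4/netfilter/ip_conntrack_max"
HASHSIZE_FILE="/sys/module/ip_conntrack/parameters/hashsize"
NETFILTER_DIR="/proc/sys/net/ipv4/netfilter"

# Print the integer stored in a proc/sys file, or fail if it is absent.
read_knob() {
    cat "${CT_ROOT}$1" 2>/dev/null
}

# Print the hashsize that matches conntrack max (the rule of thumb from the
# message: one bucket per tracked connection). Prints nothing when the
# current value already satisfies it.
recommended_hashsize() {
    max=$(read_knob "$CT_MAX_FILE") || return 1
    cur=$(read_knob "$HASHSIZE_FILE") || return 1
    if [ "$cur" -lt "$max" ]; then
        echo "$max"
    fi
}

# Align hashsize with conntrack max. Without the literal argument "apply"
# it only prints the write it would perform, which is the safe default.
align_hashsize() {
    want=$(recommended_hashsize) || return 1
    if [ -z "$want" ]; then
        echo "hashsize already >= ip_conntrack_max"
        return 0
    fi
    if [ "${1:-}" = "apply" ]; then
        echo "$want" > "${CT_ROOT}${HASHSIZE_FILE}"
    else
        echo "would run: echo $want > ${HASHSIZE_FILE}"
    fi
}

# List every ip_conntrack_*timeout* knob with its current value, so the
# long ones (typically the established-TCP timeout) are easy to spot.
list_timeouts() {
    for f in "${CT_ROOT}${NETFILTER_DIR}"/ip_conntrack_*timeout*; do
        [ -f "$f" ] || continue
        printf '%s=%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Human-readable summary: current values, suggested write, timeout list.
report() {
    printf 'ip_conntrack_max=%s hashsize=%s\n' \
        "$(read_knob "$CT_MAX_FILE")" "$(read_knob "$HASHSIZE_FILE")"
    align_hashsize
    list_timeouts
}

if [ "${1:-}" = "report" ]; then
    report
fi
```

Run it as `sh conntrack_tune.sh report` to see the current state without changing anything; `align_hashsize apply` performs the sysfs write. The hash bucket count only bounds chain length in the tracking table, so trimming the timeout values is what actually reduces the number of live entries.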