> net.netfilter.nf_conntrack_max=1048576
> net.netfilter.nf_conntrack_buckets=1048576
>
> But it only does for nf_conntrack_max. I did overwrite it by going to
> /sys/modules/nf_conntrack/parameters/hashsize and it did take it on the
> second try. The first time it complained about file descriptors. The
> second time it seemed to set it, which I verified by looking at
> /proc/sys/net/netfilter/nf_conntrack_buckets.
>
> Is there a way to set this on startup?

Oh yes, sorry, you can't set it in sysctl.conf then, since the module must probably already be loaded if you can use that. Try the module load parameters instead (options ip_conntrack hashsize=XXXX in /etc/modprobe.d/somefile worked in older kernels).

I am actually just patching the numbers into the kernel version myself, since I don't want to have a module-based kernel on my firewall box.

Thomas
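The startup-time approach the reply suggests, as an added example that is not part of the thread. It assumes the current module name nf_conntrack (the thread's ip_conntrack is the older name), the parameter path /sys/module/nf_conntrack/parameters/hashsize (the thread writes /sys/modules), a hypothetical file name /etc/modprobe.d/conntrack.conf, and the kernel's documented default of nf_conntrack_max being four times nf_conntrack_buckets, which the chain-depth check uses as its reference point.

```shell
#!/bin/sh
# Added example, not from the thread. Persists the conntrack hash size as a
# module-load parameter (the approach the reply suggests) and verifies it.
# Assumed paths (standard on current kernels, module name nf_conntrack):
PARAM_FILE=/sys/module/nf_conntrack/parameters/hashsize
BUCKETS_FILE=/proc/sys/net/netfilter/nf_conntrack_buckets
MAX_FILE=/proc/sys/net/netfilter/nf_conntrack_max
MODPROBE_CONF=/etc/modprobe.d/conntrack.conf   # hypothetical file name

# Entries per bucket once the table is full. The kernel default is
# max = 4 * buckets, i.e. 4; a much larger value means long hash chains,
# which is what the 1:1 setting in the thread is avoiding.
chain_depth() {  # $1 = nf_conntrack_max, $2 = nf_conntrack_buckets
    [ "$2" -gt 0 ] 2>/dev/null || { echo "buckets must be > 0" >&2; return 1; }
    echo $(( $1 / $2 ))
}

# Write the modprobe options line so hashsize is applied when the module
# loads, which happens before sysctl.conf could touch it.
write_modprobe_conf() {  # $1 = hashsize, $2 = output file
    printf 'options nf_conntrack hashsize=%s\n' "$1" > "$2"
}

# Apply a new hashsize on the running kernel through the module parameter
# and confirm it by reading back the buckets sysctl, as the thread does by hand.
set_hashsize() {  # $1 = hashsize, $2 = parameter file, $3 = read-back file
    [ -w "$2" ] || { echo "$2 is not writable (root required)" >&2; return 1; }
    echo "$1" > "$2" || return 1
    [ "$(cat "$3")" = "$1" ]
}

# Report-only when run directly; nothing below writes to the live kernel.
if [ -r "$MAX_FILE" ] && [ -r "$BUCKETS_FILE" ]; then
    max=$(cat "$MAX_FILE"); buckets=$(cat "$BUCKETS_FILE")
    echo "nf_conntrack_max=$max nf_conntrack_buckets=$buckets chain_depth=$(chain_depth "$max" "$buckets")"
    echo "to persist: write_modprobe_conf $buckets $MODPROBE_CONF"
fi
```

To change a live box, run `set_hashsize 1048576 "$PARAM_FILE" "$BUCKETS_FILE"` as root and then `write_modprobe_conf 1048576 "$MODPROBE_CONF"` so the value survives the next boot; nf_conntrack_max itself can still go in sysctl.conf as in the thread.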