On Sun, 18 Jun 2023 14:34:31 +0000 public1020 <public1020@xxxxxxxxx> wrote:

> The system is IPv4 and intranet only, suppose I'm going to increase the hash size,

You should definitely increase the capacity of the conntrack table. I would just add that many rulesets have no particular need for traffic traversing the loopback interface to be tracked. Should this apply to you, some memory can be saved by implementing a rule such as "-t raw -A OUTPUT -o lo -j CT --notrack".

--
Kerin Millar