Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

netfilter: conntrack: adjust nf_conntrack_buckets default value

Manually bumping either nf_conntrack_buckets or nf_conntrack_max has
become a common task as our Linux servers tend to serve more and more
clients/applications, so let's adjust nf_conntrack_buckets to a
more updated value.

Now for systems with more than 4GB of memory, nf_conntrack_buckets
becomes 65536 instead of 16384, resulting in nf_conntrack_max=256k
entries.

Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Authored by Marcelo Leitner and committed by Pablo Neira Ayuso
88eab472 f96fe225

+10 -4
+2 -1
Documentation/networking/nf_conntrack-sysctl.txt
··· 11 11 Size of hash table. If not specified as parameter during module 12 12 loading, the default size is calculated by dividing total memory 13 13 by 16384 to determine the number of buckets but the hash table will 14 - never have fewer than 32 or more than 16384 buckets. 14 + never have fewer than 32 and limited to 16384 buckets. For systems 15 + with more than 4GB of memory it will be 65536 buckets. 15 16 16 17 nf_conntrack_checksum - BOOLEAN 17 18 0 - disabled
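Review bot: the new sentence "never have fewer than 32 and limited to 16384 buckets. For systems with more than 4GB of memory it will be 65536 buckets." reads awkwardly, and its first half contradicts its second; suggest "never have fewer than 32 or more than 16384 buckets; on systems with more than 4GB of memory the default is 65536 buckets." It would also help to state that 16384 and 65536 are fixed values chosen above the 1GB and 4GB thresholds, not caps applied to the computed value, since that is what the code does.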
+8 -3
net/netfilter/nf_conntrack_core.c
··· 1624 1624 for (i = 0; i < CONNTRACK_LOCKS; i++) 1625 1625 spin_lock_init(&nf_conntrack_locks[i]); 1626 1626 1627 - /* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB 1628 - * machine has 512 buckets. >= 1GB machines have 16384 buckets. */ 1629 1627 if (!nf_conntrack_htable_size) { 1628 + /* Idea from tcp.c: use 1/16384 of memory. 1629 + * On i386: 32MB machine has 512 buckets. 1630 + * >= 1GB machines have 16384 buckets. 1631 + * >= 4GB machines have 65536 buckets. 1632 + */ 1630 1633 nf_conntrack_htable_size 1631 1634 = (((totalram_pages << PAGE_SHIFT) / 16384) 1632 1635 / sizeof(struct hlist_head)); 1633 - if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE)) 1636 + if (totalram_pages > (4 * (1024 * 1024 * 1024 / PAGE_SIZE))) 1637 + nf_conntrack_htable_size = 65536; 1638 + else if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE)) 1634 1639 nf_conntrack_htable_size = 16384; 1635 1640 if (nf_conntrack_htable_size < 32) 1636 1641 nf_conntrack_htable_size = 32;
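Review bot: the relocated comment still says "use 1/16384 of memory", but with the new if/else-if chain the computed value is only used below 1GB; above that the size is a flat 16384 or 65536, so the comment should say so, otherwise readers will expect 2GB and 4GB machines to differ. The thresholds and sizes (1GB/16384, 4GB/65536) are magic numbers that also appear in the documentation hunk; a named constant for each, or a small {threshold_pages, buckets} table, would keep the two in step.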
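The default-sizing rule this patch changes, as an added stand-alone model (not the kernel's own code) that computes the default for any memory size before and after the change; the function names are my own, and the four-times multiplier for nf_conntrack_max is taken from the commit message's 65536 buckets giving 256k entries.

```c
#include <stdio.h>

/* Stand-alone model of the default sizing in nf_conntrack_init_start()
 * (added example; names are my own, not the kernel's). One hlist_head is
 * one pointer, so pass ptr_size = 4 for i386 and 8 for x86_64. */
#define GIB (1024ULL * 1024 * 1024)

/* Default bucket count for a machine with `pages` pages of `page_size`
 * bytes; patched=0 gives the pre-patch rule, patched=1 the new one. */
unsigned long conntrack_buckets(unsigned long pages, unsigned long page_size,
                                unsigned long ptr_size, int patched)
{
    /* 1/16384 of RAM, divided by the size of one hash bucket head */
    unsigned long long bytes = (unsigned long long)pages * page_size;
    unsigned long size = (unsigned long)((bytes / 16384) / ptr_size);

    if (patched && pages > 4 * (GIB / page_size))   /* new: > 4GB */
        size = 65536;
    else if (pages > GIB / page_size)               /* > 1GB, as before */
        size = 16384;
    if (size < 32)                                  /* floor */
        size = 32;
    return size;
}

/* nf_conntrack_max defaults to four times the bucket count: the commit
 * message's 65536 buckets -> 256k entries is exactly that ratio. */
unsigned long conntrack_max_default(unsigned long buckets)
{
    return 4 * buckets;
}

int main(void)
{
    /* constructed sample memory sizes, 4K pages, 64-bit pointers */
    unsigned long long mem[] = { 32 * 1024 * 1024ULL, GIB, 2 * GIB,
                                 4 * GIB, 8 * GIB, 64 * GIB };
    for (size_t i = 0; i < sizeof mem / sizeof mem[0]; i++) {
        unsigned long pages = (unsigned long)(mem[i] / 4096);
        unsigned long old = conntrack_buckets(pages, 4096, 8, 0);
        unsigned long cur = conntrack_buckets(pages, 4096, 8, 1);
        printf("%6lluMB: buckets %5lu -> %5lu, nf_conntrack_max %6lu\n",
               mem[i] >> 20, old, cur, conntrack_max_default(cur));
    }
    return 0;
}
```

Note that exactly 4GB still yields 16384 because the comparison is strictly greater-than, matching the hunk.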