Hi,
On my KVM-powered VPS, the kernel parameter net.netfilter.nf_conntrack_tcp_timeout_established gets overwritten by something during or right after boot. In my /etc/sysctl.d/custom.conf I have
net.netfilter.nf_conntrack_tcp_timeout_established = 7200
After a reboot the value is set to the default, 432000. Executing sysctl --system does change it to 7200 until the next reboot. Other parameters in /etc/sysctl.d/custom.conf do change without explicitly running sysctl --system. I suspect that something resets net.netfilter.nf_conntrack_tcp_timeout_established to the default after /etc/sysctl.d/custom.conf is applied. Any idea what that can be?
I use systemd-networkd for network configuration. I also have conntrack-tools and iptstate installed. Removing them doesn't change this behaviour.
Thanks
P.S. Nothing in /usr/lib/sysctl.d/*.conf.
Name : linux
Version : 5.2.6.arch1-1
Name : systemd
Version : 242.84-1
Name : conntrack-tools
Version : 1.4.5-1
Name : iptstate
Version : 2.2.6-3
# conntrack-tools related
# systemctl is-enabled conntrackd.service
disabled
Last edited by linux_too_stronk (2019-08-09 15:04:52)
OK, the same behaviour is observed on Debian 10 but not on CentOS 7 and Fedora 30. Reloading nf_conntrack and/or other related kernel modules resets the net.netfilter.nf_conntrack_tcp_timeout_established parameter. Looks like the module is loaded after sysctl.
This can be reproduced on CentOS 7 by stopping (unloads nf_conntrack and related modules) and starting (loads them back) firewalld.service. The values are fine after reboot, which means that on CentOS 7 the nf_conntrack module loads before sysctl. Interestingly enough, on Fedora 30 this procedure does not reset the conntrack tcp timeout even though firewalld.service and /usr/sbin/firewalld are the same files on those OSes. Probably something else is different in the chain of those python scripts.
For now, this dirty little hack will do.
$ cat /etc/systemd/system/conntrack-hack.service
[Unit]
Description=conntrack tcp timeout hack
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7200 net.netfilter.nf_conntrack_generic_timeout=120
[Install]
WantedBy=multi-user.target
# systemctl daemon-reload
# systemctl enable conntrack-hack.service
So yeah, the problem is that nf_conntrack loads on iptables-restore </etc/iptables/iptables.rules, which is way too late. The fix is either the .service file above or inserting nf_conntrack at boot:
$ cat /etc/modules-load.d/conntrack.conf
# gotta go faster than sysctl
nf_conntrack
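As an added example, not from the thread or from any of the packages it names, here is a small POSIX sh drift check for the failure mode described above: it reads every "key = value" line from a sysctl.d-style file and compares it with the live value under /proc/sys, reporting a key that is back at its default (or absent because nf_conntrack is not loaded yet). The root directory is a parameter so the check can be run against a constructed tree; the function names, the sample config and the sample live values are assumptions for the demo, with 432000 being the default the first post reports.

```shell
#!/bin/sh
# Drift check for conntrack sysctls (added example, assumed names).
# Usage after boot: sysctl_check_drift /etc/sysctl.d/custom.conf /proc/sys

# Turn a dotted sysctl key into its path relative to /proc/sys.
sysctl_key_to_path() {
    printf '%s\n' "$1" | tr '.' '/'
}

# Print the live value of KEY below ROOT (normally /proc/sys).
# Returns 1 and prints nothing if the file is missing, which for
# net.netfilter.* keys means nf_conntrack is not loaded (yet).
sysctl_live_value() {
    root=$1; key=$2
    f="$root/$(sysctl_key_to_path "$key")"
    [ -r "$f" ] || return 1
    cat "$f"
}

# Compare every key in CONF with its live value below ROOT.
# Prints one line per problem ("key expected=X live=Y") and returns 1
# if any key drifted or is absent; returns 0 when everything matches.
sysctl_check_drift() {
    conf=$1; root=$2; rc=0
    while IFS='=' read -r key val; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        val=$(printf '%s' "$val" | tr -d '[:space:]')
        [ -n "$key" ] || continue            # blank or comment-only line
        if live=$(sysctl_live_value "$root" "$key"); then
            if [ "$live" != "$val" ]; then
                printf '%s expected=%s live=%s\n' "$key" "$val" "$live"
                rc=1
            fi
        else
            printf '%s expected=%s live=ABSENT (module not loaded?)\n' "$key" "$val"
            rc=1
        fi
    done <<EOF
$(sed -e 's/[#;].*//' "$conf")
EOF
    return $rc
}

# Demo on a constructed tree reproducing the thread's symptom: the config
# asks for 7200 but the module came up after sysctl ran, so the live
# established timeout is back at the kernel default of 432000.
# Returns the drift check's status (1 here, because one key drifted).
sysctl_drift_demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/proc/net/netfilter"
    # constructed config mirroring the one quoted in the thread
    printf '%s\n' \
        'net.netfilter.nf_conntrack_tcp_timeout_established = 7200' \
        'net.netfilter.nf_conntrack_generic_timeout = 120' > "$d/custom.conf"
    # constructed live values
    printf '432000\n' > "$d/proc/net/netfilter/nf_conntrack_tcp_timeout_established"
    printf '120\n'    > "$d/proc/net/netfilter/nf_conntrack_generic_timeout"
    sysctl_check_drift "$d/custom.conf" "$d/proc"; rc=$?
    rm -rf "$d"
    return $rc
}
```

Running the check from a timer or from the oneshot unit's ExecStartPost after the modules-load.d fix is in place tells you whether the ordering problem is actually gone, rather than assuming it; a non-zero exit with an ABSENT line means sysctl still ran before nf_conntrack existed.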