You are not logged in.

#1 2019-08-08 15:55:08

linux_too_stronk
Member
Registered: 2019-01-14
Posts: 4

[SOLVED]conntrack tcp timeout on established connections reset on boot

Hi,

On my VPS powered by KVM kernel parameter net.netfilter.nf_conntrack_tcp_timeout_established gets overwritten by something during/right after boot. In my /etc/sysctl.d/custom.conf I have
net.netfilter.nf_conntrack_tcp_timeout_established = 7200 after reboot the value is set to default 432000. Executing sysctl --system does change it to 7200 until next reboot. Other parameters in /etc/sysctl.d/custom.conf do change without explicitly running sysctl --system. I suspect that something resets net.netfilter.nf_conntrack_tcp_timeout_established to default after /etc/sysctl.d/custom.conf is applied. Any idea what that can be?

I use systemd-networkd for network configuration. Also, have conntrack-tools and iptstate installed. Removing them doesn't change this behaviour.

Thanks

P.S. Nothing in /usr/lib/sysctl.d/*.conf.

Name            : linux    
Version         : 5.2.6.arch1-1
Name            : systemd
Version         : 242.84-1
Name            : conntrack-tools
Version         : 1.4.5-1
Name            : iptstate
Version         : 2.2.6-3

# conntrack-tools related
# systemctl is-enabled conntrackd.service 
disabled

Last edited by linux_too_stronk (2019-08-09 15:04:52)

Offline

#2 2019-08-08 22:21:05

linux_too_stronk
Member
Registered: 2019-01-14
Posts: 4

Re: [SOLVED]conntrack tcp timeout on established connections reset on boot

OK, the same behaviour observed on debian 10 but not on centos 7 and fedora 30. Reloading nf_conntrack and/or other related kernel modules resets the net.netfilter.nf_conntrack_tcp_timeout_established parameter. Looks like the module is loaded after sysctl.

This can be reproduced on centos 7 with stopping (unloads nf_conntrack and related modules) and starting (loads them back) firewalld.service. The values are fine after reboot which means in centos 7 nf_conntrack module loads before sysctl. Interestingly enough, on fedora 30 this procedure does not reset conntrack tcp timeout even though firewalld.service and /usr/sbin/firewalld files are the same on those OSes. Probably something else is different in the chain of those python scripts.

For now, this dirty little hack will do.

$ cat /etc/systemd/system/conntrack-hack.service
[Unit]
Description=conntrack tcp timeout hack
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/bin/sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=7200 net.netfilter.nf_conntrack_generic_timeout=120

[Install]
WantedBy=multi-user.target

# systemctl daemon-reload
# systemctl enable conntrack-hack.service

Offline

#3 2019-08-09 15:04:31

linux_too_stronk
Member
Registered: 2019-01-14
Posts: 4

Re: [SOLVED]conntrack tcp timeout on established connections reset on boot

So yeah, the problem is that nf_conntrack loads on iptables-restore </etc/iptables/iptables.rules which is way too late. The fix is either .service file above or insert nf_conntrack at boot:

$ cat /etc/modules-load.d/conntrack.conf 
# gotta go faster than sysctl
nf_conntrack

Offline

Board footer

Powered by FluxBB