for nf_conntrack_max the kernel uses by default the value:
(nf_conntrack_buckets value * 4) and nf_conntrack_buckets
is set to 2^16 for machines with more than 4GB memory, so the
resulting default would be 2^18 == 262144.

As PVE hosts are expected to have more than such a, nowadays rather
small, amount of memory, update the default to match the one which
would be normally used anyway.

[0]: https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt

Signed-off-by: Thomas Lamprecht <t.lampre...@proxmox.com>
---
 src/PVE/Firewall.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 1319bfb..aa637c2 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1262,6 +1262,7 @@ our $host_option_properties = {
        description => "Maximum number of tracked connections.",
        type => 'integer',
        optional => 1,
+       default => 262144,
        minimum => 32768,
     },
     nf_conntrack_tcp_timeout_established => {
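Review bot: the new `default => 262144` in the schema duplicates the literal that `update_nf_conntrack_max` hard-codes in the second hunk, so the two can silently drift apart; consider making one the source of truth, e.g. having the function read `$host_option_properties->{nf_conntrack_max}->{default}` instead of carrying its own constant. The value itself is consistent with the existing `minimum => 32768` and with the derivation in the commit message (2^16 buckets * 4).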
@@ -4218,7 +4219,7 @@ sub apply_ruleset {
 sub update_nf_conntrack_max {
     my ($hostfw_conf) = @_;
 
-    my $max = 65536; # reasonable default
+    my $max = 262144; # reasonable default (2^16 * 4), see nf_conntrack-sysctl 
docs
 
     my $options = $hostfw_conf->{options} || {};
 
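Review bot: the replacement comment on the `my $max = 262144;` line runs past the usual line width (it wraps after "nf_conntrack-sysctl"), so please shorten it or move the reference to a separate comment line, and point to the same document the commit message cites ([0]) rather than an abbreviated name. As noted for the schema hunk, this literal is the second copy of the default; deriving it from the schema entry, or at least stating in the comment that it must be kept in sync with `$host_option_properties`, would avoid a mismatch on a later change. Also worth stating in the commit message or comment that this raises the value unconditionally even on hosts below the 4 GB threshold where the kernel itself would pick a smaller default, since the option is always written regardless of memory size.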
-- 
2.20.1
