I ran into a problem applying nf_conntrack parameters on Debian 8.1.

If, while the system is running, I set other values for the parameters

net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_generic_timeout

they are applied immediately.

If these values are added to sysctl.conf, then when Debian 8.1 boots, these parameters keep their default values.

That is, when sysctl runs at startup it does not change them, but if, after boot, I run the sysctl -p command, the values from the sysctl.conf file are applied.

How to fix it?


    According to man sysctl, the system configuration files for this program are:

     /run/sysctl.d/*.conf
     /etc/sysctl.d/*.conf
     /usr/local/lib/sysctl.d/*.conf
     /usr/lib/sysctl.d/*.conf
     /lib/sysctl.d/*.conf
     /etc/sysctl.conf

    It is possible that in some of them these values are redefined.

    Perhaps some program/script at system startup (after /etc/init.d/procps has run) overrides the contents of the pseudo-files you listed.

    It is possible that at the moment /etc/init.d/procps runs, these pseudo-files do not exist yet (as I guess, they are created when any of the nf_conntrack* modules is loaded).

    How to fix it?

    For example, place the command(s) that change the pseudo-files you listed in the /etc/rc.local file (above the exit 0 line). This file is interpreted at the very end of boot.

    • I was thinking about putting the commands into /etc/rc.local, but this is a crooked way. The system is clean, so hardly any program redefines the values. I reviewed the conf files and also did not find an override. It seems that the nf_conntrack module is loaded later than sysctl runs. But the strangest thing is that such a bug has not been fixed, since NAT has long been used on Linux, especially on Debian 8. - nerik
    • If this is the case, and the module creating the pseudo-files is loaded after /etc/init.d/procps runs, then this is, of course, not a sysctl bug; you are simply demanding the impossible from sysctl. - aleksandr barakin
    • @nerik And why is this a bug? In most cases no one changes these variables. You should probably put the iptables startup before applying the sysctl settings so that the module gets loaded. - Mike
    • Well, why? :) The official documentation says that you need to edit values through sysctl. I do not think the developers are outright wrong. - nerik
    • In the official documentation - in which documentation exactly? - aleksandr barakin
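The answer's rc.local approach, as an added example that is not part of the original answer: a POSIX sh script that loads nf_conntrack if needed, waits for its pseudo-files to appear, and only then writes the values, so the settings cannot be silently skipped the way an early sysctl.conf pass skips them. The install path, the sample values and the SYSCTL_ROOT override (which exists only so the logic can be tested on a fixture directory) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer). nf_conntrack's sysctl keys appear
# only after the module loads, so load it, wait for the keys, then write them.
# Run from /etc/rc.local above "exit 0": /usr/local/sbin/conntrack-sysctl.sh --apply
# Root of the sysctl tree; overridable so the logic can be tested on a fixture.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
# Desired settings as key=value words (constructed sample values).
CONNTRACK_SETTINGS="net.netfilter.nf_conntrack_max=262144 net.netfilter.nf_conntrack_generic_timeout=600"

# Map a dotted sysctl key to its pseudo-file path under $SYSCTL_ROOT.
key_to_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr '.' '/')"
}
# Succeed only when the nf_conntrack keys are present.
conntrack_keys_present() {
    [ -e "$(key_to_path net.netfilter.nf_conntrack_max)" ]
}
# Load nf_conntrack if needed and wait up to $1 seconds for its keys to appear.
ensure_conntrack_loaded() {
    remaining="${1:-10}"
    conntrack_keys_present && return 0
    modprobe nf_conntrack 2>/dev/null || true
    while [ "$remaining" -gt 0 ]; do
        conntrack_keys_present && return 0
        sleep 1
        remaining=$((remaining - 1))
    done
    return 1
}
# Write every setting to its pseudo-file; return 1 if any write failed.
apply_conntrack_settings() {
    rc=0
    for setting in $CONNTRACK_SETTINGS; do
        key="${setting%%=*}"; value="${setting#*=}"
        path="$(key_to_path "$key")"
        if [ -w "$path" ] && printf '%s\n' "$value" > "$path"; then
            echo "applied $key=$value"
        else
            echo "could not apply $key (pseudo-file missing or not writable)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Entry point for rc.local; does nothing when the file is merely sourced.
if [ "${1:-}" = "--apply" ]; then
    ensure_conntrack_loaded 10 && apply_conntrack_settings
fi
```

Running it with --apply from rc.local keeps the values in one place while still failing loudly (non-zero exit and a message on stderr) if the module never appears.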