Unable to change net.netfilter.nf_conntrack_buckets via sysctl

Strykar · November 19, 2016, 10:23pm

sysctl can change netfilter.nf_conntrack_max values fine, but doesn't seem to change net.netfilter.nf_conntrack_buckets.
I could work around it by changing /sys/module/nf_conntrack/parameters/hashsize post boot but I'm wondering if this a bug?

root@lede:~# sysctl net.netfilter.nf_conntrack_buckets
net.netfilter.nf_conntrack_buckets = 16384
root@lede:~# sysctl -w net.netfilter.nf_conntrack_buckets=32768
root@lede:~# sysctl net.netfilter.nf_conntrack_buckets
net.netfilter.nf_conntrack_buckets = 16384
root@lede:~# cat /sys/module/nf_conntrack/parameters/hashsize
16384

root@lede:~# sysctl -w net.netfilter.nf_conntrack_max=131072
net.netfilter.nf_conntrack_max = 131072
root@lede:~# sysctl net.netfilter.nf_conntrack_max
net.netfilter.nf_conntrack_max = 131072
root@lede:~# sysctl -w net.netfilter.nf_conntrack_buckets=32768
root@lede:~# sysctl net.netfilter.nf_conntrack_buckets
net.netfilter.nf_conntrack_buckets = 16384

weedy · November 20, 2016, 6:00am

I've had this in rc.local for years. If it's a bug it's an old bug. I think I pulled this off SO

# net.netfilter.nf_conntrack_max / 4 (or 6)
echo 4096 > /sys/module/nf_conntrack/parameters/hashsize