How to Permanently Set nf_conntrack_buckets Parameter in Linux Kernel for Connection Tracking Optimization


Many Linux administrators encounter permission issues when trying to modify net.netfilter.nf_conntrack_buckets through standard methods. Unlike other netfilter parameters, this value requires special handling because:

  • It can only be set during kernel module loading
  • It affects hash table size and cannot be dynamically resized
  • Default values are often too small for high-traffic servers

Attempting to set this parameter via sysctl.conf or runtime sysctl -w commands fails because:

# These methods won't work for buckets parameter
sysctl -w net.netfilter.nf_conntrack_buckets=245760
# Results in: error: permission denied on key 'net.netfilter.nf_conntrack_buckets'

# Even adding to /etc/sysctl.conf won't help
echo "net.netfilter.nf_conntrack_buckets=245760" >> /etc/sysctl.conf
sysctl -p
# Still no effect on the buckets value

Here are the reliable ways to set this parameter permanently:

Method 1: Kernel Module Parameter

Create or modify /etc/modprobe.d/nf_conntrack.conf:

# /etc/modprobe.d/nf_conntrack.conf
options nf_conntrack hashsize=245760

Then regenerate the initramfs so the option is also honoured when the module is loaded early in boot (on distributions that use one):

update-initramfs -u   # Debian/Ubuntu
dracut -f             # RHEL/Fedora
reboot

Method 2: Grub Boot Parameter

For kernels where nf_conntrack is built in rather than loaded as a module (so modprobe.d options are never read), pass the option on the kernel command line instead:

# Edit /etc/default/grub; append to the existing options rather than replacing them
GRUB_CMDLINE_LINUX="<existing options> nf_conntrack.hashsize=245760"

# Update grub and reboot
update-grub   # Debian/Ubuntu
grub2-mkconfig -o /boot/grub2/grub.cfg   # RHEL/CentOS
reboot

After reboot, verify the setting took effect:

cat /sys/module/nf_conntrack/parameters/hashsize
# Should show your configured value

# Check current connection tracking stats
cat /proc/sys/net/netfilter/nf_conntrack_count
cat /proc/sys/net/netfilter/nf_conntrack_max

Remember to adjust nf_conntrack_max proportionally (typically 8x buckets):

# /etc/sysctl.d/99-nf_conntrack.conf
net.netfilter.nf_conntrack_max = 1966080

  • If changes don't apply, check if another module (like iptable_nat) loads nf_conntrack first
  • For custom kernels, you might need to rebuild with different configuration
  • Monitor dmesg for any conntrack-related errors during boot

Many sysadmins encounter this puzzling scenario: while net.netfilter.nf_conntrack_max can be set via /etc/sysctl.conf, its sibling parameter net.netfilter.nf_conntrack_buckets stubbornly resists modification through conventional methods. Even attempting sysctl -w net.netfilter.nf_conntrack_buckets=245760 results in a permission denied error.

The reason lies in the kernel implementation. Unlike most sysctl parameters, the conntrack hash bucket size can only be set:

  • During kernel boot via kernel command line
  • Before the nf_conntrack module loads

This is because the hash table gets allocated when the module initializes, and resizing it afterwards would require rehashing all existing connections.

For permanent setting, add this to your kernel boot parameters:

nf_conntrack.hashsize=245760

Implementation steps for GRUB2 systems:

# Edit /etc/default/grub
GRUB_CMDLINE_LINUX="... nf_conntrack.hashsize=245760 ..."

# Update GRUB
update-grub   # Debian/Ubuntu
grub2-mkconfig -o /boot/grub2/grub.cfg  # RHEL/CentOS

If you can't modify boot parameters, create a systemd service that runs before networking starts:

# /etc/systemd/system/set-conntrack.service
[Unit]
Description=Set conntrack hash table size
# Wants= is required alongside Before=: network-pre.target is a passive target
# and is only ordered after this unit when something pulls it in
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# sysctl -w on nf_conntrack_buckets is refused (see above); load the module and
# write the hashsize module parameter, which nf_conntrack_buckets mirrors
ExecStart=/sbin/modprobe nf_conntrack
ExecStart=/bin/sh -c 'echo 245760 > /sys/module/nf_conntrack/parameters/hashsize'

[Install]
WantedBy=multi-user.target

After reboot, verify with:

cat /proc/sys/net/netfilter/nf_conntrack_buckets
dmesg | grep conntrack

Remember these key ratios:

nf_conntrack_max = hashsize * 8 (recommended)
nf_conntrack_buckets = hashsize

For high-connection systems, ensure your kernel has enough memory for the hash table. Each bucket consumes about 256 bytes.
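The post-reboot checks above (hashsize applied, buckets equal to hashsize, nf_conntrack_max at least 8x buckets, table not near full) can be combined into one audit script. This is an added example, not part of the original article; the PREFIX variable is the script's own convention for pointing the checks at a copied /proc and /sys tree so it can be tested off-host.

```shell
#!/bin/sh
# Post-reboot audit of conntrack sizing. PREFIX is this script's own convention:
# empty on a real host, or a directory holding a constructed /proc and /sys for testing.
PREFIX="${PREFIX:-}"

# Print the value stored in a kernel pseudo-file, or "missing" if it is absent.
read_value() {
    if [ -r "$PREFIX$1" ]; then tr -d '[:space:]' < "$PREFIX$1"; else echo missing; fi
}

# conntrack_audit WANTED_HASHSIZE
# Returns 0 when the live hash table matches WANTED_HASHSIZE, nf_conntrack_max
# is at least 8x the bucket count, and the table is under 90% full; otherwise
# prints each problem found and returns 1.
conntrack_audit() {
    wanted="$1"
    hashsize=$(read_value /sys/module/nf_conntrack/parameters/hashsize)
    buckets=$(read_value /proc/sys/net/netfilter/nf_conntrack_buckets)
    max=$(read_value /proc/sys/net/netfilter/nf_conntrack_max)
    count=$(read_value /proc/sys/net/netfilter/nf_conntrack_count)
    for v in "$hashsize" "$buckets" "$max" "$count"; do
        if [ "$v" = missing ]; then
            echo "nf_conntrack is not loaded or its /proc and /sys files are missing"
            return 1
        fi
    done
    status=0
    if [ "$hashsize" != "$wanted" ]; then
        echo "hashsize is $hashsize, expected $wanted: the boot/modprobe option did not apply"
        status=1
    fi
    if [ "$buckets" != "$hashsize" ]; then
        echo "nf_conntrack_buckets ($buckets) differs from module hashsize ($hashsize)"
        status=1
    fi
    if [ "$max" -lt $((buckets * 8)) ]; then
        echo "nf_conntrack_max is $max; recommended at least $((buckets * 8)) for $buckets buckets"
        status=1
    fi
    # New connections are dropped ("nf_conntrack: table full" in dmesg) once count reaches max.
    pct=$((count * 100 / max))
    echo "tracking $count of $max entries ($pct% full, ~$((count / buckets)) per bucket)"
    if [ "$pct" -ge 90 ]; then
        echo "WARNING: connection tracking table is over 90% full"
        status=1
    fi
    return $status
}

conntrack_audit "${1:-245760}"   # stand-alone use: sh conntrack_audit.sh [wanted_hashsize]
```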