diff --git a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2 b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
index 501c2fa660..3d1c2f1240 100644
--- a/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
+++ b/octavia/amphorae/backends/agent/api_server/templates/amphora-netns.systemd.j2
@@ -14,6 +14,9 @@ ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} sysctl --system
 # cannot be set in another net namespace, but its value is inherited from the
 # main namespace)
 ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_buckets=125000
+# Update conntrack table sizes using the formula for the default values
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_max=125000
+ExecStart=-/sbin/sysctl -w net.netfilter.nf_conntrack_expect_max=488
 # Enable kernel module ip_vs for lvs function in amphora network namespace
 ExecStart=-/sbin/ip netns exec {{ amphora_nsname }} modprobe ip_vs
 # Enable ip_forward and conntrack kernel configuration
diff --git a/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml b/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml
new file mode 100644
index 0000000000..8ee949b65d
--- /dev/null
+++ b/releasenotes/notes/fix-nf-conntrack-max-value-in-amp-0e16eb50b42e7b58.yaml
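Review bot: The two added `sysctl -w` lines hard-code 125000 and 488 as values derived from the `nf_conntrack_buckets=125000` line just above, and the comment refers to "the formula" without stating it, so a later change to the bucket count can leave the table limits out of step. I would spell the relationship out in the comment, e.g. `# nf_conntrack_max = nf_conntrack_buckets; nf_conntrack_expect_max = nf_conntrack_buckets / 256 (125000 / 256 = 488)`. Because each line uses the `-` prefix, a failed write is ignored and the amphora would keep the low kernel defaults, which is the table-exhaustion and packet-drop condition this change is meant to prevent; a check of the effective values after boot, or in the image tests, would catch that. The unit file continues outside the hunk, so whether the nf_conntrack module is loaded before these lines run cannot be confirmed from here.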
@@ -0,0 +1,15 @@
+---
+upgrade:
+ - |
+ The fix that updates the Netfilter Conntrack Sysfs variables requires
+ rebuilding the amphora image in order to be effective.
+fixes:
+ - |
+ Netfilter Conntrack Sysfs variables net.netfilter.nf_conntrack_max and
+ nf_conntrack_expect_max get set to sensible values on the amphora now.
+ Previously, kernel default values were used which were much too low for the
+ configured net.netfilter.nf_conntrack_buckets value. As a result packets
+ could get dropped because the conntrack table got filled too quickly. Note
+ that this affects only UDP and SCTP protocol listeners.
+ Connection tracking is disabled for TCP-based connections on the
+ amphora including HTTP(S).