conntrack table full

[apfuzz]

Hello,

After recently upgrading Talos Linux from 1.84 -> 1.9.6 -> 1.10.7, it seems the nf_conntrack_entries_limit value is somehow capped at 262144 when it was over 12M previously. The result of this is I am seeing nf_conntrack: nf_conntrack: table full, dropping packet in kernel logs.

Did something change between 1.8.4 and 1.10.7 that changes how this limit is determined? Is there an easy way to override it? The only thing I've found so far is building a custom image using the image factory with kernel parameters (e.g. net.netfilter.nf_conntrack_max = 1048576) but I haven't tested this yet.

Thanks,
Aaron

[smira]

I don't think Talos ever had this specifically overwritten from kernel defaults, but you can use sysctl values to update it:

https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.rst

[apfuzz]

@smira That works. Thanks.

❯ talosctl patch mc -n <nodename> --patch-file conntrack-patch.yaml --dry-run
patched MachineConfigs.config.talos.dev/v1alpha1 at the node <nodename>
Dry run summary:
Applied configuration without a reboot (skipped in dry-run).
Config diff:

--- a
+++ b
@@ -38,6 +38,7 @@
    ...
     sysctls:
+        net.netfilter.nf_conntrack_max: "1048576"
         vm.max_map_count: "262144"