-rw-r--r--Makefile.am7
-rwxr-xr-xscripts/check-params-on-reboot.d/conntrack-hash-size20
-rw-r--r--templates-cfg/system/conntrack/expect-table-size/node.def5
-rw-r--r--templates-cfg/system/conntrack/node.def2
-rw-r--r--templates-cfg/system/conntrack/table-size/node.def5
5 files changed, 31 insertions, 8 deletions
diff --git a/Makefile.am b/Makefile.am
index f96e118..94c39d5 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,11 +2,16 @@ cfgdir = $(datadir)/vyatta-cfg/templates
opdir = $(datadir)/vyatta-op/templates
curverdir = $(sysconfdir)/config-migrate/current
modprobedir = /etc/modprobe.d
-bin_sudo_usersdir = $(bindir)/sudo-users
+checkparamsonrebootdir = $(bindir)/sudo-users/check-params-on-reboot.d
+checkparamsonreboot_SCRIPTS =
+checkparamsonreboot_SCRIPTS += scripts/check-params-on-reboot.d/conntrack-hash-size
+
+bin_sudo_usersdir = $(bindir)/sudo-users
bin_sudo_users_SCRIPTS = scripts/vyatta-show-conntrack.pl
bin_sudo_users_SCRIPTS += scripts/vyatta-delete-conntrack.pl
+
curver_DATA = cfg-version/conntrack@1
modprobe_DATA = etc/modprobe.d/vyatta_nf_conntrack.conf
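Review bot: The empty assignment on the `checkparamsonreboot_SCRIPTS =` line followed immediately by a single `+=` is two lines doing the work of one; unless more scripts are expected to be appended later, collapse them to `checkparamsonreboot_SCRIPTS = scripts/check-params-on-reboot.d/conntrack-hash-size`. If the append form is kept deliberately to make future additions a one-line diff, a short comment saying so (`# one script per += line`) would stop the next reader from "fixing" it.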
diff --git a/scripts/check-params-on-reboot.d/conntrack-hash-size b/scripts/check-params-on-reboot.d/conntrack-hash-size
new file mode 100755
index 0000000..aec4f80
--- /dev/null
+++ b/scripts/check-params-on-reboot.d/conntrack-hash-size
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# fix conntrack-hash-size on reboot
+#
+
+BOOTFILE=$1
+cthash_cfg=$(cli-shell-api cfReturnValue $BOOTFILE system conntrack hash-size)
+
+if [ -z "$cthash_cfg" ]; then
+ cthash_cfg=4096 # default hashsize value that Vyatta ships
+fi
+
+if ! grep -q "nf_conntrack hashsize=$cthash_cfg$" \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf
+then
+ sudo sh -c "sed -i -e '/options nf_conntrack hashsize/d' \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+ sudo sh -c "echo options nf_conntrack hashsize=$cthash_cfg >> \
+ /etc/modprobe.d/vyatta_nf_conntrack.conf"
+fi
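Review bot: The value read from the boot config is interpolated without any validation into the grep pattern and into two `sudo sh -c "..."` strings, so a hash-size that is not a plain integer (stray whitespace, a malformed entry in a hand-edited or restored config file) is handed to a privileged shell as command text; presumably the CLI validator normally restricts this node to a u32, but a script that runs under sudo should not depend on that. Validate the value as digits-only before use, and drop the `sh -c` string-building in favour of running `sed` and `tee` directly so the value only ever appears as an argument. `$BOOTFILE` is also unquoted in the `cli-shell-api` call, which breaks on paths containing spaces. Note that the delete-then-append is two separate writes, so a failure between them leaves the file with no `hashsize` line; the rewrite below keeps that structure but at least fails loudly.
```shell
BOOTFILE=$1
cthash_cfg=$(cli-shell-api cfReturnValue "$BOOTFILE" system conntrack hash-size)

# accept only an unsigned integer; anything else falls back to the shipped default
case "$cthash_cfg" in
  ''|*[!0-9]*) cthash_cfg=4096 ;;
esac

if ! grep -q "nf_conntrack hashsize=$cthash_cfg$" \
   /etc/modprobe.d/vyatta_nf_conntrack.conf
then
  sudo sed -i -e '/options nf_conntrack hashsize/d' \
    /etc/modprobe.d/vyatta_nf_conntrack.conf || exit 1
  echo "options nf_conntrack hashsize=$cthash_cfg" | \
    sudo tee -a /etc/modprobe.d/vyatta_nf_conntrack.conf > /dev/null
fi
```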
diff --git a/templates-cfg/system/conntrack/expect-table-size/node.def b/templates-cfg/system/conntrack/expect-table-size/node.def
index f9f1ae5..9ff72c7 100644
--- a/templates-cfg/system/conntrack/expect-table-size/node.def
+++ b/templates-cfg/system/conntrack/expect-table-size/node.def
@@ -7,15 +7,14 @@
# called application level gateways [ALGs]) for more complex protocols such as
# FTP, SIP, H.323.
#
-# default value when no conntrack options set - 2048
-# default value when no conntrack options set - 4096
+# default value: 2048
#
type: u32
help: Size of connection tracking expect table
-default: 4096
+default: 2048
val_help: u32: 1-50000000; Number of entries allowed in connection tracking expect table
diff --git a/templates-cfg/system/conntrack/node.def b/templates-cfg/system/conntrack/node.def
index 53488ae..28f78d1 100644
--- a/templates-cfg/system/conntrack/node.def
+++ b/templates-cfg/system/conntrack/node.def
@@ -3,7 +3,7 @@ help: Connection tracking engine options
priority: 218 # before NAT and conntrack-sync are configured
delete: # set conntrack table size to standard 16384 entries if conntrack settings are removed
- sudo sysctl -q -w net/nf_conntrack_max=16384
+ sudo sysctl -q -w net/nf_conntrack_max=1638
# set conntrack expect table size to standard 2048 entries if conntrack settings are removed
sudo sysctl -q -w net/netfilter/nf_conntrack_expect_max=2048
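Review bot: The new `delete:` action sets `net/nf_conntrack_max=1638`, which contradicts the comment directly above it ("standard 16384 entries") and the `default: 16384` this same commit writes into `table-size/node.def`; this looks like a dropped trailing digit. Removing the conntrack settings would shrink the tracking table to 1638 entries on a running router and start dropping connections under modest load, so the line should read `sudo sysctl -q -w net/nf_conntrack_max=16384`.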
diff --git a/templates-cfg/system/conntrack/table-size/node.def b/templates-cfg/system/conntrack/table-size/node.def
index f91b101..b44b563 100644
--- a/templates-cfg/system/conntrack/table-size/node.def
+++ b/templates-cfg/system/conntrack/table-size/node.def
@@ -11,15 +11,14 @@
# tracking table consumes kernel memory, so the size selected should
# be no larger than necessary.
#
-# default value when contrack is not set - 16384
-# default value when conntrack is set - 32768
+# default value: 16384
#
type: u32
help: Size of connection tracking table
-default: 32768
+default: 16384
val_help: u32:1-50000000; Number of entries allowed in connection tracking table