author | Christian Breunig <christian@breunig.cc> | 2025-06-07 09:15:30 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2025-06-07 10:55:24 +0200 |
commit | 08421b277b1f460ebc51673571bab975aece2215 (patch) | |
tree | 2b209eee82a39c007b20d44b4aed9121315266e8 /src/migration-scripts/conntrack/5-to-6 | |
parent | b3ebf8f81afc0c4ceddd11c28421971b7b44fe69 (diff) | |
conntrack: T7208: nf_conntrack_buckets defaults and behavior
Previously, we used a lower limit of 1 and a default value of 32768 for the
nf_conntrack_buckets (conntrack hash-size) sysctl option. However, the Linux
kernel enforces an internal minimum of 1024. A configuration migrator will now
adjust the lower limit to 1024 if necessary.
The former default value of 32768 was passed as a kernel module option, which
only took effect after the second system reboot. This was due to the option being
rendered but not applied during the first boot. This behavior has been changed so
that the value is now configurable at runtime and takes effect immediately.
Additionally, since VyOS 1.4 increased the hardware requirements to 4GB of RAM,
we now align the default value of nf_conntrack_buckets with the kernel's
default for systems with more than 1GB of RAM to 65536 entries. Previously, we
only supported half that amount.
Diffstat (limited to 'src/migration-scripts/conntrack/5-to-6')
-rw-r--r-- | src/migration-scripts/conntrack/5-to-6 | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/src/migration-scripts/conntrack/5-to-6 b/src/migration-scripts/conntrack/5-to-6 new file mode 100644 index 000000000..1db2e78b4 --- /dev/null +++ b/src/migration-scripts/conntrack/5-to-6 @@ -0,0 +1,30 @@ +# Copyright 2025 VyOS maintainers and contributors <maintainers@vyos.io> +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library. If not, see <http://www.gnu.org/licenses/>. + +# T7202: fix lower limit of supported conntrack hash-size to match Kernel +# lower limit. + +from vyos.configtree import ConfigTree + +base = ['system', 'conntrack'] +def migrate(config: ConfigTree) -> None: + if not config.exists(base): + # Nothing to do + return + + if config.exists(base + ['hash-size']): + tmp = config.return_value(base + ['hash-size']) + if int(tmp) < 1024: + config.set(base + ['hash-size'], value=1024) |
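Review bot: the task reference in the file header comment ("T7202: fix lower limit of supported conntrack hash-size ...") does not match the task named in the commit subject (T7208); one of the two should be corrected so the migrator can be traced back to the right ticket. Separately, in `config.set(base + ['hash-size'], value=1024)` the value is passed as an int whereas `tmp` was read back as a string with `return_value`; unless `ConfigTree.set` is known to stringify its argument, pass `value='1024'` to stay consistent with how the node is stored and read elsewhere in the migrator. A minor style point: a blank line between `base = ['system', 'conntrack']` and `def migrate(...)` would match the layout of the other migration scripts.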