Manage Conntrack Table Size (Linux)
This topic explains how to manage the kernel firewall state table.
About Managing the State Table
Conntrack is only supported on Linux systems, and IPFilter is supported on AIX and Solaris before version 11.4. Both are system-specific names for the Kernel Firewall State Table.
Linux workloads: Manage the Conntrack table.
AIX or Solaris workloads, versions 11.3 and earlier: Manage the IPFilter state table.
For more information about AIX and Solaris, see Tuning the IP Filter State Table (AIX/Solaris).
On Linux workloads, the VEN automatically increases and decreases the size of the Conntrack table as needed based on the number of active connections on the workload.
The VEN automatically increases the size to minimize the possibility of the workload running out of space in the Conntrack table and blocking valid connections.
The VEN uses the following behavior to manage the Conntrack table size:
By default, the size of the Conntrack table starts at 1M. This is the baseline value. The baseline value is used as the starting point for automatically resizing the Conntrack table.
Every 10 seconds, the VEN polls the table size to check the fill percentage.
When the table reaches 80% of the maximum size, the VEN doubles the value set for the maximum size.
The VEN doubles the maximum size value at most 3 times (8x the baseline value).
For a 1M baseline value, the maximum table size after adjustment is 8M.

Customizing the VEN Adjustment Behavior
If the Conntrack table is experiencing issues with the size limit, you can adjust how the VEN automatically manages the table size. Adjust the VEN behavior by setting the following values in the VEN configuration file /etc/default/illumio-agent.
Setting | Default | Description
---|---|---
 | True | Indicates whether auto resize of the Conntrack table is required.
CONNTRACK_MAX | 1000000 | Maximum number of entries in the Conntrack table; the baseline value used as the starting point for automatic resizing.
CONNTRACK_HASH_SIZE | 256000 | Size of the Conntrack hash table; should be 25% of the CONNTRACK_MAX value.
Note
When you install a VEN on a Linux workload, this feature is enabled by default using the default values. If you customize the values in the illumio-agent configuration file before installing the VEN, the custom values will apply on installation. If you customize the values after installing the VEN, you must restart the VEN for the values to take effect at runtime.
Restrictions for VEN Adjustment
Customizing the VEN adjustment behavior has the following restrictions:
The value you set for CONNTRACK_HASH_SIZE should be 25% of the value of CONNTRACK_MAX.
You must set the values to 512 or higher. If you set a value below 512, the Linux kernel will automatically adjust the value to 512.