From 4816adb6bafa53a191a07347635bfc7e8dd57c49 Mon Sep 17 00:00:00 2001
From: Evangelos Foutras <evangelos@foutrelis.com>
Date: Mon, 3 Oct 2022 06:30:28 +0300
Subject: [PATCH] common: bump nf_conntrack_max to 256k on redirect

The traffic hitting ping.archlinux.org has lately been exhausting its
default nf_conntrack_max limit of 64k. Bump it to 256k (which is also
the default limit found on systems with more than 4G of memory).

Suggested-by: Kristian Klausen <kristian@klausen.dk>
---
 host_vars/redirect.archlinux.org/misc | 3 +++
 roles/common/tasks/main.yml           | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/host_vars/redirect.archlinux.org/misc b/host_vars/redirect.archlinux.org/misc
index 8056762cb..f33e80c00 100644
--- a/host_vars/redirect.archlinux.org/misc
+++ b/host_vars/redirect.archlinux.org/misc
@@ -4,3 +4,6 @@ wireguard_public_key: n11Ps2sc0Cxsi1sLaYFq7dkhlDtTnOZCGovRYbzDGR8=
 
 ipv4_address: "95.216.195.133"
 ipv6_address: "2a01:4f9:c010:2636::1"
+
+# The default limit of 65536 is too small to handle ping.archlinux.org traffic
+nf_conntrack_max: 262144
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index da928cfbe..79ab632e7 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -76,6 +76,14 @@
     sysctl_file: /etc/sysctl.d/net.conf
   when: tcp_wmem is defined
 
+- name: Configure size of connection tracking table
+  sysctl:
+    name: net.netfilter.nf_conntrack_max
+    value: "{{ nf_conntrack_max }}"
+    sysctl_set: true
+    sysctl_file: /etc/sysctl.d/net.conf
+  when: nf_conntrack_max is defined
+
 - name: Create drop-in directories for systemd configuration
   file: path=/etc/systemd/{{ item }}.d state=directory owner=root group=root mode=0755
   loop:
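Review bot: The key `net.netfilter.nf_conntrack_max` written by the new task only exists while the nf_conntrack module is loaded, so the live `sysctl_set: true` write and the entry persisted to `/etc/sysctl.d/net.conf` can both fail on a host, or at a boot, where conntrack has not been loaded yet; the `when: nf_conntrack_max is defined` guard does not cover that case. If the role does not already ensure the module is loaded before systemd-sysctl runs (for example via a modules-load.d entry), it may be worth adding that, or at least recording the ordering assumption with a comment on the task such as `# requires the nf_conntrack module to be loaded; the sysctl key is absent otherwise`. Raising the maximum alone also leaves the hash bucket count (`net.netfilter.nf_conntrack_buckets`) as the kernel sized it at module load, so on a host that regularly approaches the limit it is worth checking that value too rather than assuming it scales with the new maximum. The task list this hunk sits in continues on both sides of the hunk.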
-- 
GitLab