Analyzer sys-nf-conntrack

Name

sys-nf-conntrack - current config of nf_conntrack and its recommended values

This analyzer collects the current nf_conntrack values and calculates the recommended configuration values based on the system resources (memory size, current table usage, and table-full events in dmesg).

Resource Category

Network I/O.

Application Type & Technical Stack

  • All

Command Line Syntax

The analyzer can be invoked directly on the command-line via the orxray utility from the openresty-xray-cli software package.

Alternatively, the analyzer can also be invoked manually or automatically on the web console UI of OpenResty XRay (like on the Advanced web page).

# PID is the target process PID.
orxray analyzer run sys-nf-conntrack -p PID

# trace a shell command directly
orxray analyzer run sys-nf-conntrack -c SHELL_CMD

# PGID is the process group ID or any process's PID within the target process
# group.
orxray analyzer run sys-nf-conntrack -p -PGID

# trace any processes started from the specified executable path.
orxray analyzer run sys-nf-conntrack --exe /path/to/exe/file

Tracing Multiple Processes

Supported.

Output Formats

  • Tables
  • Plain Texts

Output Example

[
  {
    "type": "table",
    "title": "nf_conntracek System Check Report",
    "subtitle": "Current and the recommend values",
    "data": [
      [ "Metric", "Current", "Recommended", "Status" ],
      [ "Current entries (max)", 8, "-", "-" ],
      [ "Max entries (max)", 262144, 4082112, "OK (<60%)" ],
      [ "Hash buckets", 262144, 1020528, "-" ],
      [ "Usage", "0%", "<60%", "OK (<60%)" ],
      [ "dmesg table full hits", 0, 0, "OK - no drops" ],
      [ "System memory", "63783 MB", "-", "-" ]
    ]
  },
  {
    "type": "table",
    "title": "TCP Timeouts",
    "subtitle": "Current and recommended values",
    "data": [
      [ "Parameter", "Current (s)", "Recommended (s)", "Note" ],
      [ "nf_conntrack_tcp_timeout_established", 432000, 600, "Most impactful on table capacity" ],
      [ "nf_conntrack_tcp_timeout_time_wait", 120, 30, "Fast TIME_WAIT recycle" ],
      [ "nf_conntrack_tcp_timeout_close_wait", 60, 30, "Passive close" ],
      [ "nf_conntrack_tcp_timeout_fin_wait", 120, 30, "Active close FIN" ],
      [ "nf_conntrack_tcp_timeout_close", 10, 10, "Both sides closed" ],
      [ "nf_conntrack_tcp_timeout_syn_sent", 120, 10, "Prevent SYN backlog" ],
      [ "nf_conntrack_tcp_timeout_syn_recv", 60, 10, "Prevent SYN flood buildup" ],
      [ "nf_conntrack_tcp_timeout_last_ack", 30, 10, "Last ACK wait" ]
    ]
  },
  {
    "type": "table",
    "title": "UDP / ICMP / Other Timeouts",
    "subtitle": "Current and recommended values",
    "data": [
      [ "Parameter", "Current (s)", "Recommended (s)", "Note" ],
      [ "nf_conntrack_udp_timeout", 30, 20, "Generic UDP" ],
      [ "nf_conntrack_udp_timeout_stream", 120, 60, "Bidirectional UDP stream" ],
      [ "nf_conntrack_icmp_timeout", 30, 5, "ICMP" ],
      [ "nf_conntrack_generic_timeout", 600, 60, "Other protocols" ]
    ]
  },
  {
    "type": "table",
    "title": "Recommended Configuration",
    "subtitle": "Current and recommended values",
    "data": [
      [ "command" ],
      [ "# Write to /etc/sysctl.d/99-conntrack.conf and apply:\nnet.netfilter.nf_conntrack_max = 4082112\nnet.netfilter.nf_conntrack_buckets = 1020528\nnet.netfilter.nf_conntrack_tcp_timeout_established = 600\nnet.netfilter.nf_conntrack_tcp_timeout_time_wait = 30\nnet.netfilter.nf_conntrack_tcp_timeout_close_wait = 30\nnet.netfilter.nf_conntrack_tcp_timeout_fin_wait = 30\nnet.netfilter.nf_conntrack_tcp_timeout_close = 10\nnet.netfilter.nf_conntrack_tcp_timeout_syn_sent = 10\nnet.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10\nnet.netfilter.nf_conntrack_tcp_timeout_last_ack = 10\nnet.netfilter.nf_conntrack_udp_timeout = 20\nnet.netfilter.nf_conntrack_udp_timeout_stream = 60\nnet.netfilter.nf_conntrack_icmp_timeout = 5\nnet.netfilter.nf_conntrack_generic_timeout = 60\n" ],
      [ "# Run sysctl -p to apply config\nsysctl -p /etc/sysctl.d/99-conntrack.conf\n" ]
    ]
  }
]
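As an added illustration (not the analyzer's own code), the script below reproduces the sizing and status logic behind the report above. The 64-entries-per-MB and 4-entries-per-bucket ratios are assumptions inferred from the output example (63783 MB gives 4082112 entries and 1020528 buckets), the 60% usage threshold comes from the Status column, and the dmesg lines are constructed sample input.

```python
"""Reproduce the nf_conntrack sizing and status checks shown in the report."""
import re

# Ratios inferred from the output example above; an assumption, not the
# analyzer's published formula.
ENTRIES_PER_MB = 64
ENTRIES_PER_BUCKET = 4
USAGE_WARN_PCT = 60

# Kernel log line written when the conntrack table overflows and drops packets.
TABLE_FULL_RE = re.compile(r"nf_conntrack: table full, dropping packet")


def recommend_limits(mem_mb: int) -> dict:
    """Size nf_conntrack_max and hash buckets from system RAM in MB."""
    max_entries = mem_mb * ENTRIES_PER_MB
    return {"max": max_entries, "buckets": max_entries // ENTRIES_PER_BUCKET}


def usage_status(count: int, max_entries: int) -> tuple:
    """Return (usage percent, status string) for the current table fill level."""
    pct = 100 * count // max_entries if max_entries else 100
    if pct < USAGE_WARN_PCT:
        return pct, f"OK (<{USAGE_WARN_PCT}%)"
    return pct, f"WARN (>={USAGE_WARN_PCT}%)"


def count_table_full(dmesg_text: str) -> int:
    """Count 'table full' events in dmesg output; each one means dropped packets."""
    return sum(1 for line in dmesg_text.splitlines() if TABLE_FULL_RE.search(line))


def read_sysctl(name: str, root: str = "/proc/sys/net/netfilter") -> int:
    """Read one nf_conntrack sysctl from /proc (raises if the module is not loaded)."""
    with open(f"{root}/{name}") as f:
        return int(f.read().strip())


# Constructed sample dmesg output (not captured from a real host).
SAMPLE_DMESG = """\
[ 1234.567890] nf_conntrack: table full, dropping packet
[ 1234.567900] nf_conntrack: table full, dropping packet
[ 1300.000000] eth0: link up
"""

if __name__ == "__main__":
    print(recommend_limits(63783))   # {'max': 4082112, 'buckets': 1020528}
    print(usage_status(8, 262144))   # (0, 'OK (<60%)')
    print(count_table_full(SAMPLE_DMESG))  # 2
```

On a live host, replace the constructed values with read_sysctl("nf_conntrack_count") and read_sysctl("nf_conntrack_max") and feed the real dmesg output to count_table_full.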

Author

The OpenResty Inc. Team.

Copyright (C) by OpenResty Inc. All rights reserved.