使用sysctl修改nf_conntrack_bucket

使用sysctl修改nf_conntrack_bucket

背景

旧版本通过/sys/module/nf_conntrack/parameters/hashsize来修改，/proc/sys/net/netfilter/nf_conntrack_buckets下的参数是只读。目前发现在4.9内核下能直接修改/proc/sys/net/netfilter/nf_conntrack_buckets，以下为确认从哪个版本开始支持sysctl方式修改。

确认过程

1. 经过网上搜索找到了相关功能的commit地址。

commit地址：https://github.com/torvalds/linux/commit/3183ab8997a477c8d9ad175a1cef70dff77c6dbc

netfilter: conntrack: allow increasing bucket size via sysctl too
No need to restrict this to module parameter.

We export a copy of the real hash size -- when user alters the value we
allocate the new table, copy entries etc before we update the real size
to the requested one.

This is also needed because the real size is used by concurrent readers
and cannot be changed without synchronizing the conntrack generation
seqcnt.

We only allow changing this value from the initial net namespace.

Tested using http-client-benchmark vs. httpterm with concurrent

while true;do
 echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets
done

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1. 通过该commit地址确认了从kernel4.8开始支持。
2. 下载了kernel4.7最后一个版本及4.8.1版本，对比nf_conntrack-sysctl.txt的说明可以确认该参数已经从readonly修改为writable。

kernel 4.7.10

路径 \Documentation\networking\nf_conntrack-sysctl.txt

nf_conntrack_buckets - INTEGER (read-only)
    Size of hash table. If not specified as parameter during module
    loading, the default size is calculated by dividing total memory
    by 16384 to determine the number of buckets but the hash table will
    never have fewer than 32 and limited to 16384 buckets. For systems
    with more than 4GB of memory it will be 65536 buckets.

kernel 4.8.1

路径 \Documentation\networking\nf_conntrack-sysctl.txt

nf_conntrack_buckets - INTEGER
    Size of hash table. If not specified as parameter during module
    loading, the default size is calculated by dividing total memory
    by 16384 to determine the number of buckets but the hash table will
    never have fewer than 32 and limited to 16384 buckets. For systems
    with more than 4GB of memory it will be 65536 buckets.
    This sysctl is only writeable in the initial net namespace.