Page MenuHomeVyOS Platform
Create Task
Maniphest T7208

Some sysctl options like nf_conntrack_buckets are different between a clean install and the first reboot
Closed, ResolvedPublicBUG
Actions

Description

Some sysctl options like nf_conntrack_buckets are diffrent between a clean install and the first reboot of installed system
To reproduce, install a clean image, reboot the system, check the sysctl option, and reboot again.
After the reboot of loaded system, we got a different value for the net.netfilter.nf_conntrack_buckets

Before and after reboot:

vyos@vyos:~$ sysctl net.netfilter.nf_conntrack_buckets
net.netfilter.nf_conntrack_buckets = 65536
vyos@vyos:~$ 
vyos@vyos:~$ reboot now

vyos@vyos:~$ sysctl net.netfilter.nf_conntrack_buckets
net.netfilter.nf_conntrack_buckets = 32768
vyos@vyos:~$

In other cases, I saw even worse changes

# before reboot
net.netfilter.nf_conntrack_buckets = 262144

# after reboot
net.netfilter.nf_conntrack_buckets = 32768

There is no conntrack or sysctl configuration:

vyos@r14:~$ show conf com | match "sysctl|connt"
vyos@r14:~$

Details

Version
VyOS 1.5-rolling-202502280648, 1.4.1
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

Viacheslav created this task.Feb 28 2025, 11:21 AM
Viacheslav triaged this task as High priority.
pasik subscribed.Feb 28 2025, 1:43 PM
c-po raised the priority of this task from High to Urgent!.Feb 28 2025, 1:44 PM
c-po added a project: VyOS 1.5 Circinus.
Apachez subscribed.Mar 3 2025, 9:25 PM
c-po claimed this task.Mar 5 2025, 10:54 AM
Fabse subscribed.Mar 6 2025, 10:32 AM
syncer removed a project: VyOS 1.5 Circinus.Mar 6 2025, 10:33 PM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.3), VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta (1.4.2).Mar 12 2025, 5:51 PM
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
Fabse added a comment.Mar 13 2025, 7:29 AM

Hey guys. Is there any reason why this issue was changed from "possibly destroys the router" (which is true if using conntrack and rebooting the system) to => perfectly compatible?

syncer removed a project: VyOS 1.5 Circinus.Apr 14 2025, 1:16 AM
dmbaturin subscribed.May 21 2025, 3:32 PM

@Fabse That field is for the compatibility implications of the change for the purpose of backport decisions and release notes. This is a bug, so a fix that restores correct behavior has no compatibility implications — it will just make the system work as it was always expected to work, so it will be safe to backport to any releases and will not require the user to take any action.

c-po added a comment.EditedJun 3 2025, 2:26 PM

Different values originate from the Kernel source code depending on the actual available amount of system memory:

  • min value 1024
  • up to 4GB RAM 65536
  • more then 4GB RAM 262144
if (!nf_conntrack_htable_size) {
        nf_conntrack_htable_size
                = (((nr_pages << PAGE_SHIFT) / 16384)
                   / sizeof(struct hlist_head));
        if (BITS_PER_LONG >= 64 &&
            nr_pages > (4 * (1024 * 1024 * 1024 / PAGE_SIZE)))
                nf_conntrack_htable_size = 262144;
        else if (nr_pages > (1024 * 1024 * 1024 / PAGE_SIZE))
                nf_conntrack_htable_size = 65536;

        if (nf_conntrack_htable_size < 1024)
                nf_conntrack_htable_size = 1024;
        /* Use a max. factor of one by default to keep the average
         * hash chain length at 2 entries.  Each entry has to be added
         * twice (once for original direction, once for reply).
         * When a table size is given we use the old value of 8 to
         * avoid implicit reduction of the max entries setting.
         */
        max_factor = 1;
}

In addition sysctl net.netfilter.nf_conntrack_buckets relates to /sys/module/nf_conntrack/parameters/hashsize

Which now all boils down to:

vyos@vyos:~$ cat /etc/modprobe.d/vyatta_nf_conntrack.conf
# Autogenerated by system_conntrack.py
options nf_conntrack hashsize=32768

which is rendered on system startup by https://github.com/vyos/vyos-1x/blob/a26d3fcd3cb76d6cd56081c3eed6aad56a91563a/src/init/vyos-router#L504

The reason this only appears on the second reboot is that the file is generated during first boot, but the values only apply to conntrack module load on the next reboot. Instead of defining the hashsize during module load - it can be set during runtime, too in /sys/module/nf_conntrack/parameters/hashsize.

So all works as expected - it`s a bug anyway.

c-po changed the task status from Open to In progress.Jun 3 2025, 2:38 PM
c-po added a project: VyOS 1.5 Circinus (1.5-stream-2025-Q2).
c-po added a comment.Jun 7 2025, 7:41 AM

https://github.com/vyos/vyos-1x/pull/4548

c-po mentioned this in rVYOSONEX08421b277b1f: conntrack: T7208: nf_conntrack_buckets defaults and behavior.Jun 9 2025, 11:11 AM
Restricted Repository Identity mentioned this in rVYOSONEX34b07a49c052: Merge pull request #4548 from c-po/T7202-conntrack.Jun 9 2025, 11:11 AM
c-po closed this task as Resolved.Jun 10 2025, 3:29 PM
c-po moved this task from Need Triage to Completed on the VyOS Rolling board.
c-po moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.3) board.
c-po moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q2) board.
dmbaturin mentioned this in 1.4.3.Jul 17 2025, 8:18 AM
syncer renamed this task from Some sysctl options like nf_conntrack_buckets are diffrent between clean install and the first reboot to Some sysctl options like nf_conntrack_buckets are different between a clean install and the first reboot.Jul 17 2025, 12:36 PM