
Disabling nf_conntrack

Purpose

Disable the nf_conntrack module if network address translation (NAT) is not used. The kernel's nf_conntrack module implements NAT. If NAT is not used, a loaded nf_conntrack module causes unnecessary CPU consumption and can even cause packet loss when its table of tracked connections is full. Therefore, you can disable the nf_conntrack module to improve performance.

Procedure

  1. Open the /etc/modprobe.d/blacklist.conf file.
    vi /etc/modprobe.d/blacklist.conf
    
  2. Press i to enter insert mode and add the following parameters to the /etc/modprobe.d/blacklist.conf file:
    install nf_conntrack /bin/false
    blacklist nf_conntrack
    blacklist nf_conntrack_ipv6
    blacklist xt_conntrack
    blacklist nf_conntrack_ftp
    blacklist xt_state
    blacklist iptable_nat
    blacklist ipt_REDIRECT
    blacklist nf_nat
    blacklist nf_conntrack_ipv4
    
  3. Press Esc, type :wq!, and press Enter to save the file and exit.
  4. Restart the OS for the settings to take effect.
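The following script is an added example, not part of the original page or of the distribution's own tooling. It wraps the procedure above with the two checks a practitioner wants before and after the reboot: it confirms that no existing iptables rule depends on connection tracking or NAT (such rules silently stop matching once nf_conntrack cannot load, including any "RELATED,ESTABLISHED" stateful accept rule), it emits the exact blacklist lines from the page, and it parses lsmod to confirm the modules are no longer loaded after the restart. The iptables-save and lsmod excerpts embedded below are constructed samples so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page). Pre- and post-checks around
# blacklisting nf_conntrack. The sample inputs are constructed; on a real
# host pipe in the output of `iptables-save` and `lsmod` instead.

BLACKLIST_FILE=/etc/modprobe.d/blacklist.conf   # path used by the page

# Exactly the lines the page adds to blacklist.conf.
conntrack_blacklist_conf() {
    cat <<'EOF'
install nf_conntrack /bin/false
blacklist nf_conntrack
blacklist nf_conntrack_ipv6
blacklist xt_conntrack
blacklist nf_conntrack_ftp
blacklist xt_state
blacklist iptable_nat
blacklist ipt_REDIRECT
blacklist nf_nat
blacklist nf_conntrack_ipv4
EOF
}

# Reads iptables-save output on stdin. Returns 0 if any rule needs connection
# tracking (a nat table, state/conntrack matches, or NAT targets), else 1.
# Such rules stop working once nf_conntrack can no longer be loaded.
rules_need_conntrack() {
    grep -Eq '^\*nat$|-m (state|conntrack)|-j (MASQUERADE|SNAT|DNAT|REDIRECT)'
}

# Reads lsmod output on stdin and prints conntrack/NAT modules still loaded.
# Expected to print nothing after the reboot that applies the blacklist.
conntrack_modules_loaded() {
    awk 'NR > 1 && $1 ~ /^(nf_conntrack|nf_nat|xt_conntrack|xt_state|iptable_nat)/ { print $1 }'
}

# Constructed sample: a host that uses NAT and a stateful accept rule.
SAMPLE_RULES_NAT='*filter
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample: a host with only stateless rules (safe to blacklist).
SAMPLE_RULES_STATELESS='*filter
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed lsmod excerpt from a host where the module is still loaded.
SAMPLE_LSMOD='Module                  Size  Used by
nf_conntrack          172032  2 xt_conntrack,nf_nat
nf_nat                 53248  1 iptable_nat
ext4                  774144  1'

main() {
    if printf '%s\n' "$SAMPLE_RULES_STATELESS" | rules_need_conntrack; then
        echo "rules depend on conntrack/NAT; leave the module enabled"
    else
        echo "no conntrack-dependent rules; content for $BLACKLIST_FILE:"
        conntrack_blacklist_conf
        # conntrack_blacklist_conf > "$BLACKLIST_FILE"   # uncomment on a real host, then reboot
    fi
    echo "conntrack modules still loaded (run after reboot; should be empty):"
    printf '%s\n' "$SAMPLE_LSMOD" | conntrack_modules_loaded
}

main
```

On a live system replace the constructed samples with `iptables-save | rules_need_conntrack` before editing the file and `lsmod | conntrack_modules_loaded` after the reboot; a non-empty result from the second check means the blacklist did not take effect (for example because an initramfs still loads the module).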