
Disabling the nf_conntrack Module

Skip this section if a container is used.

Purpose

Disable the nf_conntrack module if NAT is not used. The kernel's nf_conntrack module provides the connection tracking on which NAT depends. If NAT is not used, keeping nf_conntrack loaded consumes CPU unnecessarily and can even cause packet loss once the connection tracking table is full. Disabling the module in that case improves performance.

Procedure

  1. Open the blacklist.conf file.
    vim /etc/modprobe.d/blacklist.conf
    
  2. Press i to enter the insert mode and add the following content to the file:
    install nf_conntrack /bin/false
    blacklist nf_conntrack
    blacklist nf_conntrack_ipv6
    blacklist xt_conntrack
    blacklist nf_conntrack_ftp
    blacklist xt_state
    blacklist iptable_nat
    blacklist ipt_REDIRECT
    blacklist nf_nat
    blacklist nf_conntrack_ipv4
  3. Press Esc, type :wq!, and press Enter to save the file and exit.
  4. Restart the server to make the file take effect.
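The following shell script is an added example and is not part of the original guide. It applies the same blacklist entries as the procedure above, but idempotently (re-running it does not duplicate lines), and adds the two checks a practitioner would want around this change: before disabling, it scans `iptables-save` output for rules that rely on connection tracking or NAT (the guide's "NAT is used" condition, here assumed to mean `-m conntrack`, `-m state` or a `MASQUERADE`/`SNAT`/`DNAT`/`REDIRECT` target); after the reboot, it reads `lsmod` output to confirm `nf_conntrack` is no longer loaded. The target file path is a parameter so the script can be exercised against a temporary file.

```shell
#!/bin/sh
# Added example, not from the original guide: write the nf_conntrack blacklist
# idempotently and provide pre- and post-change checks.
# Assumptions: the target file is $1 (defaults to the guide's
# /etc/modprobe.d/blacklist.conf); MODULES mirrors the guide's list.

MODULES="nf_conntrack nf_conntrack_ipv6 xt_conntrack nf_conntrack_ftp xt_state iptable_nat ipt_REDIRECT nf_nat nf_conntrack_ipv4"

# Append the guide's lines only when they are not already present.
write_blacklist() {
    file="${1:-/etc/modprobe.d/blacklist.conf}"
    touch "$file" || return 1
    grep -qx 'install nf_conntrack /bin/false' "$file" || \
        printf 'install nf_conntrack /bin/false\n' >> "$file"
    for m in $MODULES; do
        grep -qx "blacklist $m" "$file" || printf 'blacklist %s\n' "$m" >> "$file"
    done
}

# Count how many of the guide's 10 entries a file contains.
count_entries() {
    file="$1"
    n=0
    grep -qx 'install nf_conntrack /bin/false' "$file" && n=$((n + 1))
    for m in $MODULES; do
        grep -qx "blacklist $m" "$file" && n=$((n + 1))
    done
    echo "$n"
}

# Pre-change check: read `iptables-save` output on stdin and print every rule
# that needs connection tracking or performs NAT. Any output means the
# blacklist must NOT be applied, because those rules would stop working.
rules_needing_conntrack() {
    grep -E -- '-m (conntrack|state)|-j (MASQUERADE|SNAT|DNAT|REDIRECT)'
}

# Post-reboot check: read `lsmod` output on stdin and print "yes" if
# nf_conntrack is still loaded, "no" otherwise.
conntrack_loaded() {
    if awk '$1 == "nf_conntrack" { found = 1 } END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# Typical use on the server (as root):
#   iptables-save | rules_needing_conntrack   # must print nothing
#   write_blacklist                           # then reboot
#   lsmod | conntrack_loaded                  # expect "no" after reboot
```

The `install nf_conntrack /bin/false` line matters more than the `blacklist` lines: `blacklist` only stops automatic loading by alias, whereas `install ... /bin/false` makes any explicit `modprobe nf_conntrack` (including one triggered by a dependent module) fail, which is why the guide includes both.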