Disable conntrack on proxies

quentinmit · quentinmit · commit fdd75f6089c5 · 2020-03-04T17:32:41.000-05:00
diff --git a/ansible/files/conntrack b/ansible/files/conntrack
@@ -0,0 +1,4 @@
+[fw_conntrack]
+command /bin/false
+[fw_forwarded_local]
+command /bin/false
diff --git a/ansible/roles/proxy-network/tasks/main.yml b/ansible/roles/proxy-network/tasks/main.yml
@@ -41,7 +41,4 @@
       net.ipv4.tcp_max_tw_buckets = 262144
       # Allow reusing a 5-tuple in TIME_WAIT for new connections
       net.ipv4.tcp_tw_reuse = 1
-      # Maximum number of connections netfilter is tracking
-      # TODO: Why are we using conntrack at all?
-      net.netfilter.nf_conntrack_max = 8388608
   notify: apply sysctl
diff --git a/ansible/scripts-proxy.yml b/ansible/scripts-proxy.yml
@@ -8,6 +8,10 @@
       name:
         - open-vm-tools
       state: present
+  - name: Disable Munin conntrack plugins
+    copy:
+      dest: /etc/munin/plugin-conf.d/
+      src: files/conntrack
   roles:
     - ansible-config-me
     - k5login
