Where is the correct place to set net.netfilter.nf_conntrack_buckets?

Solution 1:

I think that sysctl parameter is for viewing only. You'll want to use the /sys/module/nf_conntrack/parameters/hashsize interface for runtime changes, and the hashsize module option to set it during initial module load.

You'd want an entry in a /etc/modprobe.d/ file that looks something like this:

options nf_conntrack hashsize=XXXXX
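The two interfaces named in Solution 1 can be compared to confirm that a persistent setting is the one in effect. The following is an added example, not part of the original answer; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the answers on this page). Function names are hypothetical.
# Paths are arguments so the check also runs against copied or sample files.

# Print the hashsize= value from the last "options nf_conntrack" line found
# in DIR/*.conf (glob order); print nothing when no such option is set.
configured_hashsize() {
    dir=${1:-/etc/modprobe.d}
    cat "$dir"/*.conf 2>/dev/null | awk '
        $1 == "options" && $2 == "nf_conntrack" {
            for (i = 3; i <= NF; i++)
                if ($i ~ /^hashsize=[0-9]+$/) { split($i, kv, "="); v = kv[2] }
        }
        END { if (v != "") print v }'
}

# Print the value the loaded module reports; print nothing if unreadable.
runtime_hashsize() {
    f=${1:-/sys/module/nf_conntrack/parameters/hashsize}
    [ -r "$f" ] && tr -d '[:space:]' < "$f"
    return 0
}

# Returns 0 on match, 1 on mismatch, 2 when either value is unknown.
check_hashsize() {
    want=$(configured_hashsize "$1")
    have=$(runtime_hashsize "$2")
    if [ -z "$want" ] || [ -z "$have" ]; then
        echo "unknown: configured='${want}' runtime='${have}'"
        return 2
    fi
    if [ "$want" -ne "$have" ]; then
        echo "mismatch: modprobe.d says $want, module is using $have"
        return 1
    fi
    echo "ok: hashsize=$have"
}

# Constructed sample input (not from a real host) so the check runs offline.
demo=$(mktemp -d)
mkdir "$demo/modprobe.d"
echo 'options nf_conntrack hashsize=262144' > "$demo/modprobe.d/conntrack.conf"
echo 16384 > "$demo/hashsize"
check_hashsize "$demo/modprobe.d" "$demo/hashsize" || true
rm -rf "$demo"
```

On a live host, call `check_hashsize` with no arguments to use the real paths. A runtime value slightly above the configured one can come from the kernel rounding the request up when it sizes the table.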

Solution 2:

Further to Andrew B's answer:

For some reason, the RHEL documentation recommends putting an executable shell script with the .modules extension, named something like nf_conntrack_hashsize.modules, into /etc/sysconfig/modules instead. I have no idea why. Contents would look like:

#!/bin/sh
exec /sbin/modprobe nf_conntrack hashsize=262144