From 397565ab1d074dd1b7c74fd8550dbedbdbbc9002 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Fri, 6 Oct 2017 13:29:04 -0400
Subject: [PATCH] nameserver: Double max amount of concurrent connections

I observed an unintentional DoS on ns1.front last night right as most of the nightly scheduled jobs started up. Lots of "nf_conntrack: table full, dropping packet" messages in the syslog. Doubling it should be safe.

Signed-off-by: David Galloway
---
 roles/nameserver/tasks/config.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/nameserver/tasks/config.yml b/roles/nameserver/tasks/config.yml
index 90fbcde0..c1305393 100644
--- a/roles/nameserver/tasks/config.yml
+++ b/roles/nameserver/tasks/config.yml
@@ -25,3 +25,10 @@
 name: named_write_master_zones
 state: yes
 persistent: yes
+
+# Helps prevent accidental DoS
+- name: Double maximum configured connections
+ sysctl:
+ name: net.nf_conntrack_max
+ value: 131072
+ state: present
-- 
2.47.3
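Review bot: The `net.nf_conntrack_max` key only exists once the nf_conntrack module is loaded, so the added `sysctl` task fails with a missing-key error on a host where that module is not yet loaded (and `sysctl -p` replaying /etc/sysctl.conf at boot hits the same problem), so the role should load the module first (e.g. a `modprobe` task for `nf_conntrack`) or guard this task; the hard-coded `131072` is also presumably double only the RAM-derived default observed on ns1.front, not a "double" on every host, so a variable would make the task name honest. Raising the ceiling merely postpones the failure mode the commit message describes: a deliberate UDP flood at a nameserver fills 131072 entries about as readily as 65536, and `net.netfilter.nf_conntrack_buckets` is not scaled with it, so longer hash chains are the trade-off. Consider exempting port 53 from connection tracking (raw-table NOTRACK) or shortening the UDP conntrack timeouts alongside this — the firewall config is not visible here, so that may already be handled. I would at least add `sysctl_set: yes` so the live kernel value is verified rather than only the file, and widen the comment to `# Helps prevent accidental DoS; does not stop a deliberate flood (see NOTRACK for port 53)`.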