7.4.2.2. Using conntrack Rules and NAT Tables

By default, the NAT table and conntrack rules are disabled in containers and cannot be used there even if the corresponding modules are loaded on the server. To allow a container to use them, run prlctl set <CT_name> --netfilter full. For example, for the container MyCT:

# prlctl set MyCT --netfilter full

To limit the maximum number of conntrack slots available for each container on the hardware node, set the net.netfilter.nf_conntrack_max variable. For example:

# sysctl -w net.netfilter.nf_conntrack_max=50000

The value of net.netfilter.nf_conntrack_max cannot exceed the value of net.nf_conntrack_max.
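As an added example that is not part of the original documentation, the following POSIX shell script checks a requested per-container limit against net.nf_conntrack_max before running the two commands above; the DRY_RUN variable, the sysctl_value helper and the sample sysctl listing are constructed for illustration, and prlctl and sysctl are assumed to be on PATH when run for real.

```shell
#!/bin/sh
# Added example (not from the Virtuozzo documentation): validate a requested
# per-container conntrack limit against the node-wide cap before applying it.
# Set DRY_RUN=1 to print the prlctl/sysctl commands instead of running them.

# Read a sysctl key's value from a "key = value" listing on stdin
# (the format `sysctl -a` prints); prints nothing if the key is absent.
sysctl_value() {
    awk -v k="$1" -F' = ' '$1 == k { print $2; exit }'
}

# check_conntrack_limit REQUESTED GLOBAL_MAX
# Returns 0 when REQUESTED is a positive integer not above GLOBAL_MAX,
# 1 otherwise, because net.netfilter.nf_conntrack_max cannot exceed
# net.nf_conntrack_max.
check_conntrack_limit() {
    requested="$1"; global_max="$2"
    case "$requested" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$requested" -gt 0 ] && [ "$requested" -le "$global_max" ]
}

# apply_container_netfilter CT REQUESTED SYSCTL_LISTING
# Enables full netfilter mode for CT and sets the per-container slot limit,
# refusing to exceed the node cap found in SYSCTL_LISTING.
apply_container_netfilter() {
    ct="$1"; requested="$2"; listing="$3"
    global_max=$(printf '%s\n' "$listing" | sysctl_value net.nf_conntrack_max)
    if [ -z "$global_max" ]; then
        echo "net.nf_conntrack_max not found; is nf_conntrack loaded?" >&2
        return 2
    fi
    if ! check_conntrack_limit "$requested" "$global_max"; then
        echo "refusing: $requested exceeds net.nf_conntrack_max=$global_max" >&2
        return 1
    fi
    run="${DRY_RUN:+echo}"
    $run prlctl set "$ct" --netfilter full
    $run sysctl -w "net.netfilter.nf_conntrack_max=$requested"
}

# Constructed sample of `sysctl -a` output for offline use.
SAMPLE_SYSCTL='net.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_max = 65536
net.netfilter.nf_conntrack_count = 1203'

DRY_RUN=1
apply_container_netfilter MyCT 50000 "$SAMPLE_SYSCTL"
```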

Note: Even if a container is under a DoS attack and all its conntrack slots are in use, other containers are not affected and can still create as many connections as set in net.netfilter.nf_conntrack_max.