Chris Dzombak

Setting net.netfilter.nf_conntrack_max on Ubuntu 22.04

On one server I manage, the default net.netfilter.nf_conntrack_max value (65536, IIRC) was not sufficient and I wanted to increase it substantially.

The first thing I did was add a new file in /etc/sysctl.d:

# /etc/sysctl.d/91-cdz-nf_conntrack.conf

net.netfilter.nf_conntrack_max=196608

However, this didn’t seem to apply the new setting when I rebooted the server. Per this ServerFault discussion, this is because the settings from /etc/sysctl.d are applied too early — before the nf_conntrack module is loaded, so the net.netfilter.nf_conntrack_max key does not yet exist under /proc/sys when systemd-sysctl runs.

That discussion also contains a solution: add a udev rule to run the sysctl in question when the module is loaded. So, in addition to my configuration in /etc/sysctl.d, I added a second new file, /etc/udev/rules.d/91-cdz-nf_conntrack.rules:

# /etc/udev/rules.d/91-cdz-nf_conntrack.rules

ACTION=="add", SUBSYSTEM=="module", KERNEL=="nf_conntrack", \
  RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/net/netfilter/nf_conntrack_max"

I particularly like that this solution still uses the settings from sysctl.d in “the right way,” doesn’t duplicate any actual settings into /etc/udev/rules.d, and doesn’t otherwise interfere with however the system loads modules.
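Because a setting that silently fails to apply is easy to miss, here is an added verification script (my own example, not part of the original post) that reads the value configured in the sysctl.d drop-in, compares it with what the kernel is actually using, and reports how full the conntrack table is; a full table makes the kernel drop new connections, which is exactly the failure the larger limit is meant to prevent. All file paths are function parameters so the checks can be run against constructed files; the `--live` mode uses the drop-in path from this post and the real /proc/sys files.

```shell
#!/bin/sh
# Added example: confirm an /etc/sysctl.d value for nf_conntrack_max is live
# and report conntrack table usage. Paths are parameters for testability.

# desired_value CONF KEY
#   Print the last value assigned to KEY in a sysctl.d-style file. Accepts
#   "key=value", "key = value" and the "-key=value" form; comments are ignored.
desired_value() {
  conf=$1; key=$2
  sed -n -e 's/[#;].*$//' -e 's/^[[:space:]]*-\{0,1\}//' \
      -e "s/^${key}[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*$/\1/p" "$conf" \
    | tail -n 1
}

# live_value PROCFILE
#   Print the kernel's current value, or "missing" when the key does not exist,
#   which is what you see while the nf_conntrack module is not loaded.
live_value() {
  if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# check_applied CONF KEY PROCFILE
#   Exit 0 when the live value equals the configured one, 1 otherwise.
check_applied() {
  want=$(desired_value "$1" "$2")
  have=$(live_value "$3")
  if [ -n "$want" ] && [ "$want" = "$have" ]; then
    echo "ok: $2=$have"
    return 0
  fi
  echo "MISMATCH: $2 configured='$want' live='$have'" >&2
  return 1
}

# headroom_pct COUNTFILE MAXFILE
#   Print the integer percentage of the conntrack table in use. When this
#   approaches 100 the kernel logs "nf_conntrack: table full, dropping packet".
headroom_pct() {
  count=$(cat "$1"); max=$(cat "$2")
  [ "$max" -gt 0 ] 2>/dev/null || { echo "n/a"; return 1; }
  echo $(( count * 100 / max ))
}

# Live mode: run the checks against the real kernel files (paths from the post).
if [ "${1:-}" = "--live" ]; then
  check_applied /etc/sysctl.d/91-cdz-nf_conntrack.conf \
    net.netfilter.nf_conntrack_max /proc/sys/net/netfilter/nf_conntrack_max
  echo "conntrack table usage: $(headroom_pct \
    /proc/sys/net/netfilter/nf_conntrack_count \
    /proc/sys/net/netfilter/nf_conntrack_max)%"
fi
```

Run it as `sh check-conntrack.sh --live` after a reboot; a MISMATCH line (or a live value of "missing") is the symptom described above, and a usage percentage near 100 is the signal that the limit itself is still too low.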

No idea why Ubuntu doesn’t ship such a rule by default; having a setting that works when you run sysctl -w manually but not when you put it in /etc/sysctl.d is a surprising behavior.