gw-jp: Add sysctl net.nf_conntrack_max

docs/services/gateway-jp.md

@@ -2,8 +2,24 @@
 
 !!! info "This page is currently a stub."
 
-## iptables
+## Network configuration
+
+### iptables
 
 See [Gateway NIC](gateway-nic.md#iptables)
 
 Blacklists are also managed with `ipset`, see `/root/iptables`.
+
+### sysctl
+
+When first applying iptables rules, we experienced severe performance degradation. Dmesg was flooded with messages like this:
+
+```text
+nf_conntrack: nf_conntrack: table full, dropping packet
+```
+
+So we increased this sysctl setting:
+
+```shell title="/etc/sysctl.d/00-ustclug.conf"
+net.nf_conntrack_max = 262144
+```

docs/services/gateway-nic.md

@@ -307,7 +307,7 @@ PartOf=netfilter-persistent.service
 
 ### ustclug.org issue {#unregistered-domain-traffic}
 
-To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for `ustclug.org`, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to response to the requests for `lug.ustc.edu.cn` only, and rejecting the handshake for any other domain.
+To mitigate the issue of the complaints from ISPs and the regulation authorities caused by the gateways in USTCnet responding to the requests for `ustclug.org`, which is a unregistered domain in China MIIT, we make nginx listen on an alternative port 81/444 for HTTP and HTTPS respectively, to respond to requests for `lug.ustc.edu.cn` only, and rejecting the handshake for any other domain.
 
 ``` title="/etc/nginx/sites-available/default"
 server {
@@ -331,4 +331,4 @@ We use iptables to redirect any traffic from outside USTCnet whose destination i
 -A NGINX-REDIRECT -m set --match-set ustcnet src -j RETURN
 -A NGINX-REDIRECT -p tcp --dport 80 -j REDIRECT --to-port 81
 -A NGINX-REDIRECT -p tcp --dport 443 -j REDIRECT --to-port 444
-```
+```