From: Florian Westphal <fw@strlen.de>
To: xiangxia.m.yue@gmail.com
Cc: pablo@netfilter.org, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH net-next] netfilter: nf_conntrack: introduce conntrack limit per-zone
Date: Wed, 23 Oct 2019 12:31:17 +0200 [thread overview]
Message-ID: <20191023103117.GL25052@breakpoint.cc> (raw)
In-Reply-To: <1571288584-46449-1-git-send-email-xiangxia.m.yue@gmail.com>
xiangxia.m.yue@gmail.com <xiangxia.m.yue@gmail.com> wrote:
> nf_conntrack_max is used to limit the maximum number of
> conntrack entries in the conntrack table for every network
> namespace. For the containers that reside in the same namespace,
> they share the same conntrack table, and the total number of conntrack
> entries for all containers is limited by nf_conntrack_max.
> In this case, if one of the containers abuses the usage of the
> conntrack entries, it blocks the others from committing valid
> conntrack entries into the conntrack table.
>
> To address the issue, this patch adds a conntrack counter for zones
> and the max count each zone wants, so that no zone can consume
> all conntrack entries in the conntrack table.
>
> This feature can be used for openvswitch or iptables.
Your approach adds cost for everyone, plus a 256kbyte 'struct net'
increase.
openvswitch supports per zone limits already, using nf_conncount
infrastructure.
nftables supports it using ruleset (via 'ct count').
If you need support for iptables, consider extending xt_connlimit.c
instead -- looking at the code it might already do all that is needed
if userspace passes a 0-length mask for the ip address, i.e.
iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -m connlimit \
--connlimit-above 1000 --connlimit-mask 0 -j REJECT
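The nftables variant Florian refers to, written out as an added example (not part of the thread or of any submitted patch). It applies the same idea as the connlimit/mask-0 rule: one nf_conncount list per rule, so a rule per zone gives a per-zone cap with no change to nf_conntrack_max and no per-namespace table. The zone ids, the veth interface names and the 1000-connection limit are assumptions for illustration; the ruleset needs a kernel with nft_connlimit (the "ct count" expression) and an nft release that supports it.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: per-zone conntrack caps with nftables.
# Assumed for illustration: zone ids 1 and 2, uplinks veth-ctr1/veth-ctr2,
# and a cap of 1000 connections per zone.

table inet zonelimit {
    # Put each container's traffic in its own conntrack zone before the
    # conntrack hook runs (priority raw, -300, precedes conntrack at -200).
    chain assign_zone {
        type filter hook prerouting priority raw; policy accept;
        iif "veth-ctr1" ct zone set 1
        iif "veth-ctr2" ct zone set 2
    }

    # Cap each zone independently. "ct count" keeps one nf_conncount list
    # per rule; with no key it counts every connection that matched the
    # rule, so one rule per zone yields a per-zone limit. Only new
    # connections are tested, so established flows keep working once a
    # zone is at its cap; excess attempts are counted and dropped.
    chain limit_zone {
        type filter hook prerouting priority filter; policy accept;
        ct state new ct zone 1 ct count over 1000 counter drop
        ct state new ct zone 2 ct count over 1000 counter drop
    }
}
```

Load with `nft -f zonelimit.nft` and watch `nft list chain inet zonelimit limit_zone` to see the drop counters move once a zone hits its cap; `conntrack -L -z 1` shows the entries actually tracked in zone 1. Note that this caps connections a zone may hold, not the table as a whole, so nf_conntrack_max still needs to be large enough for the sum of all per-zone limits plus anything outside a zone.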
Thread overview: 4+ messages
2019-10-17 5:03 [PATCH net-next] netfilter: nf_conntrack: introduce conntrack limit per-zone xiangxia.m.yue
2019-10-23 10:31 ` Florian Westphal [this message]
2019-10-23 10:57 ` Tonghao Zhang
2019-10-23 11:07 ` Florian Westphal