From: Florian Westphal <fw@strlen.de>
To: Vasily Averin <vvs@openvz.org>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, kernel@openvz.org
Subject: Re: troubles caused by conntrack overlimit in init_netns
Date: Sat, 2 Apr 2022 13:11:57 +0200 [thread overview]
Message-ID: <20220402111157.GD28321@breakpoint.cc> (raw)
In-Reply-To: <de70cc55-6c11-d772-8b08-e8994fd934a0@openvz.org>
Vasily Averin <vvs@openvz.org> wrote:
> There is an old issue with conntrack limit on multi-netns (read container) nodes.
>
> Any connection to containers hosted on the node creates a conntrack in init_netns.
> If the number of conntrack in init_netns reaches the limit, the whole node becomes
> unavailable.
Right, from inet_net p.o.v. connections coming from container netns is
no different from different physical host on pyhsical network.
> To avoid it OpenVz had special patches disabled conntracks on init_ns on openvz nodes,
> but this automatically limits the functionality of host's firewall.
>
> This has been our specific pain for many years, however, containers are now
> being used much more widely than before, and the severity of the described problem
> is growing more and more.
>
> Do you know perhaps some alternative solution?
If you need conntrack in init_net, then no.
If you don't (or only for connections that won't be rerouted to
container netns) you could -j NOTRACK traffic coming from/going to
container.
But, why do you need conntrack in the container netns?
Normally I'd expect that if packet was already handled in init_net,
why re-run skb through conntrack again?
next prev parent reply other threads:[~2022-04-02 11:12 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-02 10:33 troubles caused by conntrack overlimit in init_netns Vasily Averin
2022-04-02 11:11 ` Florian Westphal [this message]
2022-04-02 13:00 ` Nikita Yushchenko
2022-04-04 7:59 ` Vasily Averin
2022-04-02 17:12 ` Eric Dumazet
2022-04-02 18:32 ` Vasily Averin
2022-04-02 18:50 ` Eric Dumazet
2022-04-02 19:52 ` Vasily Averin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220402111157.GD28321@breakpoint.cc \
--to=fw@strlen.de \
--cc=kernel@openvz.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=vvs@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.