From: Gregory Rose
Subject: Re: [PATCH net-next 2/2] openvswitch: Support conntrack zone limit
Date: Wed, 18 Apr 2018 08:05:05 -0700
Message-ID: <3db148a6-034d-d2f4-ae59-5ef97d1a1dda@gmail.com>
References: <1523902550-10767-1-git-send-email-yihung.wei@gmail.com> <1523902550-10767-3-git-send-email-yihung.wei@gmail.com> <4ac1904b-043f-faaf-043d-0a3c68da8c88@gmail.com>
To: Yi-Hung Wei
Cc: netdev@vger.kernel.org

On 4/17/2018 5:30 PM, Yi-Hung Wei wrote:
>> s/to commit/from committing/
>> s/entry/entries/
> Thanks, will fix that in both patches in v2.
>
>
>> I think this is a great idea but I suggest porting to the iproute2 package
>> so everyone can use it. Then get rid of the OVS specific prefixes.
>> Presuming of course that the conntrack connection limit backend works
>> there as well I guess. If it doesn't, then I'd suggest extending it.
>> This is a nice feature for all users in my opinion and then OVS can
>> take advantage of it as well.
> Thanks for the comment. And yes, I think currently, iptables' connlimit
> extension does support limiting the # of connections. Users need to
> configure the zone properly, and the iptables' connlimit extension is
> using netfilter's nf_conncount backend already.
>
> The main goal for this patch is to utilize the netfilter backend
> (nf_conncount) to count and limit the number of connections. OVS needs
> the proposed OVS_CT_LIMIT netlink API and the corresponding bookkeeping
> data structure because the current nf_conncount backend only counts
> the # of connections, but it does not keep track of the connection
> limit in nf_conncount.
>
> Thanks,
>
> -Yi-Hung

Thanks, Yi-Hung, I figured I was just missing something there. I appreciate
the explanation.

- Greg