Brian Haley <brian.haley@xxxxxxx> wrote: > Openstack networking creates virtual routers using namespaces for isolation > between users. VETH pairs are used to connect the interfaces on these > routers to different networks, whether they are internal (private) or > external (public). In most cases NAT is done inside the namespace as > packets move between the networks. > > I've seen cases where certain users are attacked, where the CT table is > filled such that we start seeing "nf_conntrack: table full, dropping packet" > messages (as expected). But other users continue to function normally, > unaffected. Is this still the case - each netns has some limit it can't > exceed? The limit is global, the accounting per namespace. If the bucket count (net.netfilter.nf_conntrack_buckets) is high enough to accomodate the expected load and noone can create arbitrary number of net namespaces things are fine. I haven't changed the way this works yet because I did not have a better idea so far. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
