On 05/05/2016 04:54 PM, Florian Westphal wrote:
Brian Haley <brian.haley@xxxxxxx> wrote:
Openstack networking creates virtual routers using namespaces for isolation
between users. VETH pairs are used to connect the interfaces on these
routers to different networks, whether they are internal (private) or
external (public). In most cases NAT is done inside the namespace as
packets move between the networks.
I've seen cases where certain users are attacked, where the CT table is
filled such that we start seeing "nf_conntrack: table full, dropping packet"
messages (as expected). But other users continue to function normally,
unaffected. Is this still the case - each netns has some limit it can't
exceed?
The limit is global, the accounting per namespace.
So this is a change from existing.
If the bucket count (net.netfilter.nf_conntrack_buckets) is high enough
to accomodate the expected load and noone can create arbitrary number of
net namespaces things are fine.
In my case we can't control the number of namespaces, each user will get one as
a virtual router is created. We could change how we size things, but that
doesn't stop one user from consuming larger than their 1/N share of entries.
Typically we just increase the number of systems hosting these "routers" when we
hit a limit, which decreases the netns count per node.
I haven't changed the way this works yet because I did not have a better
idea so far.
Creating a per-netns maximum seems doable, but maybe not practical from the
accounting side of things. Can't think of anything else at the moment.
-Brian
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
