On Tue, Jul 17, 2018 at 12:02 PM David Ahern <dsahern@xxxxxxxxx> wrote:

> As for the per-namespace tables, it is 4 years later and over that time
> Linux supports a number of features: EVPN which is very mac heavy, VRR
> which doubles mac entries (one against the VRR device and one against
> the lower device) and NOS level features such as mlxsw which has to
> ensure mac entries for nexthop gateways stay active. In addition there
> are other features on the horizon - like the ability to use namespaces
> to create virtual switches (what Cisco calls a VDC) where you absolutely
> want isolation and not allowing entries from one virtual switch to evict
> entries from another. And of course the continued proliferation of
> containerized workloads where isolation is desired.

As long as there is no change in the neigh table code base itself, these can't address the concern people raised before.

> I understand the concern about global resource and limits: as it stands
> you have to increase the limits in init_net to the max expected and hope
> for the best. With per namespace limits you can lower the limits of each
> namespace and better control the total impact on the total memory used.

The problem is that the number of containers in a host is usually not predictable.

Of course, you can say containers limit kernel memory too, but memcg is not part of netns. I once told David Miller cpuset is the isolation for isolating per-CPU softnet_data; he didn't like it. Based on that I don't think you can convince him with memcg as a solution here.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html