Taehee Yoo <ap420073@xxxxxxxxx> wrote:
> In order to avoid wasteful memory allocation, the conntrack bucket size
> should be lower than the conntrack_max size.
> When conntrack_max is changed, conntrack_buckets will be changed to be
> under the conntrack_max value.
> But conntrack_buckets can be higher than conntrack_max only when
> conntrack_max is lower than the minimum of conntrack_buckets.
>
> TEST
> sysctl net.netfilter.nf_conntrack_max=100000 -w
> sysctl net.netfilter.nf_conntrack_buckets=200000 -w
> The second command will fail because of this patch.

Are you sure this is correct?

IIRC nf_conntrack_buckets is a global value, whereas nf_conntrack_max
is per netns.

So, with 100 netns nf_conntrack_buckets should be set to a much larger value.

Also, we hash and insert each conntrack entry twice, once for the original
and once for the reverse direction.

So, setting buckets to twice the max count is fine even for the
'init netns only' case.