Tonghao Zhang <xiangxia.m.yue@xxxxxxxxx> wrote:
> > openvswitch supports per zone limits already, using nf_conncount
> > infrastructure.
> This patch limits the UNREPLIED conntrack entries. If we SYN flood one
> zone, the zone will consume all entries in table, which state
> SYN_SENT.
> The openvswitch limits only the +est conntrack.

Why? Can't it be fixed to work properly?

> > iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -m connlimit \
> > --connlimit-above 1000 --connlimit-mask 0 -j REJECT

This should work for the synflood case, too.