On Sat, Apr 2, 2022 at 11:32 AM Vasily Averin <vasily.averin@xxxxxxxxx> wrote:
>
> On 4/2/22 20:12, Eric Dumazet wrote:
> >
> > On 4/2/22 03:33, Vasily Averin wrote:
> >> Pablo, Florian,
> >>
> >> There is an old issue with the conntrack limit on multi-netns (read: container) nodes.
> >>
> >> Any connection to containers hosted on the node creates a conntrack in init_netns.
> >> If the number of conntracks in init_netns reaches the limit, the whole node becomes
> >> unavailable.
> >
> > Can you describe the network topology?
>
>              += veth1 <=> veth container1
> ethX <=> brX =+= veth2 <=> veth container2
>              += vethX <=> veth containerX

Could you simply add an iptables rule in init_net to bypass conntrack for idev=veth* ?

iptables -t raw -I PREROUTING -i veth+ -j NOTRACK

(I have not worked with conntrack in recent years, this might be foolish...)

> > Are you using macvlan, ipvlan, or something else?
>
> No, we did not use it earlier, because it was not available in RHEL7,
> but now it looks like a good solution for me.
>
> Thank you for the hint,
> Vasily Averin
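As an added illustration (not code from the thread or from either author), the script below renders the raw-table NOTRACK rule suggested above as an iptables-restore fragment and adds the check a node operator would want alongside it: how close init_net's conntrack table is to nf_conntrack_max, read from the real sysctl files by default or from files passed in (the file paths and thresholds are the example's own choices).

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Emit an iptables-restore fragment for the raw table that skips conntrack
# for packets entering init_net from container-side veth interfaces.
# "veth+" is iptables' prefix wildcard: it matches veth1, veth2, vethX, ...
# Apply with:  notrack_rules | iptables-restore --noflush
notrack_rules() {
    prefix=${1:-veth}
    cat <<EOF
*raw
-I PREROUTING -i ${prefix}+ -j NOTRACK
COMMIT
EOF
}

# Percentage of the init_net conntrack table in use (integer).
# Arguments: count file, max file; defaults are the kernel's sysctl files,
# the test passes constructed files instead.
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    count=$(cat "$count_file") || return 1
    max=$(cat "$max_file") || return 1
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Succeeds (exit 0) when usage is at or above the threshold (default 90%),
# i.e. the node is about to hit the failure mode described in the thread.
conntrack_near_limit() {
    threshold=${3:-90}
    pct=$(conntrack_usage_pct "$1" "$2") || return 2
    [ "$pct" -ge "$threshold" ]
}
```

Run `conntrack_near_limit` from a cron job or exporter to alert before the table fills; the NOTRACK rule only covers the container-to-host direction, so verify the effect by watching the count fall.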