On 4/2/22 21:50, Eric Dumazet wrote:
> On Sat, Apr 2, 2022 at 11:32 AM Vasily Averin <vasily.averin@xxxxxxxxx> wrote:
>>
>> On 4/2/22 20:12, Eric Dumazet wrote:
>>>
>>> On 4/2/22 03:33, Vasily Averin wrote:
>>>> Pablo, Florian,
>>>>
>>>> There is an old issue with conntrack limit on multi-netns (read container) nodes.
>>>>
>>>> Any connection to containers hosted on the node creates a conntrack in init_netns.
>>>> If the number of conntrack in init_netns reaches the limit, the whole node becomes
>>>> unavailable.
>>>
>>> Can you describe network topology?
>>
>>                += veth1 <=> veth container1
>> ethX <=> brX =+= veth2 <=> veth container2
>>                += vethX <=> veth containerX
>>
>
> Could you simply add an iptables rule in init_net to bypass conntrack
> for idev=veth* ?
>
> iptables -t raw -I PREROUTING -i veth+ -j NOTRACK
>
> (I have not worked with conntrack in recent years, this might be foolish...)

Great and simple idea.
Thank you very much, we'll investigate it.

Vasily Averin
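The NOTRACK approach discussed above, as an added shell example that is not from the thread: it installs Eric's raw-table rule only if it is not already present and reports how full the host (init_net) conntrack table is, so the effect can be checked before and after. It assumes an iptables binary that supports the `-C` check option and the nf_conntrack sysctl files under /proc/sys/net/netfilter; the sample counts used in comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Installs the NOTRACK rule from the
# discussion idempotently and reports host (init_net) conntrack table usage.
set -eu

IFACE_PATTERN='veth+'   # iptables wildcard: every interface named veth*

# Insert the raw-table rule only if it is not already there; -C exits 0 when
# an identical rule exists, so re-running the script does not stack copies.
ensure_veth_notrack() {
    if iptables -t raw -C PREROUTING -i "$IFACE_PATTERN" -j NOTRACK 2>/dev/null; then
        echo "NOTRACK rule for $IFACE_PATTERN already present"
    else
        iptables -t raw -I PREROUTING -i "$IFACE_PATTERN" -j NOTRACK
        echo "inserted NOTRACK rule for $IFACE_PATTERN"
    fi
}

# Percentage of the conntrack table in use. The two file paths are
# parameters (defaults are the real sysctl files) so the arithmetic can be
# exercised on constructed input without root, e.g. count=59000 max=65536 -> 90.
conntrack_usage_pct() {
    count_file=${1:-/proc/sys/net/netfilter/nf_conntrack_count}
    max_file=${2:-/proc/sys/net/netfilter/nf_conntrack_max}
    count=$(cat "$count_file")
    max=$(cat "$max_file")
    [ "$max" -gt 0 ] || { echo "nf_conntrack_max is 0" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# Return non-zero when usage reaches the threshold (default 90%), so this can
# feed a monitoring check that fires before the node becomes unreachable.
conntrack_check() {
    threshold=${1:-90}
    pct=$(conntrack_usage_pct "${2:-}" "${3:-}")
    if [ "$pct" -ge "$threshold" ]; then
        echo "conntrack table ${pct}% full (threshold ${threshold}%)" >&2
        return 1
    fi
    echo "conntrack table ${pct}% full"
}

# Only touch the firewall when explicitly asked: "./script.sh apply".
if [ "${1:-}" = "apply" ]; then
    conntrack_check || true      # show usage before the change
    ensure_veth_notrack
fi
```

Packets matched by NOTRACK get no conntrack entry in init_net, so any state-dependent rules or NAT in the host namespace will no longer see that veth traffic; the containers' own namespaces still track it normally.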