Hi.

All network namespaces share a single hash table to store conntrack entries, so the nf_conntrack_max value is the limit on the total number of conntrack entries across all network namespaces. That is true of recent kernels, but I'm not sure about your kernel version. Check the content of net/netfilter/nf_conntrack_core.c in the sources of your kernel version (you can use this useful site: https://elixir.bootlin.com/linux/latest/source/net/netfilter/nf_conntrack_core.c ).

On Fri, 17 Aug 2018 at 21:59, Pankaja Dakhane (pdakhane) <pdakhane@xxxxxxxxx> wrote:
>
> Hello Experts,
>
> I am working on a system configured with Linux namespaces and one
> conntrackd is running per namespace. My question is:
> Are the limits set in /proc/sys/net/netfilter/nf_conn* shared across all
> namespaces? E.g. if the /proc/sys/net/netfilter/nf_conntrack_max setting is
> set to 65536, does it mean that across all namespaces conntrackd can track a
> maximum of 65536 connections? Or does it mean that this limit is
> applicable to the default namespace only?
>
> Perhaps some stats like nf_conntrack_count are specific to namespaces and
> others are not; a documentation link would be helpful too.
>
> Check some data points below.
>
> cat /proc/sys/net/netfilter/nf_conntrack_max  << default namespace
> 262144
> cat /proc/sys/net/netfilter/nf_conntrack_max  << namespace ns1
> 262144
>
> ip netns exec ns1 cat /proc/sys/net/netfilter/nf_conntrack_count  << default namespace
> 13
> cat /proc/sys/net/netfilter/nf_conntrack_count  << namespace ns1
> 1465
>
> Thanks
> Pankaja
>

--
Anton.
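The practical consequence of a single shared table is that the counts reported by nf_conntrack_count in each namespace all draw on the same nf_conntrack_max, so one namespace can exhaust the table (the kernel then logs "nf_conntrack: table full, dropping packet") and new flows are dropped in every namespace. The script below is an added example, not part of the thread or of conntrack-tools; it sums the per-namespace counts and reports the remaining headroom in the shared table. It assumes iproute2's `ip netns`, a kernel with the global table Anton describes, and root for the live check; the function names (conntrack_headroom, conntrack_usage_pct, ns_conntrack_count, conntrack_report) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): aggregate nf_conntrack_count
# across all network namespaces and compare the sum with the single, shared
# nf_conntrack_max. Assumes `ip netns` (iproute2) and a kernel whose conntrack
# hash table is global; the live check (CONNTRACK_LIVE=1) needs root.

CT_DIR=/proc/sys/net/netfilter

# conntrack_headroom MAX COUNT... -> entries still free in the shared table.
# Every COUNT is treated as a consumer of the same MAX, which is the point of
# the thread: a per-namespace count is not a per-namespace budget.
conntrack_headroom() {
    max=$1; shift
    total=0
    for c in "$@"; do
        total=$((total + c))
    done
    echo $((max - total))
}

# conntrack_usage_pct MAX COUNT... -> integer percentage of the shared table
# in use (can exceed 100 only if the inputs are stale or inconsistent).
conntrack_usage_pct() {
    max=$1; shift
    total=0
    for c in "$@"; do
        total=$((total + c))
    done
    echo $((total * 100 / max))
}

# conntrack_status MAX COUNT... -> "ok", "warn" (>= 80% used) or "full".
conntrack_status() {
    pct=$(conntrack_usage_pct "$@")
    if [ "$pct" -ge 100 ]; then
        echo full
    elif [ "$pct" -ge 80 ]; then
        echo warn
    else
        echo ok
    fi
}

# ns_conntrack_count NAME -> nf_conntrack_count as seen inside namespace NAME.
# An empty NAME reads the initial (default) namespace.
ns_conntrack_count() {
    if [ -z "$1" ]; then
        cat "$CT_DIR/nf_conntrack_count"
    else
        ip netns exec "$1" cat "$CT_DIR/nf_conntrack_count"
    fi
}

# Live check: collect each namespace's count, then evaluate the total against
# nf_conntrack_max read once from the initial namespace (the value is global).
conntrack_report() {
    max=$(cat "$CT_DIR/nf_conntrack_max")
    counts=$(ns_conntrack_count "")
    for ns in $(ip netns list | awk '{print $1}'); do
        counts="$counts $(ns_conntrack_count "$ns")"
    done
    # word-splitting of $counts is intended: one argument per namespace
    # shellcheck disable=SC2086
    echo "nf_conntrack_max=$max per-ns counts: $counts" \
         "headroom=$(conntrack_headroom "$max" $counts)" \
         "used=$(conntrack_usage_pct "$max" $counts)%" \
         "status=$(conntrack_status "$max" $counts)"
}

if [ "${CONNTRACK_LIVE:-0}" = 1 ]; then
    conntrack_report
fi
```

Run with `CONNTRACK_LIVE=1 sh conntrack_headroom.sh` as root to get the live report; the arithmetic helpers can be fed the figures from the thread directly (max 262144 with counts 13 and 1465 leaves 260666 entries). If the sum of the per-namespace counts ever approaches the global max, raising nf_conntrack_max (and nf_conntrack_buckets) from the initial namespace is the only lever, since the limit cannot be raised per namespace.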