Re: [PATCH] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl

[Florian Westphal]

lvxiafei <xiafei_xupt@xxxxxxx> wrote:
> The modification of nf_conntrack_max in one netns
> should not affect the value in another one.

nf_conntrack_max can only be changed in init_net.

Given the check isn't removed:
   /* Don't allow non-init_net ns to alter global sysctls */
   if (!net_eq(&init_net, net)) {
       table[NF_SYSCTL_CT_MAX].mode = 0444;

... this patch seems untested?

But, removing this check would allow any netns to consume
arbitrary amount of kernel memory.

How do you prevent this?