Re: [PATCH] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl

From: lvxiafei
Date: Tue Apr 08 2025 - 04:42:51 EST

Next message: Andy Shevchenko: "Re: [PATCH 0/2] device property: Add fwnode_property_get_reference_optional_args"
Previous message: Matti Vaittinen: "[PATCH v3 00/14] Support ROHM Scalable PMIC family"
In reply to: lvxiafei: "Re: [PATCH] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl"
Next in thread: lvxiafei: "Re: [PATCH] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 7 Apr 2025 12:56:33 Jan Engelhardt <ej@xxxxxxx> wrote:
> By inheriting an implicit limit from the parent namespace somehow.
> For example, even if you set the kernel.pid_max sysctl in the initial
> namespace to something like 9999, subordinate namespace have
> kernel.pid_max=4million again, but nevertheless are unable to use
> more than 9999 PIDs. Or so documentation the documentation
> from commit d385c8bceb14665e935419334aa3d3fac2f10456 tells me
> (I did not try to create so many processes by myself).
>
> A similar logic would have to be applied for netfilter sysctls
> if they are made modifiable in subordinate namespaces.

The patch is to use nf_conntrack_max to more flexibly limit the
ct_count in different netns, which may be greater than the parent
namespace, belonging to the global (ancestral) limit, and there
is no implicit limit inherited from the parent namespace

Next message: Andy Shevchenko: "Re: [PATCH 0/2] device property: Add fwnode_property_get_reference_optional_args"
Previous message: Matti Vaittinen: "[PATCH v3 00/14] Support ROHM Scalable PMIC family"
In reply to: lvxiafei: "Re: [PATCH] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl"
Next in thread: lvxiafei: "Re: [PATCH] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]