Re: [PATCH V3] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl

From: Florian Westphal
Date: Thu Apr 10 2025 - 09:20:39 EST


lvxiafei <xiafei_xupt@xxxxxxx> wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > I suggest to remove nf_conntrack_max as a global variable,
> > make net.nf_conntrack_max use init_net.nf_conntrack_max too internally,
> > so in the init_net both sysctls remain the same.
>
> The nf_conntrack_max global variable is a system calculated
> value and should not be removed.
> nf_conntrack_max = max_factor * nf_conntrack_htable_size;

That's the default calculation for the initial sysctl value:

net/netfilter/nf_conntrack_standalone.c: .data = &nf_conntrack_max,
net/netfilter/nf_conntrack_standalone.c: .data = &nf_conntrack_max,

You can make an initial patch that replaces all occurrences of
nf_conntrack_max with cnet->sysctl_conntrack_max

(adding a 'unsigned int sysctl_conntrack_max' to struct
nf_conntrack_net).

Then, in a second patch, remove the '0444' readonly and redirect
the child netns to use the copy in its own pernet area rather than the
init_net one.
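The per-netns layout sketched in the reply above, as an added C model written for this page (it is not kernel code and not part of the patch under discussion): the global nf_conntrack_max becomes a field of a stand-in for struct nf_conntrack_net, init_net computes its default as max_factor * nf_conntrack_htable_size, and a child netns starts from init_net's value but then owns a writable copy, so a write in one namespace no longer changes the limit seen by another. The struct name, the MAX_FACTOR value and the "0 means unlimited" admission check are assumptions of the model.

```c
/* Added model of moving nf_conntrack_max into a per-netns field.
 * Not kernel code; names and values are constructed for illustration. */
#include <stddef.h>

/* Constructed stand-in for the kernel's max_factor. */
#define MAX_FACTOR 8u

/* Toy stand-in for struct nf_conntrack_net: one instance per netns. */
struct nf_conntrack_net_model {
	unsigned int sysctl_conntrack_max; /* per-netns copy replacing the global */
	unsigned int count;                /* live conntrack entries in this netns */
};

static struct nf_conntrack_net_model init_net_model;

/* init_net: default limit is max_factor * htable_size, as in the thread. */
void init_net_setup(unsigned int htable_size)
{
	init_net_model.sysctl_conntrack_max = MAX_FACTOR * htable_size;
	init_net_model.count = 0;
}

unsigned int init_net_conntrack_max(void)
{
	return init_net_model.sysctl_conntrack_max;
}

/* Child netns init: inherit init_net's value, then keep an independent copy. */
void child_net_init(struct nf_conntrack_net_model *cnet)
{
	cnet->sysctl_conntrack_max = init_net_model.sysctl_conntrack_max;
	cnet->count = 0;
}

/* A write to net.netfilter.nf_conntrack_max inside a netns touches only
 * that netns (what removing the 0444 read-only mode would allow). */
void set_conntrack_max(struct nf_conntrack_net_model *cnet, unsigned int v)
{
	cnet->sysctl_conntrack_max = v;
}

/* Admission check against this netns's own limit; 0 is modelled as unlimited. */
int conntrack_alloc_allowed(const struct nf_conntrack_net_model *cnet)
{
	return cnet->sysctl_conntrack_max == 0 ||
	       cnet->count < cnet->sysctl_conntrack_max;
}
```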