lvxiafei <xiafei_xupt@xxxxxxx> wrote:

> The modification of nf_conntrack_max in one netns
> should not affect the value in another one.

nf_conntrack_max can only be changed in init_net.

Given the check isn't removed:

        /* Don't allow non-init_net ns to alter global sysctls */
        if (!net_eq(&init_net, net)) {
                table[NF_SYSCTL_CT_MAX].mode = 0444;
                ...

this patch seems untested?

But, removing this check would allow any netns to consume an arbitrary
amount of kernel memory. How do you prevent this?