lvxiafei <xiafei_xupt@xxxxxxx> wrote:
> From: lvxiafei <lvxiafei@xxxxxxxxxxxxx>
>
> Support nf_conntrack_max settings in different netns,
> nf_conntrack_max is used to more flexibly limit the
> ct_count in different netns, which may be greater than
> the value in the parent namespace. The default value
> belongs to the global (ancestral) limit and no implicit
> limit is inherited from the parent namespace.

That seems the wrong thing to do.

There must be some way to limit the netns conntrack usage.
What's the actual intent here?

You could apply max = min(init_net->max, net->max)

Or, you could relax it as long as netns are owned by initial user ns, I guess.

Or perhaps it's possible to make a guesstimate of the maximum memory needed by the new limit, then account that to memcg (at sysctl change time), and reject if memcg is exhausted.

No other ideas at the moment, but I do not like the "no limits" approach.