lvxiafei <xiafei_xupt@xxxxxxx> wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > I suggest removing nf_conntrack_max as a global variable,
> > make net.nf_conntrack_max use init_net.nf_conntrack_max too internally,
> > so in the init_net both sysctls remain the same.
>
> The nf_conntrack_max global variable is a system-calculated
> value and should not be removed.
> nf_conntrack_max = max_factor * nf_conntrack_htable_size;

That's the default calculation for the initial sysctl value:

net/netfilter/nf_conntrack_standalone.c:    .data = &nf_conntrack_max,
net/netfilter/nf_conntrack_standalone.c:    .data = &nf_conntrack_max,

You can make an initial patch that replaces all occurrences of
nf_conntrack_max with cnet->sysctl_conntrack_max (adding a
'unsigned int sysctl_conntrack_max' to struct nf_conntrack_net).

Then, in a second patch, remove the '0444' readonly and redirect the child
netns to use the copy in its own pernet area rather than the init_net one.
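The two-step change Florian sketches (move the limit into struct nf_conntrack_net, then drop the 0444 read-only child entry so each netns edits its own copy) can be illustrated with a user-space model. This is an added example, not code from the thread or from the kernel tree: struct net, the ctl_entry "sysctl table", nf_ct_pernet(), sysctl_read()/sysctl_write() and the htable size default are stand-ins for the kernel objects they are named after, and the value 16384 for nf_conntrack_htable_size is a constructed input, not the real boot-time default. It contrasts the old layout (child netns entry is 0444 and aliases init_net's value) with the proposed one (every netns owns a writable sysctl_conntrack_max).

```c
/* Added example: user-space model of per-netns nf_conntrack_max.
 * Names follow the kernel's, but these structs and helpers are stand-ins,
 * not the real netfilter/sysctl API. */
#include <stdio.h>
#include <stdbool.h>

#define MAX_FACTOR 4U
/* Constructed default hash-table size for this model (not the kernel's boot-time value). */
static unsigned int nf_conntrack_htable_size = 16384;

/* Per-netns conntrack state; sysctl_conntrack_max replaces the old global. */
struct nf_conntrack_net {
    unsigned int sysctl_conntrack_max;
};

/* Stand-in for struct net: only the conntrack pernet area matters here. */
struct net {
    struct nf_conntrack_net cnet;
};

/* Stand-in for one ctl_table entry: where it reads/writes, and its mode. */
struct ctl_entry {
    const char *procname;
    unsigned int *data;
    unsigned int mode; /* 0444 read-only, 0644 writable by root */
};

static struct net init_net;

static struct nf_conntrack_net *nf_ct_pernet(struct net *net)
{
    return &net->cnet;
}

/* Replaces "nf_conntrack_max = max_factor * nf_conntrack_htable_size":
 * the computed default now lands in init_net's pernet copy. */
static void nf_conntrack_init_start(void)
{
    nf_ct_pernet(&init_net)->sysctl_conntrack_max =
        MAX_FACTOR * nf_conntrack_htable_size;
}

/* Child namespaces start from whatever init_net currently has. */
static void nf_conntrack_pernet_init(struct net *net)
{
    if (net == &init_net)
        return;
    nf_ct_pernet(net)->sysctl_conntrack_max =
        nf_ct_pernet(&init_net)->sysctl_conntrack_max;
}

/* per_netns_copy == false: old layout, child entry is 0444 and points at init_net.
 * per_netns_copy == true:  proposed layout, every netns gets a 0644 entry over its own copy. */
static void nf_conntrack_sysctl_init(struct net *net, struct ctl_entry *e,
                                     bool per_netns_copy)
{
    e->procname = "nf_conntrack_max";
    if (net == &init_net || per_netns_copy) {
        e->data = &nf_ct_pernet(net)->sysctl_conntrack_max;
        e->mode = 0644;
    } else {
        e->data = &nf_ct_pernet(&init_net)->sysctl_conntrack_max;
        e->mode = 0444;
    }
}

/* Model of a proc write: refused when the entry carries no write bit. */
static int sysctl_write(struct ctl_entry *e, unsigned int val)
{
    if (!(e->mode & 0200))
        return -1;
    *e->data = val;
    return 0;
}

static unsigned int sysctl_read(const struct ctl_entry *e)
{
    return *e->data;
}

/* Boot init_net, create one child netns, write child_val through the child's
 * sysctl. Returns the child's readable value; *rc is the write result and
 * *init_after is init_net's value afterwards. */
static unsigned int scenario(bool per_netns_copy, unsigned int child_val,
                             int *rc, unsigned int *init_after)
{
    struct net child;
    struct ctl_entry init_e, child_e;

    nf_conntrack_init_start();
    nf_conntrack_pernet_init(&child);
    nf_conntrack_sysctl_init(&init_net, &init_e, per_netns_copy);
    nf_conntrack_sysctl_init(&child, &child_e, per_netns_copy);

    *rc = sysctl_write(&child_e, child_val);
    *init_after = sysctl_read(&init_e);
    return sysctl_read(&child_e);
}

int main(void)
{
    int rc;
    unsigned int init_after, child;

    child = scenario(false, 1000, &rc, &init_after);
    printf("old layout: write rc=%d child=%u init_net=%u\n", rc, child, init_after);
    child = scenario(true, 1000, &rc, &init_after);
    printf("per-netns:  write rc=%d child=%u init_net=%u\n", rc, child, init_after);
    return 0;
}
```

In the old layout the child's write is refused and both entries still show the computed default; with the pernet copy the child lowers its own limit while init_net keeps max_factor * nf_conntrack_htable_size, which is the "both sysctls remain the same in init_net" property from the quoted suggestion.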