Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote: > > - to nf_conntrack_buckets by default. > > - Note that connection tracking entries are added to the table twice -- once > > - for the original direction and once for the reply direction (i.e., with > > - the reversed address). This means that with default settings a maxed-out > > - table will have a average hash chain length of 2, not 1. > > + - 0 - disabled (unlimited) > > unlimited is too much, and the number of buckets is also global, how > does this work? Its an historic wart going back to ip_conntrack - it was never the default but you could disable any and all limits even in the original version. Wether its time to disallow 0 is a different topic and not related to this patch. I would argue: "yes", disallow 0 -- users can still set INT_MAX if they want and that should provide enough rope to strangle yourself. > > + The limit of other netns cannot be greater than init_net netns. > > + +----------------+-------------+----------------+ > > + | init_net netns | other netns | limit behavior | > > + +----------------+-------------+----------------+ > > + | 0 | 0 | unlimited | > > + +----------------+-------------+----------------+ > > + | 0 | not 0 | other | > > + +----------------+-------------+----------------+ > > + | not 0 | 0 | init_net | > > + +----------------+-------------+----------------+ > > + | not 0 | not 0 | min | > > + +----------------+-------------+----------------+ I think this is fine, it doesn't really change things from init_net point of view.
