On Thu, May 22, 2025 at 09:32:23PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> > > - to nf_conntrack_buckets by default.
> > > - Note that connection tracking entries are added to the table twice -- once
> > > - for the original direction and once for the reply direction (i.e., with
> > > - the reversed address). This means that with default settings a maxed-out
> > > - table will have a average hash chain length of 2, not 1.
> > > + - 0 - disabled (unlimited)
> >
> > unlimited is too much, and the number of buckets is also global, how
> > does this work?
>
> It's an historic wart going back to ip_conntrack - it was never the
> default but you could disable any and all limits even in the original
> version.

Thanks, I was just sitting here clueless.

> Whether it's time to disallow 0 is a different topic and not related to this patch.
>
> I would argue: "yes", disallow 0 -- users can still set INT_MAX if they
> want and that should provide enough rope to strangle yourself.

The question is how to make it without breaking crazy people.

> > > + The limit of other netns cannot be greater than init_net netns.
> > > + +----------------+-------------+----------------+
> > > + | init_net netns | other netns | limit behavior |
> > > + +----------------+-------------+----------------+
> > > + | 0              | 0           | unlimited      |
> > > + +----------------+-------------+----------------+
> > > + | 0              | not 0       | other          |
> > > + +----------------+-------------+----------------+
> > > + | not 0          | 0           | init_net       |

in this case above...

> > > + +----------------+-------------+----------------+
> > > + | not 0          | not 0       | min            |

... and this case, init_net value is used as a cap for other netns.

Then, this is basically allowing to specify a maximum that is smaller
than init_netns. IIUC, that sounds reasonable.

As for how to discontinue the unlimited in other netns, let me know if
you have any suggestions.

> > > + +----------------+-------------+----------------+
>
> I think this is fine, it doesn't really change things from init_net
> point of view.

Thanks for explaining.
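Review bot: the removed lines in the first quoted region ("- Note that connection tracking entries are added to the table twice ..." through "... average hash chain length of 2, not 1.") take away the only place that explains why the default nf_conntrack_max equals nf_conntrack_buckets and why a full table still has chains of length 2; unless the patch restates that text elsewhere, keep it alongside the new value list, because an admin raising the limit needs exactly that reasoning. The new "+ - 0 - disabled (unlimited)" bullet also documents, without comment, the setting both reviewers in this thread call a historical wart; if 0 keeps being accepted, the bullet should say that it lifts the cap in init_net and, per the first row of the table, in every other netns that also writes 0, so the reader knows that "unlimited" is global rather than per-namespace.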
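Review bot: in the table region, the column headers "init_net netns" and "other netns" do not say what the cells hold (the nf_conntrack_max value written in each namespace), and the "limit behavior" cells "other", "init_net" and "min" read as identifiers rather than outcomes; spelling them out as "other netns value", "init_net value" and "min(init_net, other)" would make the rows self-explanatory. The sentence introducing the table, "The limit of other netns cannot be greater than init_net netns.", is only true when init_net is non-zero: the first two rows show a zero init_net imposing no cap at all, so qualify it with "unless init_net is 0" to match the rows below it.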