Re: [PATCH V3] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl
From: lvxiafei
Date: Thu Apr 10 2025 - 09:10:41 EST
Florian Westphal <fw@xxxxxxxxx> wrote:
> I suggest to remove nf_conntrack_max as a global variable,
> make net.nf_conntrack_max use init_net.nf_conntrack_max too internally,
> so in the init_net both sysctls remain the same.
The nf_conntrack_max global variable is a system calculated
value and should not be removed.
nf_conntrack_max = max_factor * nf_conntrack_htable_size;
> When a new conntrack is allocated, then:
>
> If the limit in the init_net is lower than the netns, then
> that limit applies, so it provides upper cap.
>
> If the limit in the init_net is higher, the lower pernet limit
> is applied.
>
> If the init_net has 0 setting, no limit is applied.
If the init_net has 0 setting, it should depend on the
limit of other netns.
The netns Limit Behavior:
+------------------------+--------------------+------------------------+
| init_net.ct.sysctl_max | net->ct.sysctl_max | netns Limit Behavior   |
+------------------------+--------------------+------------------------+
| 0                      | 0                  | No limit               |
+------------------------+--------------------+------------------------+
| 0                      | Non-zero           | net->ct.sysctl_max     |
+------------------------+--------------------+------------------------+
| Non-zero               | 0                  | init_net.ct.sysctl_max |
+------------------------+--------------------+------------------------+
| Non-zero               | Non-zero           | min                    |
+------------------------+--------------------+------------------------+
net_ct_sysctl_max = likely(a && b) ? min(a, b) : max(a, b);
or
net_ct_sysctl_max = unlikely(a == 0 || b == 0) ? max(a, b) : min(a, b);
if (net_ct_sysctl_max && unlikely(ct_count > net_ct_sysctl_max)) { ...
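The limit-resolution table and the allocation-time check above, worked through as a stand-alone C example. This is an added illustration, not code from the patch or from the kernel tree: the function names `effective_ct_max`, `ct_alloc_allowed` and `posted_forms_agree` are hypothetical, the sysctl values are passed as plain integers in place of `init_net.ct.sysctl_max` / `net->ct.sysctl_max`, and `ct_count` is taken to be the per-netns count after the new entry has been counted, as in the posted `ct_count > net_ct_sysctl_max` check.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Resolve the effective conntrack limit for a netns from the two sysctls
 * (hypothetical helper, mirrors the table in the mail). 0 means "no limit".
 *   both 0        -> 0 (unlimited)
 *   one of them 0 -> the non-zero one
 *   both non-zero -> the smaller one (init_net acts as an upper cap)
 */
unsigned int effective_ct_max(unsigned int init_max, unsigned int ns_max)
{
	if (init_max == 0 || ns_max == 0)
		return init_max > ns_max ? init_max : ns_max;
	return init_max < ns_max ? init_max : ns_max;
}

/*
 * Check that the two equivalent one-liners from the mail,
 *   likely(a && b) ? min(a, b) : max(a, b)
 *   unlikely(a == 0 || b == 0) ? max(a, b) : min(a, b)
 * agree with each other and with effective_ct_max() for the given inputs.
 */
bool posted_forms_agree(unsigned int a, unsigned int b)
{
	unsigned int mn = a < b ? a : b;
	unsigned int mx = a > b ? a : b;
	unsigned int form1 = (a && b) ? mn : mx;
	unsigned int form2 = (a == 0 || b == 0) ? mx : mn;

	return form1 == form2 && form1 == effective_ct_max(a, b);
}

/*
 * Allocation-time decision. ct_count is the per-netns count including the
 * entry being allocated; the posted check drops (or early-drops) when
 * ct_count exceeds the effective limit, and never when the limit is 0.
 */
bool ct_alloc_allowed(unsigned int init_max, unsigned int ns_max,
		      unsigned int ct_count)
{
	unsigned int limit = effective_ct_max(init_max, ns_max);

	if (limit && ct_count > limit)
		return false;
	return true;
}

int main(void)
{
	/* Constructed sample values, one per table row. */
	unsigned int cases[][2] = { {0, 0}, {0, 500}, {300, 0}, {300, 500} };
	size_t i;

	printf("%-10s %-10s %-10s %s\n", "init_net", "netns", "limit", "count 400 ok?");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		unsigned int a = cases[i][0], b = cases[i][1];
		printf("%-10u %-10u %-10u %s\n", a, b, effective_ct_max(a, b),
		       ct_alloc_allowed(a, b, 400) ? "yes" : "no");
	}
	return 0;
}
```

Running it prints one line per table row; the fourth row shows that with init_net at 300 and the netns at 500, the 400th entry is refused because the lower init_net value caps the netns, as Florian's description requires.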