[ovs-dev] [PATCH v4 00/11] conntrack zone limitation
Justin Pettit
jpettit at ovn.org
Fri Aug 17 17:38:51 UTC 2018
> On Aug 17, 2018, at 2:05 AM, Yi-Hung Wei <yihung.wei at gmail.com> wrote:
>
> This patch series implements connection tracking zone limitation to
> limit the maximum number of conntrack entries in the conntrack table
> for every zone. This feature aims to resolve a problem that if one
> of the VMs/containers under attack abuses the usage of the conntrack
> entries, it may block the others from committing valid conntrack
> entries into the conntrack table.
>
> To address this issue, this patch series proposes to have a
> fine-grained mechanism that could limit the # of conntrack entries
> per-zone. For example, we can designate different zones to different VMs,
> and set a conntrack limit for each zone. By providing this isolation, a
> mis-behaved VM only consumes the conntrack entries in its own zone, and
> it will not influence other well-behaved VMs. Moreover, the users can
> set various conntrack limits for different zones based on their preference.
>
> This patch series consists of dpif layer support, kernel backports to
> support this feature in dpif-netlink, dpif-netlink implementation,
> dpctl commands, and a system traffic test to verify this feature.
Thanks for the patches, Yi-Hung. I applied them to master and branch-2.10.
--Justin
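The isolation property described in the cover letter (a zone that exhausts its own budget cannot starve other zones of the shared table) can be illustrated with a small model. The following is an added example written for this page; it is not OVS code and does not reproduce the kernel's nf_conncount or the dpif-netlink implementation. It assumes a single table with a global capacity (standing in for the kernel's conntrack table size), a default per-zone limit, and optional per-zone overrides, with "no limit configured" meaning unlimited; the sample flows are constructed.

```python
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

# A connection is identified by its 5-tuple: (src, sport, dst, dport, proto).
FiveTuple = Tuple[str, int, str, int, str]


class ZoneLimitedConntrack:
    """Toy model of a conntrack table with per-zone entry limits.

    global_max   : total entries the table can hold (shared by all zones).
    default_limit: limit applied to any zone without an explicit limit;
                   None means unlimited (assumption of this model).
    """

    def __init__(self, global_max: int, default_limit: Optional[int] = None):
        self.global_max = global_max
        self.default_limit = default_limit
        self.zone_limits: Dict[int, int] = {}
        self.entries: Dict[int, Set[FiveTuple]] = defaultdict(set)

    def set_limit(self, zone: int, limit: int) -> None:
        self.zone_limits[zone] = limit

    def del_limit(self, zone: int) -> None:
        self.zone_limits.pop(zone, None)

    def limit_for(self, zone: int) -> Optional[int]:
        return self.zone_limits.get(zone, self.default_limit)

    def total(self) -> int:
        return sum(len(s) for s in self.entries.values())

    def count(self, zone: int) -> int:
        return len(self.entries[zone])

    def commit(self, zone: int, conn: FiveTuple) -> bool:
        """Try to commit a connection into the given zone.

        Returns False when either the zone's own limit or the shared
        table capacity would be exceeded by a new entry.
        """
        if conn in self.entries[zone]:
            return True  # already tracked; no new entry is needed
        limit = self.limit_for(zone)
        if limit is not None and self.count(zone) >= limit:
            return False  # this zone has used up its budget
        if self.total() >= self.global_max:
            return False  # shared table is full
        self.entries[zone].add(conn)
        return True


def flood(table: ZoneLimitedConntrack, zone: int, n: int) -> int:
    """Simulate a misbehaving endpoint opening n distinct connections
    in one zone; returns how many were accepted (constructed traffic)."""
    accepted = 0
    for port in range(n):
        if table.commit(zone, ("10.0.0.1", 1024 + port, "10.0.0.2", 80, "tcp")):
            accepted += 1
    return accepted


# A single legitimate flow from a different tenant, placed in its own zone.
GOOD_FLOW: FiveTuple = ("10.0.1.1", 40000, "10.0.1.2", 443, "tcp")


def demo_without_zone_limits() -> Tuple[int, bool]:
    """No per-zone limits: zone 1 fills the shared table and zone 2 starves."""
    table = ZoneLimitedConntrack(global_max=1000)
    accepted = flood(table, zone=1, n=5000)
    return accepted, table.commit(2, GOOD_FLOW)


def demo_with_zone_limits() -> Tuple[int, bool]:
    """Zone 1 is capped at 100 entries, so zone 2 can still commit."""
    table = ZoneLimitedConntrack(global_max=1000, default_limit=500)
    table.set_limit(1, 100)
    accepted = flood(table, zone=1, n=5000)
    return accepted, table.commit(2, GOOD_FLOW)


if __name__ == "__main__":
    print("no zone limits :", demo_without_zone_limits())
    print("with zone limit:", demo_with_zone_limits())
```

The two `demo_*` functions contrast the situation the cover letter describes: in the first, the flood in zone 1 consumes every slot in the shared table and the unrelated flow in zone 2 is refused; in the second, the per-zone cap stops the flood at 100 entries and zone 2 commits normally. Deleting a zone's limit with `del_limit` returns it to the default, which is the same fallback rule the cover letter describes for zones without their own setting.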