[ovs-dev] [patch v1] conntrack: Support zone limits.

Yi-Hung Wei yihung.wei at gmail.com
Thu Dec 10 00:00:14 UTC 2020


On Wed, Dec 9, 2020 at 7:50 AM Harold Huang <baymaxhuang at gmail.com> wrote:
>
> When I use ```ovs-appctl dpctl/ct-set-limits default=6``` to set the
> default zone limit, the max connection limit of all zones is set to 6. I
> think it is not reasonable. First, the max connection limit can be set with
> ```ovs-appctl dpctl/ct-set-maxconns```. And when I use ```ovs-appctl
> dpctl/ct-get-limits zone=5,6,7,8```, the result is like:
> ```
> $ovs-appctl dpctl/ct-get-limits zone=5,6,7,8
> default limit=6
> zone=5,limit=6,count=0
> zone=6,limit=6,count=0
> zone=7,limit=6,count=0
> zone=8,limit=6,count=0
> ```

It is the expected behavior.  Basically, dpctl/ct-set-limits sets the
per-zone limit; if the per-zone limit is not configured, it defaults
to the default per-zone limit.

It is documented on ovs-vswitchd(8),

       dpctl/ct-set-limits            [dp]             [default=default_limit]
       [zone=zone,limit=limit]...
              Sets  the  maximum allowed number of connections in a connection
              tracking zone.  A specific zone may be set to limit, and  multi‐
              ple  zones  may  be specified with a comma-separated list.  If a
              per-zone limit for a particular zone is  not  specified  in  the
              datapath,  it defaults to the default per-zone limit.  A default
              zone may be specified with the  default=default_limit  argument.
              Initially,  the  default per-zone limit is unlimited.  An unlim‐
              ited number of entries may be set with 0 limit.


> It seems that each zone has a default limit(6), but the limit(6) is the
> total connection limit for all zones if we do not set the limit for a
> specific zone.
>

The total connection limit is set by dpctl/ct-set-maxconns for the
userspace datapath.
Quoted from ovs-vswitchd(8),

       dpctl/ct-set-maxconns [dp] maxconns
              Sets the maximum limit of connection tracker entries to maxconns
              on dp.  This can be used to reduce the processing  load  on  the
              system  due to connection tracking or simply limiting connection
              tracking.  If the number of connections is already over the  new
              maximum  limit  request  then  the new maximum limit will be en‐
              forced when the number of connections decreases to  that  limit,
              which normally happens due to connection expiry.  Only supported
              for userspace datapath.


For kernel datapath, the number of conntrack entries for all zones is
limited by nf_conntrack_max,
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt


-Yi-Hung
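The two knobs quoted above interact in a way that is easy to misread from the ct-get-limits output alone. The following Python model is an added example, not OVS code: it parses a `dpctl/ct-set-limits` argument string and the `dpctl/ct-get-limits` output format shown in the thread, computes the effective limit of a zone (explicit limit, else the default, with 0 meaning unlimited, as ovs-vswitchd(8) states), and flags zones sitting at their cap. The admission rule it applies (a new entry is refused once the zone count reaches the zone limit, or once the total reaches ct-set-maxconns on the userspace datapath) is an assumption made to illustrate the interaction, not a transcription of the datapath code; the sample ct-get-limits output is constructed.

```python
"""Model of the OVS conntrack limit knobs discussed in this thread.

Added example, not OVS code.  Mirrors the ovs-vswitchd(8) text quoted above:
  dpctl/ct-set-limits [default=N] [zone=Z,limit=L]...  per-zone caps; a zone
      without an explicit limit inherits the default; 0 means unlimited.
  dpctl/ct-set-maxconns N                               global cap (userspace dp).
The admission rule in would_admit() is an assumption for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNLIMITED = 0  # "An unlimited number of entries may be set with 0 limit."


@dataclass
class LimitConfig:
    default: int = UNLIMITED  # "Initially, the default per-zone limit is unlimited."
    zones: Dict[int, int] = field(default_factory=dict)  # explicit per-zone limits


def parse_set_limits_args(args: str) -> LimitConfig:
    """Parse the argument string of dpctl/ct-set-limits into a LimitConfig."""
    cfg = LimitConfig()
    for tok in args.split():
        m = re.fullmatch(r"default=(\d+)", tok)
        if m:
            cfg.default = int(m.group(1))
            continue
        m = re.fullmatch(r"zone=(\d+),limit=(\d+)", tok)
        if m:
            cfg.zones[int(m.group(1))] = int(m.group(2))
            continue
        raise ValueError(f"unrecognised ct-set-limits argument: {tok!r}")
    return cfg


def effective_limit(cfg: LimitConfig, zone: int) -> int:
    """A zone with no explicit limit falls back to the default per-zone limit."""
    return cfg.zones.get(zone, cfg.default)


def would_admit(cfg: LimitConfig, zone: int, zone_count: int,
                total_count: int, maxconns: Optional[int] = None) -> bool:
    """Assumed rule: a new entry must fit under the zone's effective limit and,
    when maxconns is given (userspace datapath), under the global cap too."""
    zl = effective_limit(cfg, zone)
    if zl != UNLIMITED and zone_count >= zl:
        return False
    if maxconns is not None and total_count >= maxconns:
        return False
    return True


@dataclass
class ZoneStatus:
    zone: int
    limit: int
    count: int


def parse_get_limits_output(text: str) -> Tuple[int, Dict[int, ZoneStatus]]:
    """Parse `ovs-appctl dpctl/ct-get-limits` output in the format shown above."""
    default: Optional[int] = None
    zones: Dict[int, ZoneStatus] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"default limit=(\d+)", line)
        if m:
            default = int(m.group(1))
            continue
        m = re.fullmatch(r"zone=(\d+),limit=(\d+),count=(\d+)", line)
        if m:
            z, lim, cnt = (int(g) for g in m.groups())
            zones[z] = ZoneStatus(z, lim, cnt)
            continue
        raise ValueError(f"unrecognised ct-get-limits line: {line!r}")
    if default is None:
        raise ValueError("missing 'default limit=' line")
    return default, zones


def zones_at_limit(zones: Dict[int, ZoneStatus], threshold: float = 0.9) -> List[int]:
    """Zones whose count is at or above `threshold` of a finite limit; a zone
    at its cap cannot take new connections, which is worth alerting on."""
    return sorted(z.zone for z in zones.values()
                  if z.limit != UNLIMITED and z.count >= threshold * z.limit)


# Constructed sample: what ct-get-limits might print after
#   ovs-appctl dpctl/ct-set-limits default=6 zone=5,limit=10 zone=7,limit=0
SAMPLE_GET_LIMITS = """\
default limit=6
zone=5,limit=10,count=9
zone=6,limit=6,count=6
zone=7,limit=0,count=5000
zone=8,limit=6,count=1
"""

if __name__ == "__main__":
    cfg = parse_set_limits_args("default=6 zone=5,limit=10 zone=7,limit=0")
    _, status = parse_get_limits_output(SAMPLE_GET_LIMITS)
    for z in (5, 6, 7, 8):
        print(f"zone {z}: effective limit {effective_limit(cfg, z) or 'unlimited'}")
    print("zones at/near limit:", zones_at_limit(status))
```

Note that ct-get-limits prints the effective limit for every zone asked about, so its output does not distinguish a zone that was given limit=6 explicitly from one that merely inherits default=6; only the ct-set-limits arguments (modelled by LimitConfig) carry that distinction.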

