[ovs-dev] [patch v1] conntrack: Support zone limits.
Yi-Hung Wei
yihung.wei at gmail.com
Thu Dec 10 00:00:14 UTC 2020
On Wed, Dec 9, 2020 at 7:50 AM Harold Huang <baymaxhuang at gmail.com> wrote:
>
> When I use ```ovs-appctl dpctl/ct-set-limits default=6``` to set the
> default zone limit, the max connection limit of all zones is set to 6. I
> think it is not reasonable. First, the max connection limit can be set with
> ```ovs-appctl dpctl/ct-set-maxconns```. And when I use ```ovs-appctl
> dpctl/ct-get-limits zone=5,6,7,8```, the result is like:
> ```
> $ovs-appctl dpctl/ct-get-limits zone=5,6,7,8
> default limit=6
> zone=5,limit=6,count=0
> zone=6,limit=6,count=0
> zone=7,limit=6,count=0
> zone=8,limit=6,count=0
> ```
It is the expected behavior. Basically, dpctl/ct-set-limits sets the
per-zone limit; if the per-zone limit is not configured, it defaults
to the default per-zone limit.
It is documented on ovs-vswitchd(8),
    dpctl/ct-set-limits [dp] [default=default_limit]
    [zone=zone,limit=limit]...
        Sets the maximum allowed number of connections in a connection
        tracking zone. A specific zone may be set to limit, and multiple
        zones may be specified with a comma-separated list. If a
        per-zone limit for a particular zone is not specified in the
        datapath, it defaults to the default per-zone limit. A default
        zone may be specified with the default=default_limit argument.
        Initially, the default per-zone limit is unlimited. An unlimited
        number of entries may be set with 0 limit.
> It seems that each zone has a default limit(6), but the limit(6) is the
> total connection limit for all zones if we do not set the limit for a
> specific zone.
>
The total connection limit is set by dpctl/ct-set-maxconns for
userspace datapath.
Quoted from ovs-vswitchd(8),
    dpctl/ct-set-maxconns [dp] maxconns
        Sets the maximum limit of connection tracker entries to maxconns
        on dp. This can be used to reduce the processing load on the
        system due to connection tracking or simply limiting connection
        tracking. If the number of connections is already over the new
        maximum limit request then the new maximum limit will be enforced
        when the number of connections decreases to that limit,
        which normally happens due to connection expiry. Only supported
        for userspace datapath.
For kernel datapath, the number of conntrack entries for all zones is
limited by nf_conntrack_max,
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
-Yi-Hung
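
Added example, not part of the original message or of the OVS code base: a small parser for the `dpctl/ct-get-limits` output format shown in the thread that makes the per-zone semantics visible by reporting which zones are full, which are unlimited, and the worst-case number of entries the listed zones can hold together. The sample counts, the `maxconns` parameter, the function names, and the assumption that an unlimited zone is printed as `limit=0` are constructed for illustration.

```python
import re

# Constructed sample in the format shown in the thread (counts are made up);
# assumes an unlimited zone is reported as limit=0, the value used to set it.
SAMPLE = """\
default limit=6
zone=5,limit=6,count=6
zone=6,limit=6,count=2
zone=7,limit=0,count=40
zone=8,limit=6,count=0
"""

DEFAULT_RE = re.compile(r"^default limit=(\d+)$")
ZONE_RE = re.compile(r"^zone=(\d+),limit=(\d+),count=(\d+)$")


def parse_ct_limits(text):
    """Return (default_limit, {zone: (limit, count)})."""
    default, zones = None, {}
    for line in text.splitlines():
        line = line.strip()
        if m := DEFAULT_RE.match(line):
            default = int(m.group(1))
        elif m := ZONE_RE.match(line):
            zone, limit, count = map(int, m.groups())
            zones[zone] = (limit, count)
        elif line:
            raise ValueError(f"unrecognised line: {line!r}")
    return default, zones


def audit(text, maxconns=None):
    """Summarise headroom for the listed zones; limit 0 means unlimited."""
    default, zones = parse_ct_limits(text)
    unlimited = sorted(z for z, (lim, _) in zones.items() if lim == 0)
    full = sorted(z for z, (lim, cnt) in zones.items() if lim and cnt >= lim)
    # Limits apply per zone, so the listed zones can together hold the SUM of
    # their limits, and that sum is unbounded once any zone is unlimited.
    worst = None if unlimited else sum(lim for lim, _ in zones.values())
    return {
        "default": default,
        "unlimited_zones": unlimited,
        "full_zones": full,
        "worst_case_entries": worst,
        "current_entries": sum(cnt for _, cnt in zones.values()),
        # maxconns is a caller-supplied value (hypothetical parameter).
        "exceeds_maxconns": maxconns is not None
        and (worst is None or worst > maxconns),
    }
```

For the four zones in the thread's output (each at the default of 6), the worst case is 24 entries, not 6, which is why an aggregate cap has to come from `dpctl/ct-set-maxconns` or `nf_conntrack_max`.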