> On Aug 17, 2018, at 2:05 AM, Yi-Hung Wei <[email protected]> wrote:
>
> This patch series implements connection tracking zone limitation to
> limit the maximum number of conntrack entries in the conntrack table
> for every zone. This feature aims to resolve a problem that if one
> of the VMs/containers under attack abuses the usage of the conntrack
> entries, it may block the others from committing valid conntrack
> entries into the conntrack table.
>
> To address this issue, this patch series proposes to have a
> fine-grained mechanism that could limit the # of conntrack entries
> per zone. For example, we can designate different zones to different VMs,
> and set a conntrack limit for each zone. By providing this isolation, a
> misbehaved VM only consumes the conntrack entries in its own zone, and
> it will not influence other well-behaved VMs. Moreover, the users can
> set various conntrack limits on different zones based on their preference.
>
> This patch series consists of dpif layer support, kernel backports to
> support this feature in dpif-netlink, the dpif-netlink implementation,
> dpctl commands, and a system traffic test to verify this feature.
Thanks for the patches, Yi-Hung. I applied them to master and branch-2.10.

--Justin
