Hi Everyone,
I've been testing the conntrack limit per zone in OVS and noticed some
unexpected behavior.
Specifically, the count in 'ovs-dpctl ct-get-limits' only increases for
sessions in the ESTABLISHED state. Other states, such as TIME_WAIT or
CLOSE, are not counted.
After reviewing the code, it seems that OVS applies limits only to
active sessions (e.g. those in the ESTABLISHED state). However, from my point of
view, all records in the conntrack zone should be counted toward the limit.
This behavior could lead to issues if someone tries to overload the
conntrack zone with a large number of short-lived connections. For
example, conntrack records in the TIME_WAIT state can remain for up to 2
minutes, and in the CLOSE state for about 8 seconds. Since these are not
counted toward the limit, OVS won't prevent conntrack zone overload in
such scenarios.
It seems like the current implementation limits the number of active
connections per zone, rather than the total number of records in
conntrack per zone.
Is this the expected behavior? I think it would be useful to support
more flexible limits, allowing us to choose which states should increase
the count.
--
Best regards,
Evgenii Kovalev
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
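The discrepancy described in the post can be measured on a running system by tallying the records in a zone by state and comparing the ESTABLISHED-only figure with the total. The script below is an added example, not OVS code and not the poster's; it assumes the line layout printed by `ovs-dpctl dump-conntrack` (`<proto>,orig=(...),reply=(...),zone=N,...,protoinfo=(state=STATE)`) and the nf_conntrack-style TCP state names the post mentions (ESTABLISHED, TIME_WAIT, CLOSE). The dump lines and the per-zone limits are constructed sample data; on a live host, feed it the real dump and the limits from `ovs-dpctl ct-get-limits`.

```python
"""Per-zone conntrack record tally from `dump-conntrack` output.

Added example, not code from OVS or from the post's author.  Assumes the
one-entry-per-line layout `<proto>,orig=(...),reply=(...),zone=N,...,
protoinfo=(state=STATE)` and nf_conntrack-style TCP state names; verify both
against a real dump before relying on the numbers.
"""
import re
from collections import Counter, defaultdict

ZONE_RE = re.compile(r"(?:^|,)zone=(\d+)")
STATE_RE = re.compile(r"protoinfo=\(state=([A-Z_0-9]+)")


def make_entry(proto, zone, sport, state=None):
    """Build one constructed dump line in the assumed layout (sample data only)."""
    line = (f"{proto},orig=(src=10.0.0.1,dst=10.0.0.2,sport={sport},dport=80),"
            f"reply=(src=10.0.0.2,dst=10.0.0.1,sport=80,dport={sport}),zone={zone}")
    if state is not None:
        line += f",protoinfo=(state={state})"
    return line


# Constructed sample: zone 1 holds 3 ESTABLISHED, 3 TIME_WAIT and 1 CLOSE
# record; zone 2 holds 1 ESTABLISHED TCP record and 1 UDP record (no protoinfo).
SAMPLE_DUMP = "\n".join(
    [make_entry("tcp", 1, 40000 + i, "ESTABLISHED") for i in range(3)]
    + [make_entry("tcp", 1, 40010 + i, "TIME_WAIT") for i in range(3)]
    + [make_entry("tcp", 1, 40020, "CLOSE")]
    + [make_entry("tcp", 2, 50000, "ESTABLISHED"), make_entry("udp", 2, 50001)]
)


def tally_zones(dump_text):
    """Return {zone: Counter(state -> records)}.  Entries with no zone= field
    are attributed to zone 0; entries without protoinfo (e.g. UDP) are counted
    under the pseudo-state 'NO_STATE' so they still count as records."""
    zones = defaultdict(Counter)
    for line in dump_text.splitlines():
        line = line.strip()
        if not line:
            continue
        zone_m = ZONE_RE.search(line)
        state_m = STATE_RE.search(line)
        zone = int(zone_m.group(1)) if zone_m else 0
        state = state_m.group(1) if state_m else "NO_STATE"
        zones[zone][state] += 1
    return dict(zones)


def compare_with_limits(zones, limits):
    """Per zone: the ESTABLISHED-only count (the figure the post reports
    ct-get-limits showing), the total number of records, the configured limit
    (None if unlimited), and whether the zone is over its limit only when every
    record is counted, i.e. the case the post argues the limit should catch."""
    report = {}
    for zone, counter in sorted(zones.items()):
        established = counter.get("ESTABLISHED", 0)
        total = sum(counter.values())
        limit = limits.get(zone)
        report[zone] = {
            "established": established,
            "total": total,
            "limit": limit,
            "over_by_total_only": limit is not None and established <= limit < total,
        }
    return report


if __name__ == "__main__":
    # Limits are constructed here; on a live system take them from
    # `ovs-dpctl ct-get-limits` instead.
    for zone, r in compare_with_limits(tally_zones(SAMPLE_DUMP), {1: 5, 2: 10}).items():
        print(f"zone={zone} established={r['established']} total={r['total']} "
              f"limit={r['limit']} over_by_total_only={r['over_by_total_only']}")
```

With the sample data, zone 1 has 3 ESTABLISHED records against a limit of 5, so the limit as the post describes it would not trigger, while the zone actually holds 7 records; that gap is what a flood of short-lived connections would widen while the TIME_WAIT and CLOSE records age out.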