Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-05-05 Thread Brian Haley
On 05/05/2016 06:36 PM, Florian Westphal wrote: Brian Haley wrote: I've seen cases where certain users are attacked, where the CT table is filled such that we start seeing "nf_conntrack: table full, dropping packet" messages (as expected). But other users continue to

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-05-05 Thread Florian Westphal
Brian Haley wrote:
> >> I've seen cases where certain users are attacked, where the CT table is
> >> filled such that we start seeing "nf_conntrack: table full, dropping packet"
> >> messages (as expected). But other users continue to function normally,
> >> unaffected. Is this

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-05-05 Thread Brian Haley
On 05/05/2016 04:54 PM, Florian Westphal wrote: Brian Haley wrote: Openstack networking creates virtual routers using namespaces for isolation between users. VETH pairs are used to connect the interfaces on these routers to different networks, whether they are internal

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-05-05 Thread Florian Westphal
Brian Haley wrote:
> Openstack networking creates virtual routers using namespaces for isolation
> between users. VETH pairs are used to connect the interfaces on these
> routers to different networks, whether they are internal (private) or
> external (public). In most

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-05-05 Thread Brian Haley
On 04/28/2016 01:13 PM, Florian Westphal wrote: [ CCing netdev so netns folks can have a look too ] This patch series removes the per-netns connection tracking tables. All conntrack objects are then stored in one global table. This avoids the infamous 'vmalloc' when lots of namespaces

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-05-05 Thread Pablo Neira Ayuso
On Thu, Apr 28, 2016 at 07:13:39PM +0200, Florian Westphal wrote:
> [ CCing netdev so netns folks can have a look too ]
>
> This patch series removes the per-netns connection tracking tables.
> All conntrack objects are then stored in one global table.
>
> This avoids the infamous

Re: [PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-05-03 Thread Pablo Neira Ayuso
On Thu, Apr 28, 2016 at 07:13:39PM +0200, Florian Westphal wrote:
> [ CCing netdev so netns folks can have a look too ]
>
> This patch series removes the per-netns connection tracking tables.
> All conntrack objects are then stored in one global table.
>
> This avoids the infamous

[PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-04-28 Thread Florian Westphal
[ CCing netdev so netns folks can have a look too ] This patch series removes the per-netns connection tracking tables. All conntrack objects are then stored in one global table. This avoids the infamous 'vmalloc' when lots of namespaces are used: We no longer allocate a new conntrack