Open Source and information security mailing list archives
Message-ID: <20250408095854.GB536@breakpoint.cc>
Date: Tue, 8 Apr 2025 11:58:54 +0200
From: Florian Westphal <fw@...len.de>
To: lvxiafei <xiafei_xupt@....com>
Cc: coreteam@...filter.org, davem@...emloft.net, edumazet@...gle.com,
	horms@...nel.org, kadlec@...filter.org, kuba@...nel.org,
	linux-kernel@...r.kernel.org, lvxiafei@...setime.com,
	netdev@...r.kernel.org, netfilter-devel@...r.kernel.org,
	pabeni@...hat.com, pablo@...filter.org
Subject: Re: [PATCH V2] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl

lvxiafei <xiafei_xupt@....com> wrote:
> From: lvxiafei <lvxiafei@...setime.com>
> 
> Support nf_conntrack_max settings in different netns.
> nf_conntrack_max is used to more flexibly limit the
> ct_count in different netns, which may be greater than
> the value in the parent namespace. The default value
> belongs to the global (ancestral) limit and no implicit
> limit is inherited from the parent namespace.

That seems the wrong thing to do.
There must be some way to limit the netns conntrack usage.

What's the actual intent here?

You could apply max = min(init_net->max, net->max)
Or, you could relax it as long as netns are owned
by initial user ns, I guess.

Or perhaps it's possible to make a guesstimate of
the maximum memory needed by the new limit, then
account that to memcg (at sysctl change time), and
reject if memcg is exhausted.

No other ideas at the moment, but I do not like the
"no limits" approach.
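The three limit policies weighed in this reply (the patch's stand-alone per-netns value, the min(init_net->max, net->max) clamp, and the relaxation for netns owned by the initial user ns) as an added C model that is not kernel code and not part of the thread; struct, enum and function names are constructed, and the entry counting only mimics the "table full" rejection nf_conntrack_max enforces.

```c
#include <stdbool.h>

/* Constructed model of a netns with its own nf_conntrack_max sysctl. */
struct ns_model {
    unsigned int max;           /* this netns' nf_conntrack_max value */
    unsigned int count;         /* live conntrack entries in this netns */
    bool owned_by_init_userns;  /* netns owner is the initial user ns */
};

enum limit_policy {
    POLICY_NO_INHERIT,  /* patch as posted: netns value stands alone */
    POLICY_MIN_CLAMP,   /* max = min(init_net->max, net->max) */
    POLICY_RELAX_INIT,  /* clamp only netns not owned by init user ns */
};

/* Effective limit a netns may grow to under the chosen policy. */
unsigned int effective_max(const struct ns_model *init_net,
                           const struct ns_model *net,
                           enum limit_policy policy)
{
    unsigned int clamped = net->max < init_net->max ? net->max : init_net->max;

    switch (policy) {
    case POLICY_MIN_CLAMP:
        return clamped;
    case POLICY_RELAX_INIT:
        return net->owned_by_init_userns ? net->max : clamped;
    case POLICY_NO_INHERIT:
    default:
        return net->max;
    }
}

/* Admit one conntrack entry in @net, or refuse when the table is "full". */
bool try_alloc_ct(const struct ns_model *init_net, struct ns_model *net,
                  enum limit_policy policy)
{
    if (net->count >= effective_max(init_net, net, policy))
        return false;
    net->count++;
    return true;
}

/* Fill @net until refused; returns how many entries the policy admitted.
 * Under POLICY_NO_INHERIT a child netns whose sysctl exceeds init_net's
 * is admitted past the global cap, which is the concern raised above. */
unsigned int fill_until_rejected(const struct ns_model *init_net,
                                 struct ns_model *net, enum limit_policy policy)
{
    unsigned int admitted = 0;
    while (try_alloc_ct(init_net, net, policy))
        admitted++;
    return admitted;
}
```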

