Open Source and information security mailing list archives
 
Message-Id: <20250408123908.3608-1-xiafei_xupt@163.com>
Date: Tue,  8 Apr 2025 20:39:08 +0800
From: lvxiafei <xiafei_xupt@....com>
To: fw@...len.de
Cc: coreteam@...filter.org,
	davem@...emloft.net,
	edumazet@...gle.com,
	horms@...nel.org,
	kadlec@...filter.org,
	kuba@...nel.org,
	linux-kernel@...r.kernel.org,
	lvxiafei@...setime.com,
	netdev@...r.kernel.org,
	netfilter-devel@...r.kernel.org,
	pabeni@...hat.com,
	pablo@...filter.org,
	xiafei_xupt@....com
Subject: Re: [PATCH V2] netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_max sysctl


On Tue, 8 Apr 2025 11:58:54 Florian Westphal <fw@...len.de> wrote:
> That seems the wrong thing to do.
> There must be some way to limit the netns conntrack usage.
>
> What's the actual intent here?
>
> You could apply max = min(init_net->max, net->max)
> Or, you could relax it as long as netns are owned
> by initial user ns, I guess.
>
> Or perhaps it's possible to make a guesstimate of
> the maximum memory needed by the new limit, then
> account that to memcg (at sysctl change time), and
> reject if memcg is exhausted.
>
> No other ideas at the moment, but I do not like the
> "no limits" approach.

The original nf_conntrack_max is a global variable.
Modifying it affects the connection tracking
limit in every other netns, and the maximum memory
consumption = number of netns * nf_conntrack_max.

This change makes nf_conntrack_max configurable per
netns, so the size of the connection tracking table
can be set and the connection tracking of each netns
limited more flexibly. For example, the initial user ns
has a default value (=max_factor*nf_conntrack_htable_size).
When netns 1 and netns 2 are created, their nf_conntrack_max
is the same as the nf_conntrack_max of the initial user ns.
You can then set netns 1 to 1k and netns 2 to 2k without
them affecting each other.

If the worry is that different netns may exceed the
initial user limit and the memory limit when set,
applying max = min(init_net->max, net->max) keeps the
value in each netns no greater than init_net->max, so the
new maximum memory consumption <= the original maximum
memory consumption, which limits memory consumption to a
certain extent. However, this brings several problems:

1. It does not allow nf_conntrack_max in other netns to be
greater than the nf_conntrack_max of the initial user. For
example, when other netns carry north-south traffic, the
actual number of tracked connections is greater than that
of the initial user.

2. If the nf_conntrack_max of the initial user is increased,
the maximum memory consumption will inevitably increase n-fold.

3. If the nf_conntrack_max of the initial user is reduced, will
the existing connections in other netns be affected?

