Go to file
Yi-Hung Wei 11efd5cb04 openvswitch: Support conntrack zone limit
Currently, nf_conntrack_max is used to limit the maximum number of
conntrack entries in the conntrack table for every network namespace.
For the VMs and containers that reside in the same namespace,
they share the same conntrack table, and the total # of conntrack entries
for all the VMs and containers are limited by nf_conntrack_max.  In this
case, if one of the VM/container abuses the usage the conntrack entries,
it blocks the others from committing valid conntrack entries into the
conntrack table.  Even if we can possibly put the VM in different network
namespace, the current nf_conntrack_max configuration is kind of rigid
that we cannot limit different VM/container to have different # conntrack
entries.

To address the aforementioned issue, this patch proposes to have a
fine-grained mechanism that could further limit the # of conntrack entries
per-zone.  For example, we can designate different zone to different VM,
and set conntrack limit to each zone.  By providing this isolation, a
mis-behaved VM only consumes the conntrack entries in its own zone, and
it will not influence other well-behaved VMs.  Moreover, the users can
set various conntrack limit to different zone based on their preference.

The proposed implementation utilizes Netfilter's nf_conncount backend
to count the number of connections in a particular zone.  If the number of
connection is above a configured limitation, ovs will return ENOMEM to the
userspace.  If userspace does not configure the zone limit, the limit
defaults to zero that is no limitation, which is backward compatible to
the behavior without this patch.

The following high leve APIs are provided to the userspace:
  - OVS_CT_LIMIT_CMD_SET:
    * set default connection limit for all zones
    * set the connection limit for a particular zone
  - OVS_CT_LIMIT_CMD_DEL:
    * remove the connection limit for a particular zone
  - OVS_CT_LIMIT_CMD_GET:
    * get the default connection limit for all zones
    * get the connection limit for a particular zone

Signed-off-by: Yi-Hung Wei <yihung.wei@gmail.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-25 16:45:19 -04:00
arch Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2018-05-24 22:20:51 -04:00
block
certs
crypto
Documentation net: dsa: qca8k: Add QCA8334 binding documentation 2018-05-23 15:45:55 -04:00
drivers mlx5e-updates-2018-05-19 2018-05-25 16:41:23 -04:00
firmware
fs umh: introduce fork_usermode_blob() helper 2018-05-23 13:23:39 -04:00
include openvswitch: Add conntrack limit netlink definition 2018-05-25 16:45:19 -04:00
init Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
ipc
kernel Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2018-05-24 22:20:51 -04:00
lib Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
LICENSES
mm mmap: relax file size limit for regular files 2018-05-19 09:29:11 -07:00
net openvswitch: Support conntrack zone limit 2018-05-25 16:45:19 -04:00
samples Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2018-05-24 22:20:51 -04:00
scripts Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2018-05-24 22:20:51 -04:00
security Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
sound
tools selftests: forwarding: Test mirror-to-gre w/ UL 802.1d+VLAN 2018-05-24 22:26:20 -04:00
usr
virt
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-05-21 16:01:54 -04:00
Makefile Linux 4.17-rc6 2018-05-20 15:31:38 -07:00
README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.