Brian Haley <brian.ha...@hpe.com> wrote: > Openstack networking creates virtual routers using namespaces for isolation > between users. VETH pairs are used to connect the interfaces on these > routers to different networks, whether they are internal (private) or > external (public). In most cases NAT is done inside the namespace as > packets move between the networks. > > I've seen cases where certain users are attacked, where the CT table is > filled such that we start seeing "nf_conntrack: table full, dropping packet" > messages (as expected). But other users continue to function normally, > unaffected. Is this still the case - each netns has some limit it can't > exceed?
The limit is global, the accounting per namespace. If the bucket count (net.netfilter.nf_conntrack_buckets) is high enough to accomodate the expected load and noone can create arbitrary number of net namespaces things are fine. I haven't changed the way this works yet because I did not have a better idea so far.
