For the ip_conntrack hashsize value, the rule seems to be
nf_conntrack_max/4.

Also, I found this on Red Hat (about their PaaS cloud platform):
https://access.redhat.com/site/solutions/362174

The OpenShift Deployment Guide recommends the following be added to the sysctl.conf file:

net.netfilter.nf_conntrack_max = 1048576

----- Original Message -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>
Cc: pve-devel@pve.proxmox.com
Sent: Monday, 3 March 2014 17:23:25
Subject: RE: pvefw: using ctmark to associate connections to VMs

> > I don't know if we can set up a really high value by default?
>
> no idea, sorry.
>
> > Also, it seems that another option must be tuned,
> >
> > /etc/modprobe.conf:
> >
> > options ip_conntrack hashsize=32768
> >
> >
> > I need to read a little more about it
>
> Does that mean that everybody can start a DOS attack by simply
> opening (faking) 64000 tcp connections?
>
> http://tools.ietf.org/html/rfc4987
>
> So what can we do to prevent that?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
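The thread above discusses three knobs without showing how they fit together: `nf_conntrack_max` (table size), the conntrack `hashsize` module parameter (bucket count, quoted in the message as max/4), and the SYN-flood concern raised via RFC 4987. The script below is an added example, not code from the pve-devel thread or from Proxmox: it reads the live conntrack counters from the standard `/proc/sys/net/netfilter/` files when they exist (falling back to constructed sample numbers so it also runs on a host without the module), reports table utilisation against a threshold, and renders the sysctl and modprobe lines for a chosen table size. Assumptions to note: the max/4 ratio is taken from the message, not from the kernel's own default sizing; the module is named `nf_conntrack` on current kernels (the message's `ip_conntrack` is the older name); and `net.ipv4.tcp_syncookies = 1` is added here as the standard RFC 4987 mitigation, which the thread asks about but does not answer.

```shell
#!/bin/sh
# Added example (not from the pve-devel thread): inspect the conntrack table
# and render the tuning the message discusses. /proc paths are the standard
# nf_conntrack sysctl files; the fallback numbers are constructed samples
# used when the script runs on a host without nf_conntrack loaded.

# Read an integer from a /proc/sys file, or fall back to a constructed
# sample value when the file is absent (non-Linux host, module not loaded).
read_sysctl_or_default() {
    path=$1; default=$2
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo "$default"
    fi
}

# Percentage of the conntrack table in use (integer arithmetic, rounds down).
conntrack_usage_pct() {
    count=$1; max=$2
    echo $(( count * 100 / max ))
}

# Hash bucket count derived from nf_conntrack_max using the max/4 ratio
# quoted in the message (assumption: we follow that ratio, not the kernel's
# own default relation between the two values).
recommended_hashsize() {
    echo $(( $1 / 4 ))
}

# Render the lines for /etc/sysctl.conf and /etc/modprobe.d/ for a table size.
render_tuning() {
    max=$1
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$max"
    # SYN cookies (RFC 4987) keep half-open SYNs from consuming state; added
    # here as the usual answer to the DoS question raised in the thread.
    printf 'net.ipv4.tcp_syncookies = 1\n'
    printf 'options nf_conntrack hashsize=%s\n' "$(recommended_hashsize "$max")"
}

# Warn when usage crosses a threshold (default 80%); return 1 on WARN so the
# function can drive a cron job or monitoring check.
check_conntrack() {
    count=$1; max=$2; threshold=${3:-80}
    pct=$(conntrack_usage_pct "$count" "$max")
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARN conntrack table ${pct}% full ($count/$max)"
        return 1
    fi
    echo "OK conntrack table ${pct}% full ($count/$max)"
    return 0
}

# Stand-alone run: live values where available, constructed samples otherwise.
cur_count=$(read_sysctl_or_default /proc/sys/net/netfilter/nf_conntrack_count 52428)
cur_max=$(read_sysctl_or_default /proc/sys/net/netfilter/nf_conntrack_max 65536)
check_conntrack "$cur_count" "$cur_max" || true
render_tuning 1048576
```

On a running host the `hashsize` line only takes effect at module load; the bucket count can also be changed without a reload by writing to `/sys/module/nf_conntrack/parameters/hashsize`. Raising `nf_conntrack_max` alone, as the OpenShift guide suggests, buys headroom but does not stop a remote party from filling the table; that is why the SYN-cookie line sits beside it here.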