>>What if we simply add this as additional option to host.fw?
Yes, sure!
- Original Mail -
From: "Dietmar Maurer"
To: "Alexandre DERUMIER"
Cc: pve-devel@pve.proxmox.com
Sent: Tuesday 4 March 2014 08:56:07
Subject: RE: pvefw: using ctmark to associacte connections to VMs
> >>That would use 288MB RAM?
>
> Yes. That's why I have proposed to adjust it dynamically with the number of VMs.
>
> I myself have hosts with 256GB RAM, so I really don't care about 288MB of
> RAM.
> (I have around 50-60 guests, so worst case potential 60 x total 6
> connections)
What if we simply add this as additional option to host.fw?
>>That would use 288MB RAM?
Yes. That's why I have proposed to adjust it dynamically with the number of VMs.
I myself have hosts with 256GB RAM, so I really don't care about 288MB of RAM.
(I have around 50-60 guests, so worst case potential 60 x total 6
connections)
> https://access.redhat.com/site/solutions/362174
> The OpenShift Deployment Guide recommends the following be added to
> the sysctl.conf file:
>
> net.netfilter.nf_conntrack_max = 1048576
That would use 288MB RAM?
___
pve-devel mailing list
pve-devel@pve.proxmox.com
For the ip_conntrack hashsize value,
the rule seems to be
nf_conntrack_max/4
Also, I found this on Red Hat (about their PaaS cloud platform)
https://access.redhat.com/site/solutions/362174
The OpenShift Deployment Guide recommends the following be added to the
sysctl.conf file:
net.netfilter.nf_conntrack_max = 1048576
>>Seems syncookies are off by default?
Yes, we should enable them!
- Original Mail -
From: "Dietmar Maurer"
To: "Alexandre DERUMIER"
Cc: pve-devel@pve.proxmox.com
Sent: Monday 3 March 2014 17:28:44
Subject: RE: pvefw: using ctmark to associacte connections to VMs
> > > Does that mean that everybody can start a DOS attack by simply
> > > opening (faking) 64000 tcp connections?
> >
> > http://tools.ietf.org/html/rfc4987
> >
> > So what can we do to prevent that?
>
> Seems syncookies are off by default?
>
> # cat /proc/sys/net/ipv4/tcp_syncookies
> 0
Also found
> I don't know if we can set up a really high value by default?
no idea, sorry.
> Also, it seems that another option must be tuned,
>
> /etc/modprobe.conf:
>
> options ip_conntrack hashsize=32768
>
> I need to read a little more about it
Does that mean that everybody can start a DOS attack by simply opening (faking) 64000 tcp connections?
> >>Or is it good enough to use local ARP tables for that?
> >>
> >># cat /proc/net/arp
>
> Oh, yes! I didn't think about that.
> It should be faster and a lot less overhead.
yes, sometimes things are easier than expected ;-)
pve-devel@pve.proxmox.com
Sent: Monday 3 March 2014 07:47:19
Subject: RE: [pve-devel] pvefw: using ctmark to associacte connections to VMs
> It's possible with ipset to dynamically add to an ipset ipmap a src ip from an
> iptables match
Or is it good enough to use local ARP tables for that?
# cat /proc/net/arp
> It's possible with ipset to dynamically add to an ipset ipmap a src ip from an
> iptables match
>
> "iptables -m mac --mac-source $macaddr -j SET --add-set tapxxxipmap src"
>
> So maybe it is possible to create one ipset ipmap per tap device and, in the tap-out
> chain, add the src(s) to the tap ipset
Cc: pve-devel@pve.proxmox.com
Sent: Sunday 2 March 2014 18:09:51
Subject: Re: [pve-devel] pvefw: using ctmark to associacte connections to VMs
>>But I just noticed that we need 2 different marks, because we can have traffic
>>from VM1 to VM2. So we need 2 marks/zones?
Yes, in 1l
From: "Dietmar Maurer"
To: "Alexandre DERUMIER"
Cc: pve-devel@pve.proxmox.com
Sent: Sunday 2 March 2014 09:07:19
Subject: RE: [pve-devel] pvefw: using ctmark to associacte connections to VMs
Thanks for that link.
But I just noticed that we need 2 different marks, because we can have traffic from VM1 to VM2. So we need 2 marks/zones?
>>What is the disadvantage having that as default?
Well, the default value is quite low (if I remember correctly, 64000).
And in the past I have had packet drops (when netfilter conntrack was enabled
on bridges in the kernel),
because this really tracks all connections, including not yet established ones (like a syn
fl
Another reason is that a user might have more VMs on their system than our
default will allow. Granted, they'd need a really powerful server to do
that, and would probably also know what to tweak to adapt, but a dynamic
value allows us to allocate the resources we need instead of just an
arbitrary
> >>What is the advantage of using dynamic value? You want to save RAM?
> I'm thinking of users who have small servers with small RAM, and other users
> who have big servers with big RAM.
>
> But sure, we can tune net.netfilter.nf_conntrack_max, but users must be
> warned to do it.
What is the disadvantage having that as default?
Thanks for that link.
But I just noticed that we need 2 different marks, because we can have traffic
from VM1 to VM2. So we need 2 marks/zones?
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5d0aa2ccd4699a01cfdf14886191c249d7b45a01
>
> netfilter: nf_conntrack: add sup
Cc: pve-devel@pve.proxmox.com
Sent: Sunday 2 March 2014 08:45:23
Subject: Re: [pve-devel] pvefw: using ctmark to associacte connections to VMs
>>That is why I want to set ctmark with iptables (that is listed in
>>/proc/net/nf_conntrack).
There is also the "zone" field in /proc/net/nf_conntrack
according to
https://lwn.net/Articles/370152/
"
A zone is simply a numerical identifier associated with a network
device that is incorporated
>>What is the advantage of using dynamic value? You want to save RAM?
I'm thinking of users who have small servers with small RAM, and other users
who have big servers with big RAM.
But sure, we can tune net.netfilter.nf_conntrack_max, but users must be warned
to do it.
> >>So that we can parse /proc/net/nf_conntrack to list open connections for
> a VM.
>
> I'm not sure, but I think you don't have interfaces listed in nf_conntrack,
> only ip src,ip dst.
That is why I want to set ctmark with iptables (that is listed in
/proc/net/nf_conntrack).
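As an added example (not code from this thread or from Proxmox), here is a small Python parser for /proc/net/nf_conntrack that selects the entries carrying a given ctmark, which is the per-VM listing being discussed; the sample lines are constructed, and the UDP line shows the missing state column. It also counts half-open TCP flows, since those occupy conntrack slots like any other entry.

```python
"""Parse /proc/net/nf_conntrack and list the flows carrying a given ctmark."""
import re
# Constructed sample in /proc/net/nf_conntrack format (not captured from a real host);
# the mark/zone values are arbitrary and stand for "one mark per VM".
SAMPLE = """\
ipv4     2 tcp      6 431995 ESTABLISHED src=10.0.0.11 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=10.0.0.11 sport=443 dport=51234 [ASSURED] mark=101 zone=101 use=1
ipv4     2 tcp      6 17 SYN_RECV src=198.51.100.7 dst=10.0.0.11 sport=40001 dport=80 src=10.0.0.11 dst=198.51.100.7 sport=80 dport=40001 mark=101 zone=101 use=1
ipv4     2 udp      17 29 src=10.0.0.12 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.12 sport=53 dport=5353 mark=102 zone=102 use=1
ipv4     2 tcp      6 299 ESTABLISHED src=10.0.0.1 dst=10.0.0.2 sport=22 dport=41000 src=10.0.0.2 dst=10.0.0.1 sport=41000 dport=22 [ASSURED] mark=0 use=1
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse_entry(line):
    """Layout: l3 l3num l4 l4num timeout [state] k=v ... [FLAG] k=v ... (UDP has no
    state); the first src/dst/sport/dport group is the original direction, the second the reply."""
    f = line.split()
    if len(f) < 5:
        raise ValueError("malformed conntrack line: %r" % line)
    e = {"l3proto": f[0], "l4proto": f[2], "timeout": int(f[4])}
    rest = f[5:]
    e["state"] = rest.pop(0) if rest and "=" not in rest[0] else None
    orig, reply, flags = {}, {}, []
    for tok in rest:
        m = KV.fullmatch(tok)
        if not m:                       # bracketed flags such as [ASSURED] / [UNREPLIED]
            flags.append(tok.strip("[]"))
            continue
        k, v = m.groups()
        if k in ("src", "dst", "sport", "dport"):
            (reply if k in orig else orig)[k] = v
        else:                           # mark=, zone=, use=, ... kept as ints
            e[k] = int(v) if v.isdigit() else v
    e.update(orig=orig, reply=reply, flags=flags)
    return e

def connections_for_mark(text, mark):
    """Entries whose ctmark equals `mark` (mark taken as 0 when the kernel prints none)."""
    entries = (parse_entry(l) for l in text.splitlines() if l.strip())
    return [e for e in entries if e.get("mark", 0) == mark]

def count_half_open(text, mark):
    """TCP flows not yet established; they occupy conntrack slots like any other."""
    return sum(1 for e in connections_for_mark(text, mark)
               if e["l4proto"] == "tcp" and e["state"] in ("SYN_SENT", "SYN_RECV"))

def summarize(text, mark):
    """One line per flow, in a per-VM 'open connections' style (mark = VM id)."""
    fmt = "%s %s:%s -> %s:%s %s"
    return [fmt % (e["l4proto"], e["orig"]["src"], e["orig"]["sport"], e["orig"]["dst"],
                   e["orig"]["dport"], e["state"] or "-") for e in connections_for_mark(text, mark)]
```

On a real host, read the text from /proc/net/nf_conntrack and pass the mark your tap-in/tap-out rules set for that VM.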
> >>or dynamic value with number of vms ?)
>
> Maybe, allowing something like 32000 connections per VM (350 bytes of
> memory per connection, around 10MB) and net.netfilter.nf_conntrack_max =
> numberofvms x 32000.
What is the advantage of using dynamic value? You want to save RAM?
> about nf_conntrack, I think we should also tune
>
> /sbin/sysctl -w net.netfilter.nf_conntrack_max (maybe around 20 ? or
> dynamic value with number of vms ?)
>
We can add that to /etc/sysctl.d/pve.conf
>
> >>Since each VM uses distinct interfaces for all their traffic, wouldn't
> it be simpler to just list connections through each of those?
>
> AFAIK, you can't use netstat on host, to show connections on guest tap
> interfaces
>
Yeah, lsof doesn't seem to be any more useful in that area, either.
>>So that we can parse /proc/net/nf_conntrack to list open connections for a VM.
I'm not sure, but I think you don't have interfaces listed in nf_conntrack,
only ip src,ip dst.
- Original Mail -
From: "Dietmar Maurer"
To: pve-devel@pve.proxmox.com, "Alexandre DERUMIER (aderum...@odiso.
My mistake. I was thinking throughput for some reason. Probably sleep
deprivation. conn_track seems reasonable to me...
- Daniel Hunsaker
Owner / Developer
Lei's Genesis Experiment: Code For The Future!
On Fri, Feb 28, 2014 at 11:48 PM, Dietmar Maurer wrote:
>>or dynamic value with number of vms ?)
Maybe, allowing something like 32000 connections per VM (350 bytes of memory per
connection, around 10MB)
and net.netfilter.nf_conntrack_max = numberofvms x 32000.
- Original Mail -
From: "Alexandre DERUMIER"
To: "Dietmar Maurer"
Cc: pve-devel@pve.proxmox.com
Yes, it should work, at least for tcp. (I'm not sure it's working for udp?)
about nf_conntrack, I think we should also tune
/sbin/sysctl -w net.netfilter.nf_conntrack_max (maybe around 20 ? or
dynamic value with number of vms ?)
to avoid this kind of messages for high number of guest and
From: "Daniel Hunsaker"
To: "Dietmar Maurer"
Cc: "Alexandre DERUMIER" , pve-devel@pve.proxmox.com
Sent: Friday 28 February 2014 19:06:41
Subject: Re: [pve-devel] pvefw: using ctmark to associacte connections to VMs
> Since each VM uses distinct interfaces for all their traffic, wouldn't it be
> simpler to just list connections through each of those?
I was not aware that it is possible to do that.
So how can I list all connections for a specific interface?
Since each VM uses distinct interfaces for all their traffic, wouldn't it
be simpler to just list connections through each of those?
On Feb 28, 2014 10:47 AM, "Dietmar Maurer" wrote:
> I wonder if we can use ctmark to associate connections with VMs?
>
> So that we can parse /proc/net/nf_conntrack to list open connections for a VM.
I wonder if we can use ctmark to associate connections with VMs?
So that we can parse /proc/net/nf_conntrack to list open connections for a VM.
Is that reasonable, or are there some hidden disadvantages? Or are there other
ways to do that?