[pve-devel] pvefw: using ctmark to associate connections to VMs
Alexandre DERUMIER
aderumier at odiso.com
Sat Mar 1 13:59:58 CET 2014
>> or dynamic value with number of VMs?)
Maybe, allowing something like 32000 connections per VM (350 bytes of memory per connection, around 10 MB)
and net.netfilter.nf_conntrack_max = numberofvms x 32000.
----- Original message -----
From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: "Dietmar Maurer" <dietmar at proxmox.com>
Cc: pve-devel at pve.proxmox.com
Sent: Saturday 1 March 2014 08:53:42
Subject: Re: pvefw: using ctmark to associate connections to VMs
Yes, it should work, at least for TCP. (I'm not sure it's working for UDP?)
About nf_conntrack, I think we should also tune
/sbin/sysctl -w net.netfilter.nf_conntrack_max (maybe around 200000? or a dynamic value based on the number of VMs?)
to avoid this kind of message with a high number of guests and VMs with a high number of connections:
"nf_conntrack: table full, dropping packet."
----- Original message -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: pve-devel at pve.proxmox.com, "Alexandre DERUMIER (aderumier at odiso.com)" <aderumier at odiso.com>
Sent: Friday 28 February 2014 18:46:54
Subject: pvefw: using ctmark to associate connections to VMs
I wonder if we can use ctmark to associate connections with VMs?
So that we can parse /proc/net/nf_conntrack to list open connections for a VM.
Is that reasonable, or are there some hidden disadvantages? Or are there other ways to do that?
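The two ideas in this thread, listing a VM's connections by reading the ctmark out of /proc/net/nf_conntrack and sizing nf_conntrack_max from the VM count, can be exercised with the following script. It is an added example and not Proxmox code: it assumes the hypothetical convention that the firewall sets the conntrack mark to the VM id (for instance with `iptables -t mangle -A FORWARD -m physdev --physdev-in tap100i0 -j CONNMARK --set-mark 100`), and the sample conntrack lines embedded below are constructed, not captured from a real host. It also includes a UDP entry: conntrack tracks UDP as pseudo-flows with a timeout, so those rows carry a mark just like TCP ones.

```python
"""Group /proc/net/nf_conntrack entries by ctmark (assumed here to be the VM id)
and size nf_conntrack_max the way the thread proposes.

Added example for the pvefw discussion; not part of Proxmox VE.
"""
import os
import re
from collections import defaultdict

# Constructed sample of /proc/net/nf_conntrack output (not from a real system).
# Layout per line: l3proto l3num l4proto l4num timeout [tcp_state] key=value ... [FLAG] ...
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=10.0.0.5 sport=443 dport=51234 [ASSURED] mark=100 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=40000 mark=100 zone=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=10.0.0.6 dst=198.51.100.7 sport=33000 dport=22 [UNREPLIED] src=198.51.100.7 dst=10.0.0.6 sport=22 dport=33000 mark=101 zone=0 use=1
ipv4     2 tcp      6 30 TIME_WAIT src=192.168.1.10 dst=10.0.0.7 sport=5555 dport=80 src=10.0.0.7 dst=192.168.1.10 sport=80 dport=5555 [ASSURED] mark=0 zone=0 use=1
"""

KV = re.compile(r"^(\w+)=(\S+)$")
TUPLE_KEYS = ("src", "dst", "sport", "dport")


def parse_entry(line):
    """Parse one conntrack line into a dict with orig/reply tuples, flags and mark.

    The first src/dst/sport/dport group is the original direction, the second
    group (after an optional [UNREPLIED]) is the reply direction.
    """
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError("not a conntrack entry: %r" % line)
    entry = {"l3": tokens[0], "proto": tokens[2], "timeout": int(tokens[4]),
             "state": None, "orig": {}, "reply": {}, "flags": [], "mark": 0}
    rest = tokens[5:]
    # TCP (and SCTP/DCCP) print a state word before the tuples; UDP does not.
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        entry["state"] = rest.pop(0)
    for tok in rest:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])
            continue
        m = KV.match(tok)
        if not m:
            continue
        key, val = m.groups()
        if key in TUPLE_KEYS:
            side = "orig" if key not in entry["orig"] else "reply"
            entry[side][key] = val
        else:
            entry[key] = int(val) if val.isdigit() else val
    return entry


def connections_by_vm(text):
    """Map ctmark (assumed VM id; 0 = unmarked) to the list of parsed entries."""
    by_vm = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            e = parse_entry(line)
            by_vm[e["mark"]].append(e)
    return dict(by_vm)


def describe(entry):
    """One-line summary of an entry in the original direction."""
    o = entry["orig"]
    state = entry["state"] or ",".join(entry["flags"]) or "-"
    return "%s %s:%s -> %s:%s %s (timeout %ds)" % (
        entry["proto"], o["src"], o["sport"], o["dst"], o["dport"], state, entry["timeout"])


def conntrack_max_for(num_vms, per_vm=32000, bytes_per_entry=350):
    """nf_conntrack_max and approximate table memory for num_vms guests,
    using the per-VM budget and per-entry cost quoted in the thread."""
    total = num_vms * per_vm
    return total, total * bytes_per_entry


if __name__ == "__main__":
    path = "/proc/net/nf_conntrack"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for vm, entries in sorted(connections_by_vm(text).items()):
        print("mark %d: %d connections" % (vm, len(entries)))
        for e in entries:
            print("   ", describe(e))
    ct_max, mem = conntrack_max_for(10)
    print("10 VMs -> net.netfilter.nf_conntrack_max=%d (~%d MB)" % (ct_max, mem // 1000000))
```

Run as root on a host with nf_conntrack loaded it reads the real table, otherwise it falls back to the constructed sample. One caveat when raising nf_conntrack_max as proposed: the hash table size is a separate knob (`/sys/module/nf_conntrack/parameters/hashsize`, exposed as net.netfilter.nf_conntrack_buckets), and if it is left at its default the per-bucket chains grow with the entry count and lookups get slower, so scale both together.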