[pve-devel] pvefw: using ctmark to associacte connections to VMs

[Alexandre DERUMIER]

>>What is the disadvantage having that as default? 

Well, the default value is quite low (if I remember 64000).
And in the past, I have had packets drop (when netfilter conntrack was enabled on bridges in kernel)

because this really track all connections, also not yet established (like a syn flood, and you can easily filled the table).

I don't known if we can setup a really high value by default ?


Also, it's seem that another option must be tune,

/etc/modprobe.conf:

options ip_conntrack hashsize=32768


I need to read a little more about it

----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Dimanche 2 Mars 2014 09:14:50 
Objet: RE: pvefw: using ctmark to associacte connections to VMs 

> >>What is the advantage of using dynamic value? You want to save RAM? 
> I'm thinking of users who's have small server, will small ram and other users 
> who's have big server and big ram. 
> 
> But sure, we can tune net.netfilter.nf_conntrack_max, but users must be 
> warned to do it. 

What is the disadvantage having that as default?