[pve-devel] pvefw: using ctmark to associate connections to VMs
Alexandre DERUMIER
aderumier at odiso.com
Mon Mar 3 21:06:28 CET 2014
For the ip_conntrack hashsize value,
the rule seems to be
nf_conntrack_max/4
Also, I found this on Red Hat (about their PaaS cloud platform)
https://access.redhat.com/site/solutions/362174
The OpenShift Deployment Guide recommends the following be added to the sysctl.conf file:
net.netfilter.nf_conntrack_max = 1048576
----- Mail original -----
From: "Dietmar Maurer" <dietmar at proxmox.com>
To: "Alexandre DERUMIER" <aderumier at odiso.com>
Cc: pve-devel at pve.proxmox.com
Sent: Monday 3 March 2014 17:23:25
Subject: RE: pvefw: using ctmark to associate connections to VMs
> > I don't know if we can set up a really high value by default?
>
> no idea, sorry.
>
> > Also, it seems that another option must be tuned,
> >
> > /etc/modprobe.conf:
> >
> > options ip_conntrack hashsize=32768
> >
> >
> > I need to read a little more about it
>
> Does that mean that everybody can start a DoS attack by simply
> opening (faking) 64000 TCP connections?
http://tools.ietf.org/html/rfc4987
So what can we do to prevent that?
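As an added example (not code from the thread or from Proxmox), the sizing rule above (hashsize = nf_conntrack_max/4) and the table-exhaustion concern can be turned into a small POSIX shell check. The /proc paths are the standard Linux netfilter sysctl locations; the fallback count/max values are constructed for running the script offline.

```shell
#!/bin/sh
# Added example: size and monitor the nf_conntrack table.
# On a real host the live counters are read from /proc/sys/net/netfilter/;
# elsewhere constructed sample values are used so the script still runs.

# Rule of thumb from the thread: hashsize = nf_conntrack_max / 4.
conntrack_hashsize_for_max() {
    echo $(( $1 / 4 ))
}

# Percentage of the table in use, given the current entry count and the max.
conntrack_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Classify table pressure. When the table is full the kernel drops new
# connections ("nf_conntrack: table full, dropping packet"), which is the
# denial-of-service scenario the thread worries about, so alert early.
conntrack_status() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge 90 ]; then echo critical
    elif [ "$pct" -ge 75 ]; then echo warning
    else echo ok
    fi
}

# Emit the sysctl.conf line and the matching modprobe option for a chosen
# table size. Current kernels name the module nf_conntrack (the thread
# shows the older ip_conntrack name).
conntrack_config_lines() {
    printf 'net.netfilter.nf_conntrack_max = %s\n' "$1"
    printf 'options nf_conntrack hashsize=%s\n' "$(conntrack_hashsize_for_max "$1")"
}

# Live values when available, otherwise a constructed nearly-full table.
live_or_sample() {
    if [ -r /proc/sys/net/netfilter/nf_conntrack_count ]; then
        cat /proc/sys/net/netfilter/nf_conntrack_count \
            /proc/sys/net/netfilter/nf_conntrack_max | tr '\n' ' '
    else
        echo "60000 65536"   # constructed sample: 60000 of 65536 entries used
    fi
}

set -- $(live_or_sample)
echo "conntrack: $1/$2 entries ($(conntrack_usage_pct "$1" "$2")%), status: $(conntrack_status "$1" "$2")"
conntrack_config_lines 1048576
```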