Merge branch 'ovs-ct-zone'
Yi-Hung Wei says: ==================== openvswitch: Support conntrack zone limit Currently, nf_conntrack_max is used to limit the maximum number of conntrack entries in the conntrack table for every network namespace. For the VMs and containers that reside in the same namespace, they share the same conntrack table, and the total # of conntrack entries for all the VMs and containers are limited by nf_conntrack_max. In this case, if one of the VM/container abuses the usage the conntrack entries, it blocks the others from committing valid conntrack entries into the conntrack table. Even if we can possibly put the VM in different network namespace, the current nf_conntrack_max configuration is kind of rigid that we cannot limit different VM/container to have different # conntrack entries. To address the aforementioned issue, this patch proposes to have a fine-grained mechanism that could further limit the # of conntrack entries per-zone. For example, we can designate different zone to different VM, and set conntrack limit to each zone. By providing this isolation, a mis-behaved VM only consumes the conntrack entries in its own zone, and it will not influence other well-behaved VMs. Moreover, the users can set various conntrack limit to different zone based on their preference. The proposed implementation utilizes Netfilter's nf_conncount backend to count the number of connections in a particular zone. If the number of connection is above a configured limitation, OVS will return ENOMEM to the userspace. If userspace does not configure the zone limit, the limit defaults to zero that is no limitation, which is backward compatible to the behavior without this patch. The first patch defines the conntrack limit netlink definition, and the second patch provides the implementation. v4->v5: - Addresses comments from Parvin that include log error msg in ovs_ct_limit_init(), handle deletion for default limit, and add a common helper for get zone limit. - Rebases to master. v3->v4: - Addresses comments from Parvin that include simplify netlink API, and remove unncessary RCU lockings. - Rebases to master. v2->v3: - Addresses comments from Parvin that include using static keys to check if ovs_ct_limit features is used, only check ct_limit when a ct entry is unconfirmed, and reports rate limited warning messages when the ct limit is reached. - Rebases to master. v1->v2: - Fixes commit log typos suggested by Greg. - Fixes memory free issue that Julia found. ==================== Signed-off-by: David S. Miller <firstname.lastname@example.org>