[RFE] Allow to limit conntrack entries per tenant to avoid "nf_conntrack: table full, dropping packet"
Bug #2020358 reported by Alexey Stupnikov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | New | Wishlist | Unassigned |
Bug Description
Description of problem:
A tenant can cause network issues for other tenants: "nf_conntrack: table full, dropping packet".
In our cloud, a jmeter performance test running on two instances caused network issues for other tenants.
In /var/log/messages on the compute node we see the following message:
"nf_conntrack: table full, dropping packet."
This gerrit https:/
Neutron allows limiting bandwidth on a port, but you cannot limit the conntrack sessions for an instance, port or tenant.
From the Linux/iptables perspective it looks like:
- nf_conntrack_max still works in the previous fashion and doesn't support per-zone limits
- it is now possible to use the iptables connlimit module to enforce limits per zone
- in the Neutron code connlimit is not currently used
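The per-zone cap described in the comment above, as an added example that is not Neutron's or iptables' own code: each port already has its own conntrack zone under the iptables firewall driver, so a connlimit rule evaluated in that zone bounds how many entries one port can hold. The tap names, zone numbers and cap values below are hypothetical placeholders, and the script prints the rules by default (DRY_RUN=1) so it can be exercised without root or a compute node.

```shell
#!/bin/sh
# Added example, not Neutron or iptables project code: cap the number of
# conntrack entries one Neutron port can hold using the iptables connlimit
# match inside that port's conntrack zone. Interface names, zone numbers
# and limits are hypothetical placeholders.

# DRY_RUN=1 (default) prints the rules instead of applying them; set
# DRY_RUN=0 on a compute node to actually install them.
DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-iptables}"

run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# conntrack_cap_rules TAP ZONE MAX
#   1. raw/PREROUTING: assign packets arriving on TAP to conntrack zone ZONE
#      (the Neutron iptables firewall driver already assigns a zone per port;
#      it is repeated here so the example stands on its own).
#   2. filter/FORWARD: for NEW flows from TAP, DROP once more than MAX
#      conntrack entries exist in the packet's zone. --connlimit-mask 0 folds
#      every source address into a single bucket, so MAX is a cap for the
#      whole port rather than per client address. connlimit counts only
#      entries in the zone of the packet being matched, which is what makes
#      the cap per-zone rather than global.
conntrack_cap_rules() {
    tap="$1"; zone="$2"; max="$3"
    run_ipt -t raw -A PREROUTING -i "$tap" -j CT --zone "$zone"
    run_ipt -A FORWARD -i "$tap" -m conntrack --ctstate NEW \
        -m connlimit --connlimit-above "$max" --connlimit-mask 0 -j DROP
}

# zone_entry_count ZONE: live conntrack entries in ZONE, using the
# conntrack-tools zone filter (-w/--zone). Prints 0 if the tool is missing.
zone_entry_count() {
    conntrack -L -w "$1" 2>/dev/null | wc -l | tr -d ' '
}

# headroom_ok MAX_PER_PORT PORTS [GLOBAL_MAX]
# The per-zone caps only prevent "table full" if their sum stays below the
# host-wide nf_conntrack_max, which remains a single global limit. Prints
# "ok" or "oversubscribed". GLOBAL_MAX defaults to the running kernel's value.
headroom_ok() {
    per_port="$1"; ports="$2"
    global="${3:-$(cat /proc/sys/net/netfilter/nf_conntrack_max 2>/dev/null || echo 0)}"
    if [ $((per_port * ports)) -lt "$global" ]; then
        echo ok
    else
        echo oversubscribed
    fi
}

# Demo with two hypothetical ports and a 2000-entry cap each.
conntrack_cap_rules tap0a1b2c3d 4 2000
conntrack_cap_rules tap4e5f6a7b 5 2000
headroom_ok 2000 2 262144
```

A flow dropped in FORWARD never reaches the confirmation point at POSTROUTING, so its provisional conntrack entry is freed with the packet and does not consume a slot; the cap therefore really bounds the zone's footprint in the table. The rules only cover the instance-originated direction; traffic entering the port from the network side would need a matching rule on the -o side, and nf_conntrack_max still has to be sized for the sum of all caps plus the host's own traffic.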