[RFE] Allow to limit conntrack entries per tenant to avoid "nf_conntrack: table full, dropping packet"
Bug #2020358 reported by
Alexey Stupnikov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| neutron |
New
|
Wishlist
|
Unassigned | ||
Bug Description
Description of problem:
A tenant can cause network issues for other tenants: nf_conntrack: table full, dropping packet.
In our cloud had a jmeter performance test running on two instances caused network issues for other tenants.
In the /var/log/messages on the compute node we see the following message:
"nf_conntrack: table full, dropping packet."
This gerrit https:/
Neutron allows to limit bandwidth on a port, but you cannot limit the conntrack sessions for an instance, port or tenant.
Revision history for this message
| Alexey Stupnikov (astupnikov) wrote | #1 |
Revision history for this message
| yatin (yatinkarel) wrote | #2 |
| summary: |
- Allow to limit conntrack entries per tenant to avoid "nf_conntrack: - table full, dropping packet" + [RFE] Allow to limit conntrack entries per tenant to avoid + "nf_conntrack: table full, dropping packet" |
| Changed in neutron: | |
| importance: | Undecided → Wishlist |
Revision history for this message
| Alexey Stupnikov (astupnikov) wrote | #3 |
To post a comment you must log in.
From linux/iptables perspective it looks like:
- nf_conntrack_max still works in previous fashion and doesn't support per-zone limits
- it is now possible to use iptables connlimit module to enforce limits per zone
- in Neutron code connlimit is not currently used