
Is there any way to make iptables conntrack use separate data structures for each network interface? Would network namespaces help here (put each guest together with its tap device in its own netns and do the ipfilter conntrack inside that netns), or do they share the same data structures under the hood?

Background information: I'm running many qemu guests with each guest having its own tap device on the host for networking. For firewalling of the guests I use iptables on the host with connection tracking enabled (I cannot do the firewalling inside the guests). However a single (very busy) guest can overflow the conntrack table on the host. As this table is shared among all guests (and the host) this can render the whole host/guests unreachable because the host starts dropping packets/connections.

gucki
  • Haven't you tried simply raising the limits? – Michael Hampton Sep 26 '15 at 08:44
  • Yes, but imo this is more like a workaround but not a real solution. – gucki Sep 26 '15 at 08:46
  • It's the normal solution. Why is it not working for you? – Michael Hampton Sep 26 '15 at 10:00
  • Well, it just opens the host to a very easy (and probably unintended) DoS attack. Let's assume one client installs a load-balancer in his VM and receives thousands of connections per second. This could be fully legitimate, but it'd cause problems for the whole host. If he'd just overload his VM, no problem. – gucki Sep 26 '15 at 11:45
  • Well, conntrack has been available per-netns since 2008. So I think that ought to work if you have a recent kernel. – Michael Hampton Sep 26 '15 at 20:48
  • So you are sure they don't share data structures like the hash table? Each netns has its own hash table and can overflow that one? If yes, please write it as the answer so I can accept it. – gucki Sep 28 '15 at 10:06
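The namespace-per-guest layout the question asks about, written out as a script. This is an added example, not code from the original post or its comments. It assumes a routed (not bridged) setup: the guest's tap device is moved into a namespace named after the guest, the tap carries the guest's gateway address, and a veth pair links the namespace back to the host; all names and addresses (guest-a, tap-a, 10.0.1.0/24, the 10.255.N.0/30 link nets) are illustrative assumptions, and the guest is assumed to use .1 on its subnet as default gateway. The stateful iptables rules are installed inside the namespace. Whether the conntrack table and nf_conntrack_max are actually kept separate per namespace depends on the kernel version, so the script does not assume it; `check_guest_ns` reads the counter and limit from inside the namespace, which you can compare with the host's /proc/sys/net/netfilter/nf_conntrack_count while one guest is busy. `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original question): one network namespace per
# qemu guest, tap device moved into it, conntrack-based filtering inside it.
# All names and addresses are assumptions for illustration. Without DRY_RUN=1
# this needs root, iproute2 and iptables on the host.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_guest_ns NS TAP GUEST_NET LINK_IDX CT_MAX
#   NS        namespace name (one per guest)
#   TAP       the guest's tap device, currently in the host namespace
#   GUEST_NET guest subnet behind the tap, e.g. 10.0.1.0/24; .1 is the gateway
#   LINK_IDX  small integer selecting the 10.255.LINK_IDX.0/30 host<->ns link
#   CT_MAX    value written to nf_conntrack_max inside the namespace
setup_guest_ns() {
    ns="$1"; tap="$2"; net="$3"; idx="$4"; ctmax="$5"
    base="${net%.*}"                # 10.0.1.0/24 -> 10.0.1
    pfx="${net#*/}"                 # 10.0.1.0/24 -> 24
    host_end="10.255.$idx.1"; ns_end="10.255.$idx.2"

    run ip netns add "$ns"
    run ip link set "$tap" netns "$ns"
    run ip link add "host-$ns" type veth peer name "ns-$ns"
    run ip link set "ns-$ns" netns "$ns"

    # Inside the namespace: tap carries the guest's gateway, the veth end the
    # link to the host. net.ipv4.ip_forward is a per-namespace sysctl.
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip addr add "$base.1/$pfx" dev "$tap"
    run ip netns exec "$ns" ip link set "$tap" up
    run ip netns exec "$ns" ip addr add "$ns_end/30" dev "ns-$ns"
    run ip netns exec "$ns" ip link set "ns-$ns" up
    run ip netns exec "$ns" ip route add default via "$host_end"
    run ip netns exec "$ns" sysctl -w net.ipv4.ip_forward=1

    # Host side: the other veth end, a route for the guest subnet, forwarding.
    run ip addr add "$host_end/30" dev "host-$ns"
    run ip link set "host-$ns" up
    run ip route add "$net" via "$ns_end"
    run sysctl -w net.ipv4.ip_forward=1

    # Stateful filtering inside the namespace. The conntrack match brings up
    # conntrack for this namespace; only connections the guest initiates are
    # let out, replies ride on existing state, everything else hits the DROP
    # policy.
    run ip netns exec "$ns" iptables -P FORWARD DROP
    run ip netns exec "$ns" iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run ip netns exec "$ns" iptables -A FORWARD -i "$tap" -o "ns-$ns" -m conntrack --ctstate NEW -j ACCEPT

    # Whether this write sets a namespace-local limit or is rejected / mirrors
    # the global value depends on the kernel version (assumption: it is
    # writable). check_guest_ns shows what the kernel actually reports.
    run ip netns exec "$ns" sysctl -w "net.netfilter.nf_conntrack_max=$ctmax"
}

# Report conntrack counter and limit as seen from inside a namespace. Compare
# with the host's /proc/sys/net/netfilter/nf_conntrack_count while one guest
# is busy to see whether the table is really separate on the kernel in use.
check_guest_ns() {
    ns="$1"
    for f in nf_conntrack_count nf_conntrack_max; do
        printf '%s %s: ' "$ns" "$f"
        run ip netns exec "$ns" cat "/proc/sys/net/netfilter/$f"
    done
}

# Example run (RUN_EXAMPLE=1 DRY_RUN=1 sh this.sh prints the command sequence;
# drop DRY_RUN to apply it as root).
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
    setup_guest_ns guest-a tap-a 10.0.1.0/24 1 65536
    check_guest_ns guest-a
fi
```

The guest itself still has to be started with its tap device as usual; qemu opens the tap by name from the host namespace before it is moved, so move the tap after the guest is up, or create the tap inside the namespace and run qemu with `ip netns exec`.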
