gucki

Asked: 2015-09-27 00:19:47 +0800 CST2015-09-27 00:19:47 +0800 CST 2015-09-27 00:19:47 +0800 CST

How to prevent conntrack overflow on host with many qemu guests

Is there any way to make iptables conntrack use separate data structures for each network interface? Would network namespaces help here (put each guest together with its tap device in its own netns and do the ipfilter conntrack inside that netns), or do they share the same data structures under the hood?

Background information: I'm running many qemu guests with ech guest having its own tap device on the host for networking. For firewalling of the guests I use iptables on the host with connection tracking enabled (I cannot do the firewalling inside the guests). However a single (very busy) guest can overflow the conntrack table on the host. As this table is shared among all guests (and the host) this can render the whole host/ guests unreachable because the host starts dropping packets/ connections.

How to prevent conntrack overflow on host with many qemu guests

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?

How to prevent conntrack overflow on host with many qemu guests

0 Answers