yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2020358] [NEW] Allow to limit conntrack entries per tenant to avoid "nf_conntrack: table full, dropping packet"

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Alexey Stupnikov <2020358@xxxxxxxxxxxxxxxxxx>
Date: Mon, 22 May 2023 11:53:55 -0000
Reply-to: Bug 2020358 <2020358@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Description of problem:

A tenant can cause network issues for other tenants: nf_conntrack: table
full, dropping packet.

In our cloud had a jmeter performance test running on two instances
caused network issues for other tenants.

In the /var/log/messages on the compute node we see the following message:
"nf_conntrack: table full, dropping packet."

This gerrit https://review.openstack.org/#/c/275769/ increases the limit
to 500.000 but this is a workaround as a tenant can still increase usage
up to this new limit.

Neutron allows to limit bandwidth on a port, but you cannot limit the
conntrack sessions for an instance, port or tenant.


RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1399987

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: rfe

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2020358

Title:
  Allow to limit conntrack entries per tenant to avoid "nf_conntrack:
  table full, dropping packet"

Status in neutron:
  New

Bug description:
  Description of problem:

  A tenant can cause network issues for other tenants: nf_conntrack:
  table full, dropping packet.

  In our cloud had a jmeter performance test running on two instances
  caused network issues for other tenants.

  In the /var/log/messages on the compute node we see the following message:
  "nf_conntrack: table full, dropping packet."

  This gerrit https://review.openstack.org/#/c/275769/ increases the
  limit to 500.000 but this is a workaround as a tenant can still
  increase usage up to this new limit.

  Neutron allows to limit bandwidth on a port, but you cannot limit the
  conntrack sessions for an instance, port or tenant.

  
  RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1399987

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2020358/+subscriptions