Hello,
On Sat, 23 May 2026, Julian Anastasov wrote:
> Currently, we are using atomic_t to track the number of
> connections. On 64-bit setups with large memory there is
> a risk that this counter will overflow. Also, setups with many
> containers may need to tune the limit for connections.
>
> Add sysctl control to limit the number of connections to
> 1,073,741,824 (64-bit) and 16,777,216 (32-bit).
> Depending on the admin's privilege, the value is
> used to change a soft or hard limit allowing
> unprivileged admins to change the soft limit in
> range determined by privileged admins.
>
> Link: https://sashiko.dev/#/patchset/20260430074420.26697-7-ja%40ssi.bg
> Link: https://sashiko.dev/#/patchset/20260522105546.13732-1-ja%40ssi.bg
> Signed-off-by: Julian Anastasov <ja@xxxxxx>
Forgot that writers should be serialized. Will send v3.
https://sashiko.dev/#/patchset/20260523172715.94795-1-ja%40ssi.bg
pw-bot: changes-requested
> + if (write && !rc && val != unset) {
> + struct netns_ipvs *ipvs = table->extra2;
> + bool priv = capable(CAP_NET_ADMIN);
> + /* Unprivileged admins can not go above the hard limit */
> + int max = priv ? IP_VS_CONN_MAX : ipvs->conn_max_limit;
> +
> + if (val < 0 || val > max) {
> + rc = -EINVAL;
> + } else {
> + /* Privileged admin changes both limits */
> + if (priv)
> + ipvs->conn_max_limit = val;
> + WRITE_ONCE(*valp, val);
> + }
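Review bot: the read of ipvs->conn_max_limit into max and the two stores that follow it are not serialized against other writers of this sysctl. A second writer that runs between `int max = priv ? IP_VS_CONN_MAX : ipvs->conn_max_limit;` and `WRITE_ONCE(*valp, val);` can lower conn_max_limit after the `val > max` check has already passed, so an unprivileged write can leave the soft limit above the freshly lowered hard limit. Take a mutex around the whole check-and-store (the range check, the conditional store to ipvs->conn_max_limit and the WRITE_ONCE to *valp), and if conn_max_limit is ever read outside that lock, pair the plain store `ipvs->conn_max_limit = val;` with READ_ONCE/WRITE_ONCE the way *valp already is.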
Regards
--
Julian Anastasov <ja@xxxxxx>
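The two-tier limit described in the commit message (a hard limit that only a privileged admin may raise, and a soft limit that an unprivileged admin may move within it), modelled in user space as an added example. This is not the IPVS patch or any kernel code; the names ipvs_limits, conn_limit_write, conn_limit_soft, conn_limit_invariant_ok and CONN_MAX are hypothetical, and the writer serialization the reply says was missing is done here with a small spinlock on an atomic_flag only to keep the example free of library dependencies (the kernel handler would use a mutex, since a sysctl handler may sleep). Unlike the sysctl handler, the example also checks the invariant that the soft limit never exceeds the hard limit after every write.

```c
/* Added example, not the IPVS patch: user-space model of a privilege-gated
 * soft/hard connection limit with serialized writers.
 * All names below are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* 2^30, the 64-bit limit quoted in the commit message. */
#define CONN_MAX 1073741824

struct ipvs_limits {
    atomic_flag lock;      /* serializes writers: hard-limit read + both stores */
    int conn_max_limit;    /* hard limit: only a privileged admin may change it */
    int conn_max;          /* soft limit: the value the sysctl exposes */
};

static void limits_lock(struct ipvs_limits *l)
{
    /* Test-and-set spinlock; stands in for the mutex the kernel would use. */
    while (atomic_flag_test_and_set_explicit(&l->lock, memory_order_acquire))
        ;
}

static void limits_unlock(struct ipvs_limits *l)
{
    atomic_flag_clear_explicit(&l->lock, memory_order_release);
}

static void limits_init(struct ipvs_limits *l)
{
    atomic_flag_clear(&l->lock);
    l->conn_max_limit = CONN_MAX;
    l->conn_max = CONN_MAX;
}

/* Write the sysctl. priv models capable(CAP_NET_ADMIN).
 * Returns 0 on success, -EINVAL if val is outside the caller's range. */
static int conn_limit_write(struct ipvs_limits *l, bool priv, int val)
{
    int rc = 0;

    limits_lock(l);
    /* Unprivileged admins cannot go above the hard limit; the read of
     * conn_max_limit and the stores below happen under the same lock,
     * so a concurrent privileged writer cannot slip in between them. */
    int max = priv ? CONN_MAX : l->conn_max_limit;
    if (val < 0 || val > max) {
        rc = -EINVAL;
    } else {
        /* Privileged admin changes both limits */
        if (priv)
            l->conn_max_limit = val;
        l->conn_max = val;
    }
    limits_unlock(l);
    return rc;
}

/* Read the soft limit under the lock. */
static int conn_limit_soft(struct ipvs_limits *l)
{
    limits_lock(l);
    int v = l->conn_max;
    limits_unlock(l);
    return v;
}

/* The property the serialization protects: soft limit <= hard limit. */
static bool conn_limit_invariant_ok(struct ipvs_limits *l)
{
    limits_lock(l);
    bool ok = l->conn_max >= 0 && l->conn_max <= l->conn_max_limit &&
              l->conn_max_limit <= CONN_MAX;
    limits_unlock(l);
    return ok;
}

int main(void)
{
    struct ipvs_limits l;
    limits_init(&l);

    /* Privileged admin sets the hard (and soft) limit to 1,000,000. */
    printf("priv 1000000 -> %d\n", conn_limit_write(&l, true, 1000000));
    /* Unprivileged admin may not exceed it, but may lower the soft limit. */
    printf("unpriv 2000000 -> %d\n", conn_limit_write(&l, false, 2000000));
    printf("unpriv 500000 -> %d\n", conn_limit_write(&l, false, 500000));
    printf("soft limit now %d, invariant %s\n", conn_limit_soft(&l),
           conn_limit_invariant_ok(&l) ? "ok" : "BROKEN");
    return 0;
}
```

The sequence in main() is constructed: a privileged write of 1,000,000 succeeds and sets both limits, an unprivileged write of 2,000,000 is rejected with -EINVAL, an unprivileged write of 500,000 is accepted, and the invariant check passes after each step.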