datapath-windows: Add an upper limit to conntrack entries
authorSairam Venugopal <vsairam@vmware.com>
Wed, 30 Aug 2017 20:26:34 +0000 (13:26 -0700)
committerAlin Gabriel Serdean <aserdean@ovn.org>
Fri, 1 Sep 2017 20:03:10 +0000 (23:03 +0300)
The current implementation lacked an upper bound on the number of entries in
the system. Set the size to ~2M (2^21) for the time being.

Signed-off-by: Sairam Venugopal <vsairam@vmware.com>
Acked-by: Shashank Ram <rams@vmware.com>
Acked-by: Alin Gabriel Serdean <aserdean@ovn.org>
Signed-off-by: Alin Gabriel Serdean <aserdean@ovn.org>
datapath-windows/ovsext/Conntrack.c
datapath-windows/ovsext/Conntrack.h

index ce8c1c85e822c4aaa7304780d64a1aed2dae0616..8bcda05e2ae89a46a892eaf868af6859c7b295e6 100644 (file)
@@ -722,6 +722,16 @@ OvsCtExecute_(OvsForwardingContext *fwdCtx,
         entry = NULL;
     }
 
+    if (!entry && commit && ctTotalEntries >= CT_MAX_ENTRIES) {
+        /* Don't proceed with processing if the max limit has been hit.
+         * This blocks only new entries from being created and doesn't
+         * affect existing connections.
+         */
+        NdisReleaseRWLock(ovsConntrackLockObj, &lockState);
+        OVS_LOG_ERROR("Conntrack Limit hit: %lu", ctTotalEntries);
+        return NDIS_STATUS_RESOURCES;
+    }
+
     if (!entry) {
         /* If no matching entry was found, create one and add New state */
         entry = OvsCtEntryCreate(fwdCtx, key->ipKey.nwProto,
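Review bot: The `OVS_LOG_ERROR("Conntrack Limit hit: %lu", ctTotalEntries);` line in the added branch runs for every packet that would commit a new entry once the table is full, so the connection flood that fills the table also floods the log at error level. Logging once when the limit is first reached (and again only after the count has dropped back below it), or rate-limiting the message, keeps the signal for operators without the per-packet cost. The counter is also read after `NdisReleaseRWLock`, so the printed value may differ from the one that was compared; if ctTotalEntries is only updated under that lock, copying it into a local before the release would avoid that. OvsCtExecute_ starts and ends outside this hunk, so how callers handle `NDIS_STATUS_RESOURCES` is not visible here.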
index bca7d9051dbcaff661e3a427abbaddaeb6dbae85..be5f34dc565d65ef642917fab00ffef39263f69b 100644 (file)
@@ -131,6 +131,7 @@ typedef struct OvsConntrackKeyLookupCtx {
     BOOLEAN         related;
 } OvsConntrackKeyLookupCtx;
 
+#define CT_MAX_ENTRIES 1 << 21
 #define CT_HASH_TABLE_SIZE ((UINT32)1 << 10)
 #define CT_HASH_TABLE_MASK (CT_HASH_TABLE_SIZE - 1)
 #define CT_INTERVAL_SEC 10000000LL //1s
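Review bot: `CT_MAX_ENTRIES` is defined as the bare expression `1 << 21`, unlike `CT_HASH_TABLE_SIZE` on the next line, so a later use beside a higher-precedence operator (for example `CT_MAX_ENTRIES - 1`, which parses as `1 << 20`) would silently change the limit. The `>=` comparison in Conntrack.c works only because shift binds tighter than the relational operator. I would write `#define CT_MAX_ENTRIES ((UINT32)1 << 21)` to match its neighbour, assuming ctTotalEntries is unsigned (its declaration is not shown), and add a short comment that this caps the total number of conntrack entries. Separately, with `CT_HASH_TABLE_SIZE` at 2^10, a full table would average about 2^11 entries per bucket if entries are chained per bucket, so it is worth confirming that lookup cost is acceptable at the limit.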