Thread: 6 messages, 6 authors, 2014-11-04

Re: [Patch net-next] net: make neigh tables per netns

From: Jesper Dangaard Brouer <hidden>
Date: 2014-06-30 18:15:36


On Fri, 27 Jun 2014 22:12:52 -0700 ebiederm@xmission.com (Eric W. Biederman) wrote:
Cong Wang [off-list ref] writes:
On Thu, Jun 26, 2014 at 3:44 PM, David Miller [off-list ref] wrote:
[...]
Hmm, I did overlook the potential DOS problem. But hold on, don't
IP fragments have the same problem? The fragment queues are per
netns, and the thresh is per netns as well, so we will eventually have
memory pressure as well.
Interesting.  It does look like ip fragments are susceptible that way.
For IP fragments we have a per-netns mem-limit and LRU-list, but all
netns share the same hash table, which has its own DoS potential.

And argh! - we have a hardcoded INETFRAGS_MAXDEPTH=128, which can be
used for (slow) DoS of IP frags if enough netns are created.

https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/tree/net/ipv4/inet_fragment.c#n344

Introduced by commit 5a3da1fe9 ("inet: limit length of fragment queue
hash table bucket lists").
-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Sr. Network Kernel Developer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer
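As an added illustration (not code from the thread or from the kernel), a small Python model of the interaction Jesper points out: hash buckets shared by every namespace with a hard per-bucket depth cap, while the memory threshold is accounted per netns. The bucket count, the 4 MiB threshold, the 1 KiB queue size and the namespace names are assumptions; MAXDEPTH mirrors the INETFRAGS_MAXDEPTH=128 quoted in the message.

```python
from collections import defaultdict

MAXDEPTH = 128  # mirrors the hardcoded INETFRAGS_MAXDEPTH named in the thread


class SharedFragTable:
    """Toy model: one hash table for all netns, memory accounting per netns."""

    def __init__(self, nbuckets=64, netns_mem_thresh=4 * 1024 * 1024):
        self.buckets = defaultdict(list)   # bucket index -> [(netns, key), ...]
        self.mem = defaultdict(int)        # netns -> bytes in use (per-netns limit)
        self.thresh = netns_mem_thresh     # assumed per-netns threshold
        self.nbuckets = nbuckets

    def bucket_of(self, key):
        # Stand-in for the kernel hash; it does not include the netns,
        # so queues from different namespaces can share a bucket chain.
        return hash(key) % self.nbuckets

    def find_or_create(self, netns, key, size):
        chain = self.buckets[self.bucket_of(key)]
        for ns, k in chain:
            if ns == netns and k == key:
                return "found"
        if len(chain) > MAXDEPTH:
            return "ENOBUFS"            # chain too deep: refused, whoever filled it
        if self.mem[netns] + size > self.thresh:
            return "ENOMEM-netns"       # this namespace's own limit
        chain.append((netns, key))
        self.mem[netns] += size
        return "created"


def scenario():
    """Hypothetical run: netns 'b' fills one bucket chain while staying far
    below its own memory threshold; netns 'a' is then refused in that bucket
    even though it holds no fragment memory at all."""
    t = SharedFragTable()
    target = 7
    # 129 distinct keys that all land in bucket 7 (hash(int) == int for small ints)
    for i in range(MAXDEPTH + 1):
        assert t.find_or_create("b", target + i * t.nbuckets, 1024) == "created"
    mem_a_before = t.mem["a"]
    refused = t.find_or_create("a", target + 1000 * t.nbuckets, 1024)
    elsewhere = t.find_or_create("a", target + 1, 1024)   # a different bucket
    return {"refused": refused, "elsewhere": elsewhere,
            "mem_a_before": mem_a_before, "mem_b": t.mem["b"]}
```

The per-netns memory limit never triggers here, which is the point of the thread: the shared bucket depth cap is the resource that crosses namespace boundaries.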