From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
netdev@vger.kernel.org, yoshfuji@linux-ipv6.org
Subject: Re: [PATCH RFC] ipv6: use stronger hash for reassembly queue hash table
Date: Thu, 14 Mar 2013 10:18:10 +0100 [thread overview]
Message-ID: <1363252690.14913.42.camel@localhost> (raw)
In-Reply-To: <20130314072839.GD4129@order.stressinduktion.org>
On Thu, 2013-03-14 at 08:28 +0100, Hannes Frederic Sowa wrote:
> On Thu, Mar 14, 2013 at 08:23:41AM +0100, Hannes Frederic Sowa wrote:
> > On Thu, Mar 14, 2013 at 08:10:40AM +0100, Jesper Dangaard Brouer wrote:
> > > On Thu, 2013-03-14 at 02:37 +0100, Hannes Frederic Sowa wrote:
> > >
> > > > [PATCH net] inet: limit length of fragment queue hash table bucket lists
> > > >
> > > > This patch introduces a constant limit of the fragment queue hash
> > > > table bucket list lengths. Currently the limit 128 is choosen somewhat
> > > > arbitrary and just ensures that we can fill up the fragment cache with
> > > > empty packets up to the default ip_frag_high_thresh limits. It should
> > > > just protect from list iteration eating considerable amounts of cpu.
> > > >
> > > > If we reach the maximum length in one hash bucket a warning is printed.
> > > > This is implemented on the caller side of inet_frag_find to distinguish
> > > > between the different users of inet_fragment.c.
> > >
> > > I like the idea of having a safe guard on the fragment queue hash table
> > > bucket list lengths. But I'm considering another cleanup/evictor
> > > strategy, where we drop the LRU list, and do frag eviction on a hash
> > > bucket level (which will be more cache optimal). This strategy would
> > > also involve a list length limit.
> >
> > I would try to get a simple guard into v3.9. In 3.9 the hashing of the key
> > of ipv6 fragments changed in such a way that an attacker could generate
> > fragments which would end up in just one hash chain, thus eating a lot
> > of cpu time because of list traversal. Later on, when you post your
> > patches we could simply revert/update this safeguard to your version.
>
> I just wanted to mention that if you plan to target v3.9 with some patches we
> could simply drop this patch.
I will start working on this as soon as Netfilter Workshop is over and I
have recovered from organizing this event. DaveM told me I needed to
finish my frag patches first, before I could implement all the other
cool ideas we have come up with during the workshop ;-)
But I don't know if my frag changes can make v3.9, maybe v3.10 is more
realistic? In which case we should use your patch to close this problem
on v3.9 IMHO.
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Sr. Network Kernel Developer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
next prev parent reply other threads:[~2013-03-14 9:18 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-03-07 21:42 [PATCH RFC] ipv6: use stronger hash for reassembly queue hash table Hannes Frederic Sowa
2013-03-08 5:57 ` Hannes Frederic Sowa
2013-03-08 13:04 ` Hannes Frederic Sowa
2013-03-08 14:53 ` Eric Dumazet
2013-03-08 15:08 ` Hannes Frederic Sowa
2013-03-08 15:23 ` Eric Dumazet
2013-03-08 15:54 ` Hannes Frederic Sowa
2013-03-08 16:15 ` Eric Dumazet
2013-03-08 16:18 ` Hannes Frederic Sowa
2013-03-09 15:19 ` Hannes Frederic Sowa
2013-03-08 20:53 ` Hannes Frederic Sowa
2013-03-13 1:27 ` Hannes Frederic Sowa
2013-03-13 1:31 ` Hannes Frederic Sowa
2013-03-13 5:29 ` Eric Dumazet
2013-03-14 1:37 ` Hannes Frederic Sowa
2013-03-14 4:36 ` Stephen Hemminger
2013-03-14 7:14 ` Hannes Frederic Sowa
2013-03-14 9:47 ` David Laight
2013-03-14 10:34 ` Eric Dumazet
2013-03-14 12:34 ` Hannes Frederic Sowa
2013-03-14 7:10 ` Jesper Dangaard Brouer
2013-03-14 7:23 ` Hannes Frederic Sowa
2013-03-14 7:28 ` Hannes Frederic Sowa
2013-03-14 9:18 ` Jesper Dangaard Brouer [this message]
2013-03-14 12:45 ` Hannes Frederic Sowa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1363252690.14913.42.camel@localhost \
--to=brouer@redhat.com \
--cc=eric.dumazet@gmail.com \
--cc=hannes@stressinduktion.org \
--cc=netdev@vger.kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.