From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Lunn <andrew@lunn.ch>
Subject: Re: [PATCH] net: bridge: add max_fdb_count
Date: Thu, 16 Nov 2017 04:01:07 +0100
Message-ID: <20171116030107.GI2130@lunn.ch>
References: <1510774027-2468-1-git-send-email-srn@prgmr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: netdev@vger.kernel.org
To: Sarah Newman <srn@prgmr.com>
Return-path: <netdev-owner@vger.kernel.org>
Received: from vps0.lunn.ch ([185.16.172.187]:56186 "EHLO vps0.lunn.ch"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751029AbdKPDBI (ORCPT <rfc822;netdev@vger.kernel.org>);
        Wed, 15 Nov 2017 22:01:08 -0500
Content-Disposition: inline
In-Reply-To: <1510774027-2468-1-git-send-email-srn@prgmr.com>
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

> @@ -556,6 +559,10 @@ void br_fdb_update(struct net_bridge *br, struct net_bridge_port *source,
>  	if (hold_time(br) == 0)
>  		return;
>  
> +	/* Place maximum on number of learned entries. */
> +	if (br->max_fdb_count <= br->fdb_count)
> +		return;
> +

Hi Sarah

We probably want a rate limited warning printed here. If the table is
full, it will have to start flooding frames, which is not good for
performance. Having something in the log will help debug the problem.
The log will also give a hit that a DoS attack could be happening.

    Andrew