From: David Ahern <dsahern@kernel.org>
To: Eric Dumazet <edumazet@google.com>,
	"David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>, Keyu Man <keyu.man@email.ucr.edu>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	netdev@vger.kernel.org, eric.dumazet@gmail.com,
	stable@vger.kernel.org
Subject: Re: [PATCH net-next 1/3] icmp: change the order of rate limits
Date: Wed, 28 Aug 2024 21:29:07 -0700	[thread overview]
Message-ID: <ed3ca336-7fbb-4247-bdd1-4ee5f3697d11@kernel.org> (raw)
In-Reply-To: <20240828193948.2692476-2-edumazet@google.com>

On 8/28/24 1:39 PM, Eric Dumazet wrote:
> ICMP messages are ratelimited:
> 
> After the blamed commits, the two rate limiters are applied in this order:
> 
> 1) host wide ratelimit (icmp_global_allow())
> 
> 2) Per destination ratelimit (inetpeer based)
> 
> In order to avoid side-channel attacks, we need to apply
> the per destination check first.
> 
> This patch makes the following change:
> 
> 1) icmp_global_allow() checks if the host wide limit is reached.
>    But credits are not yet consumed. This is deferred to 3)
> 
> 2) The per destination limit is checked/updated.
>    This might add a new node in inetpeer tree.
> 
> 3) icmp_global_consume() consumes tokens if prior operations succeeded.
> 
> This means that host wide ratelimit is still effective
> in keeping inetpeer tree small even under DDOS.
> 
> As a bonus, I removed icmp_global.lock as the fast path
> can use a lock-free operation.
> 
> Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited")
> Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
> Reported-by: Keyu Man <keyu.man@email.ucr.edu>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Jesper Dangaard Brouer <hawk@kernel.org>
> Cc: stable@vger.kernel.org
> ---
>  include/net/ip.h |   2 +
>  net/ipv4/icmp.c  | 103 ++++++++++++++++++++++++++---------------------
>  net/ipv6/icmp.c  |  28 ++++++++-----
>  3 files changed, 76 insertions(+), 57 deletions(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>
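As an added illustration (not code from the patch or the kernel), the following C model shows the three-step ordering the commit message describes: check the host-wide limit without consuming, apply the per-destination limit, then consume global credits only if both passed. The function names follow the patch, but the credit counts and the peer table are constructed for the example.

```c
/* Model of the reordered ICMP rate limits: global check, per-destination
 * check, then global consume. Constructed example, not kernel code. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define GLOBAL_BURST 4   /* constructed: host-wide credits per window */
#define PEER_BURST   1   /* constructed: replies per destination per window */
#define MAX_PEERS    8   /* constructed: size of the stand-in inetpeer table */

struct global_limit { int credit; };
struct peer { uint32_t daddr; int credit; bool used; };

static struct global_limit icmp_global = { GLOBAL_BURST };
static struct peer peers[MAX_PEERS];

/* Step 1: is the host-wide limit reached? Credits are not consumed here. */
static bool icmp_global_allow(void) { return icmp_global.credit > 0; }

/* Step 3: consume a global credit once the per-destination check passed. */
static void icmp_global_consume(void) { if (icmp_global.credit > 0) icmp_global.credit--; }

/* Step 2: per-destination limit. A new peer node is only created after
 * step 1 succeeded, so the global limit still bounds the table under flood. */
static bool peer_allow(uint32_t daddr) {
    for (int i = 0; i < MAX_PEERS; i++)
        if (peers[i].used && peers[i].daddr == daddr) {
            if (peers[i].credit > 0) { peers[i].credit--; return true; }
            return false;             /* this destination is rate limited */
        }
    for (int i = 0; i < MAX_PEERS; i++)
        if (!peers[i].used) {
            peers[i] = (struct peer){ daddr, PEER_BURST - 1, true };
            return true;
        }
    return false;                     /* peer table full */
}

/* Patched ordering: a reply denied by the per-destination limit leaves the
 * global credit untouched, so it cannot be observed through the global bucket. */
bool icmp_reply_allowed(uint32_t daddr) {
    if (!icmp_global_allow()) return false;
    if (!peer_allow(daddr)) return false;
    icmp_global_consume();
    return true;
}

void rate_limit_reset(void) { icmp_global.credit = GLOBAL_BURST; memset(peers, 0, sizeof peers); }
int global_credit_left(void) { return icmp_global.credit; }
bool peer_exists(uint32_t daddr) {
    for (int i = 0; i < MAX_PEERS; i++) if (peers[i].used && peers[i].daddr == daddr) return true;
    return false;
}
```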
