From: Thomas Graf <tgraf@suug.ch>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Patrick McHardy <kaber@trash.net>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [v1 PATCH 7/14] netfilter: Use rhashtable_lookup instead of lookup_compare
Date: Fri, 20 Mar 2015 21:56:12 +0000
Message-ID: <20150320215612.GA566@casper.infradead.org>
In-Reply-To: <20150320214712.GA23963@gondor.apana.org.au>

On 03/21/15 at 08:47am, Herbert Xu wrote:
> On Fri, Mar 20, 2015 at 10:27:01AM +0000, Patrick McHardy wrote:
> > On 20.03, Herbert Xu wrote:
> >
> > > Any hash function can be attacked. That's why we need to be able
> > > to rehash it. And the best way to decide when to rehash is based
> > > on chain length (otherwise you'd waste time rehashing periodically
> > > like we used to do). With name spaces these days anyone could be
> > > an adversary.
> >
> > We already had this discussion. I strongly do not believe this is
> > the right way to fix namespace problems. There are millions of ways
> > of creating CPU intensive workloads. You need to be able to put
> > bounds on the entire namespace. Fixing individual spots will not
> > solve that problem.
>
> A CPU intensive workload that can be rescheduled is completely
> different from one that is running under spin lock with BH disabled.

Just make the chain length based growth function configurable
and nft_hash can disable it. nft_hash entries are not created by
unprivileged users so attacking the table is out of the question.
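
The trade-off argued in this message, as an added sketch (not kernel code and not code from this thread): a seeded chained table that reseeds and relinks when an insert sees a chain longer than a limit, with a flag that switches the check off as the reply proposes. The names, the limit of 8, the mix function and the LCG reseed are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define NBUCKETS    64u /* fixed power-of-two size (assumed) */
#define CHAIN_LIMIT 8u  /* assumed threshold, not a value from the thread */

struct entry { uint32_t key; struct entry *next; };
struct table {
    struct entry *bucket[NBUCKETS];
    uint32_t seed;
    unsigned rehashes;
    int rehash_on_chain; /* the knob the reply wants to be configurable */
};

/* murmur3 finalizer over key ^ seed; a stand-in for the kernel's jhash */
static uint32_t bucket_of(uint32_t key, uint32_t seed) {
    uint32_t x = key ^ seed;
    x ^= x >> 16; x *= 0x85ebca6bu; x ^= x >> 13; x *= 0xc2b2ae35u; x ^= x >> 16;
    return x & (NBUCKETS - 1);
}
/* Link e at the head of its chain; return the resulting chain length. */
static unsigned link_entry(struct table *t, struct entry *e) {
    struct entry **head = &t->bucket[bucket_of(e->key, t->seed)];
    unsigned len = 1;
    for (struct entry *p = *head; p; p = p->next) len++;
    e->next = *head; *head = e;
    return len;
}
/* Insert; if the chain is too long and the knob is on, reseed and relink all. */
static void insert(struct table *t, struct entry *e) {
    struct entry *all = NULL;
    if (link_entry(t, e) <= CHAIN_LIMIT || !t->rehash_on_chain) return;
    for (unsigned i = 0; i < NBUCKETS; i++)
        while ((e = t->bucket[i])) { t->bucket[i] = e->next; e->next = all; all = e; }
    t->seed = t->seed * 1664525u + 1013904223u; /* LCG stand-in for a random seed */
    while ((e = all)) { all = e->next; link_entry(t, e); }
    t->rehashes++;
}
/* Constructed input: n keys that all land in bucket 0 under the initial seed. */
static unsigned demo(int rehash_on_chain, unsigned n, unsigned *rehashes) {
    static struct entry pool[64];
    struct table t = { .seed = 0x1234abcdu, .rehash_on_chain = rehash_on_chain };
    unsigned used = 0, longest = 0;
    for (uint32_t k = 0; used < n && used < 64; k++)
        if (bucket_of(k, 0x1234abcdu) == 0) { pool[used].key = k; insert(&t, &pool[used++]); }
    for (unsigned i = 0; i < NBUCKETS; i++) {
        unsigned len = 0;
        for (struct entry *p = t.bucket[i]; p; p = p->next) len++;
        if (len > longest) longest = len;
    }
    *rehashes = t.rehashes;
    return longest; /* longest chain left in the table */
}
```

With the flag off, `demo` leaves every constructed key in one chain, which is the long walk under a lock that the quoted text is concerned about; with it on, the first over-limit insert reseeds and the keys spread out.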