From: Willy Tarreau <w@1wt.eu>
To: Andrew Lunn <andrew@lunn.ch>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
Vincent Bernat <bernat@luffy.cx>, Sarah Newman <srn@prgmr.com>,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
netdev@vger.kernel.org, roopa <roopa@cumulusnetworks.com>
Subject: Re: [PATCH] net: bridge: add max_fdb_count
Date: Fri, 17 Nov 2017 19:44:31 +0100
Message-ID: <20171117184431.GA17987@1wt.eu>
In-Reply-To: <20171117140623.GA5809@lunn.ch>

Hi Andrew,

On Fri, Nov 17, 2017 at 03:06:23PM +0100, Andrew Lunn wrote:
> > Usually it's better to apply LRU or random here in my opinion, as the
> > new entry is much more likely to be needed than older ones by definition.
>
> Hi Willy
>
> I think this depends on why you need to discard. If it is normal
> operation and the limits are simply too low, I would agree.
>
> If however it is a DoS, throwing away the new entries makes sense,
> leaving the old ones which are more likely to be useful.
>
> Most of the talk in this thread has been about limits for DoS
> prevention...

Sure, but my point is that it can kick in on regular traffic and in
this case it can be catastrophic. That's only what bothers me. If
we have an unlimited default value with this algorithm I'm fine
because nobody will get caught by accident with a bridge suddenly
replicating high traffic on all ports because an unknown limit was
reached. That's the principle of least surprise.

I know that when fighting DoSes there are never any universally good
solutions and one has to make tradeoffs. I'm perfectly fine with this.

Cheers,
Willy
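
The trade-off argued in this exchange, as an added example that is not part of the original message or of the patch under discussion: a toy model of a bounded forwarding table that compares refusing new entries with LRU eviction, once when the limit is simply too low and once when the table is being filled by junk sources. The capacity of 4, the host numbers, the absence of ageing and all function names are assumptions made for the illustration.

```c
#include <stdio.h>

#define CAP 4   /* constructed table limit standing in for max_fdb_count */
enum policy { DROP_NEW, EVICT_LRU };
struct fdb { unsigned mac[CAP]; unsigned long used[CAP], clock; int n; };

static int fdb_find(const struct fdb *t, unsigned mac) {
    for (int i = 0; i < t->n; i++)
        if (t->mac[i] == mac) return i;
    return -1;
}

/* Learn src (the policy decides what happens when the table is full), then
 * return 1 if dst is unknown, i.e. the frame is flooded to every port. */
static int bridge_rx(struct fdb *t, enum policy p, unsigned src, unsigned dst) {
    int i = fdb_find(t, src);
    if (i < 0 && t->n < CAP) {
        i = t->n++;
        t->mac[i] = src;
    } else if (i < 0 && p == EVICT_LRU) {
        i = 0;                               /* pick least recently seen entry */
        for (int j = 1; j < CAP; j++)
            if (t->used[j] < t->used[i]) i = j;
        t->mac[i] = src;
    }
    if (i >= 0) t->used[i] = ++t->clock;     /* i < 0: DROP_NEW refused src */
    return fdb_find(t, dst) < 0;
}

/* Flooded frames among active hosts once hosts 1..4 have filled the table.
 * dos=0: 1..4 go quiet, 5..8 take over. dos=1: 1 and 2 keep talking while
 * CAP never-repeating (constructed) sources per round compete for slots. */
int floods(enum policy p, int dos, int rounds) {
    struct fdb t = {0};
    unsigned junk = 0x1000; int f = 0;
    for (unsigned h = 1; h <= CAP; h++) bridge_rx(&t, p, h, 0);
    for (int r = 0; r < rounds; r++) {
        for (int k = 0; dos && k < CAP; k++) bridge_rx(&t, p, junk++, 1);
        unsigned a = dos ? 1 : 5, b = a + 1;
        f += bridge_rx(&t, p, a, b); f += bridge_rx(&t, p, b, a);
        if (!dos) { f += bridge_rx(&t, p, 7, 8); f += bridge_rx(&t, p, 8, 7); }
    }
    return f;
}

int main(void) {
    printf("limit too low: drop-new=%d lru=%d\n", floods(DROP_NEW, 0, 10), floods(EVICT_LRU, 0, 10));
    printf("dos:           drop-new=%d lru=%d\n", floods(DROP_NEW, 1, 10), floods(EVICT_LRU, 1, 10));
    return 0;
}
```

In this model each policy is the better one in exactly one of the two cases, which is why the choice of default limit matters as much as the choice of policy.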