Date: Wed, 20 May 2020 19:24:17 +0200
From: Christian Brauner
To: David Ahern
Cc: "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, Jakub Kicinski, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next] ipv6/route: inherit max_sizes from current netns
Message-ID: <20200520172417.4m7pyalpftdd2xrm@wittgenstein>
References: <20200520145806.3746944-1-christian.brauner@ubuntu.com> <4b22a3bc-9dae-3f49-6748-ec45deb09a01@gmail.com>
In-Reply-To: <4b22a3bc-9dae-3f49-6748-ec45deb09a01@gmail.com>

On Wed, May 20, 2020 at 10:54:21AM -0600, David Ahern wrote:
> On 5/20/20 8:58 AM, Christian Brauner wrote:
> > During NorthSec (cf. [1]) a very large number of unprivileged
> > containers and nested containers are run during the competition to
> > provide a safe environment for the various teams during the event. Every
> > year a range of feature requests or bug reports come out of this and
> > this year's no different.
> > One of the containers was running a simple VPN server. There were about
> > 1.5k users connected to this VPN over ipv6 and the container was set up
> > with about 100 custom routing tables when it hit the max_sizes routing
> > limit. After this no new connections could be established anymore,
> > pinging didn't work anymore; you get the idea.
> >
>
> should have been addressed by:
>
> commit d8882935fcae28bceb5f6f56f09cded8d36d85e6
> Author: Eric Dumazet
> Date:   Fri May 8 07:34:14 2020 -0700
>
>     ipv6: use DST_NOCOUNT in ip6_rt_pcpu_alloc()
>
>     We currently have to adjust ipv6 route gc_thresh/max_size depending
>     on number of cpus on a server, this makes very little sense.
>
>
> Did your tests include this patch?

No, it's also pretty hard to trigger. The conference was pretty good for
this. I tested on top of rc6. I'm probably missing the big picture here,
could you briefly explain how this commit fixes the problem we ran into?

Thanks!
Christian