[PATCH net-next 0/3] ipv6: snmp: avoid performance issue with RATELIMITHOST

[PATCH net-next 0/3] ipv6: snmp: avoid performance issue with RATELIMITHOST

[Eric Dumazet]

Addition of ICMP6_MIB_RATELIMITHOST in commit d0941130c9351
("icmp: Add counters for rate limits") introduced a performance
drop in case of DOS (like receiving UDP packets
to closed ports).

Per netns ICMP6_MIB_RATELIMITHOST tracking uses per-cpu
storage and is enough, we do not need per-device and slow tracking
for this metric.

Eric Dumazet (3):
  ipv6: snmp: remove icmp6type2name[]
  ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore
  ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST

 include/net/ip.h | 11 ++++++
 net/ipv6/icmp.c  |  3 +-
 net/ipv6/proc.c  | 87 ++++++++++++++++++++++++++----------------------
 3 files changed, 60 insertions(+), 41 deletions(-)

-- 
2.51.0.338.gd7d06c2dae-goog

[PATCH net-next 1/3] ipv6: snmp: remove icmp6type2name[]

[Eric Dumazet]

This 2KB array can be replaced by a switch() to save space.

Before:
$ size net/ipv6/proc.o
   text	   data	    bss	    dec	    hex	filename
   6410	    624	      0	   7034	   1b7a	net/ipv6/proc.o

After:
$ size net/ipv6/proc.o
   text	   data	    bss	    dec	    hex	filename
   5516	    592	      0	   6108	   17dc	net/ipv6/proc.o

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/ipv6/proc.c | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index 752327b10dde..e96f14a36834 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -99,26 +99,6 @@ static const struct snmp_mib snmp6_icmp6_list[] = {
 	SNMP_MIB_SENTINEL
 };
 
-/* RFC 4293 v6 ICMPMsgStatsTable; named items for RFC 2466 compatibility */
-static const char *const icmp6type2name[256] = {
-	[ICMPV6_DEST_UNREACH] = "DestUnreachs",
-	[ICMPV6_PKT_TOOBIG] = "PktTooBigs",
-	[ICMPV6_TIME_EXCEED] = "TimeExcds",
-	[ICMPV6_PARAMPROB] = "ParmProblems",
-	[ICMPV6_ECHO_REQUEST] = "Echos",
-	[ICMPV6_ECHO_REPLY] = "EchoReplies",
-	[ICMPV6_MGM_QUERY] = "GroupMembQueries",
-	[ICMPV6_MGM_REPORT] = "GroupMembResponses",
-	[ICMPV6_MGM_REDUCTION] = "GroupMembReductions",
-	[ICMPV6_MLD2_REPORT] = "MLDv2Reports",
-	[NDISC_ROUTER_ADVERTISEMENT] = "RouterAdvertisements",
-	[NDISC_ROUTER_SOLICITATION] = "RouterSolicits",
-	[NDISC_NEIGHBOUR_ADVERTISEMENT] = "NeighborAdvertisements",
-	[NDISC_NEIGHBOUR_SOLICITATION] = "NeighborSolicits",
-	[NDISC_REDIRECT] = "Redirects",
-};
-
-
 static const struct snmp_mib snmp6_udp6_list[] = {
 	SNMP_MIB_ITEM("Udp6InDatagrams", UDP_MIB_INDATAGRAMS),
 	SNMP_MIB_ITEM("Udp6NoPorts", UDP_MIB_NOPORTS),
@@ -151,11 +131,31 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib)
 
 	/* print by name -- deprecated items */
 	for (i = 0; i < ICMP6MSG_MIB_MAX; i++) {
+		const char *p = NULL;
 		int icmptype;
-		const char *p;
+
+#define CASE(TYP, STR) case TYP: p = STR; break;
 
 		icmptype = i & 0xff;
-		p = icmp6type2name[icmptype];
+		switch (icmptype) {
+/* RFC 4293 v6 ICMPMsgStatsTable; named items for RFC 2466 compatibility */
+		CASE(ICMPV6_DEST_UNREACH,	"DestUnreachs")
+		CASE(ICMPV6_PKT_TOOBIG,		"PktTooBigs")
+		CASE(ICMPV6_TIME_EXCEED,	"TimeExcds")
+		CASE(ICMPV6_PARAMPROB,		"ParmProblems")
+		CASE(ICMPV6_ECHO_REQUEST,	"Echos")
+		CASE(ICMPV6_ECHO_REPLY,		"EchoReplies")
+		CASE(ICMPV6_MGM_QUERY,		"GroupMembQueries")
+		CASE(ICMPV6_MGM_REPORT,		"GroupMembResponses")
+		CASE(ICMPV6_MGM_REDUCTION,	"GroupMembReductions")
+		CASE(ICMPV6_MLD2_REPORT,	"MLDv2Reports")
+		CASE(NDISC_ROUTER_ADVERTISEMENT, "RouterAdvertisements")
+		CASE(NDISC_ROUTER_SOLICITATION, "RouterSolicits")
+		CASE(NDISC_NEIGHBOUR_ADVERTISEMENT, "NeighborAdvertisements")
+		CASE(NDISC_NEIGHBOUR_SOLICITATION, "NeighborSolicits")
+		CASE(NDISC_REDIRECT,		"Redirects")
+		}
+#undef CASE
 		if (!p)	/* don't print un-named types here */
 			continue;
 		snprintf(name, sizeof(name), "Icmp6%s%s",
-- 
2.51.0.338.gd7d06c2dae-goog

[PATCH net-next 2/3] ipv6: snmp: do not use SNMP_MIB_SENTINEL anymore

[Eric Dumazet]

Use ARRAY_SIZE(), so that we know the limit at compile time.

Following patch needs this preliminary change.

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 include/net/ip.h | 11 +++++++++++
 net/ipv6/proc.c  | 39 ++++++++++++++++++++++-----------------
 2 files changed, 33 insertions(+), 17 deletions(-)

diff --git a/include/net/ip.h b/include/net/ip.h
index 6dbd2bf8fa9c..856e62aae036 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -349,6 +349,17 @@ static inline u64 snmp_fold_field64(void __percpu *mib, int offt, size_t syncp_o
 	} \
 }
 
+#define snmp_get_cpu_field_batch_cnt(buff, stats_list, cnt, mib_statistic) \
+{ \
+	int i, c; \
+	for_each_possible_cpu(c) { \
+		for (i = 0; i < cnt; i++) \
+			buff[i] += snmp_get_cpu_field( \
+						mib_statistic, \
+						c, stats_list[i].entry); \
+	} \
+}
+
 static inline void inet_get_local_port_range(const struct net *net, int *low, int *high)
 {
 	u32 range = READ_ONCE(net->ipv4.ip_local_ports.range);
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index e96f14a36834..6dc06a11e05a 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -85,7 +85,6 @@ static const struct snmp_mib snmp6_ipstats_list[] = {
 	SNMP_MIB_ITEM("Ip6InECT0Pkts", IPSTATS_MIB_ECT0PKTS),
 	SNMP_MIB_ITEM("Ip6InCEPkts", IPSTATS_MIB_CEPKTS),
 	SNMP_MIB_ITEM("Ip6OutTransmits", IPSTATS_MIB_OUTPKTS),
-	SNMP_MIB_SENTINEL
 };
 
 static const struct snmp_mib snmp6_icmp6_list[] = {
@@ -96,7 +95,6 @@ static const struct snmp_mib snmp6_icmp6_list[] = {
 	SNMP_MIB_ITEM("Icmp6OutErrors", ICMP6_MIB_OUTERRORS),
 	SNMP_MIB_ITEM("Icmp6InCsumErrors", ICMP6_MIB_CSUMERRORS),
 	SNMP_MIB_ITEM("Icmp6OutRateLimitHost", ICMP6_MIB_RATELIMITHOST),
-	SNMP_MIB_SENTINEL
 };
 
 static const struct snmp_mib snmp6_udp6_list[] = {
@@ -109,7 +107,6 @@ static const struct snmp_mib snmp6_udp6_list[] = {
 	SNMP_MIB_ITEM("Udp6InCsumErrors", UDP_MIB_CSUMERRORS),
 	SNMP_MIB_ITEM("Udp6IgnoredMulti", UDP_MIB_IGNOREDMULTI),
 	SNMP_MIB_ITEM("Udp6MemErrors", UDP_MIB_MEMERRORS),
-	SNMP_MIB_SENTINEL
 };
 
 static const struct snmp_mib snmp6_udplite6_list[] = {
@@ -121,7 +118,6 @@ static const struct snmp_mib snmp6_udplite6_list[] = {
 	SNMP_MIB_ITEM("UdpLite6SndbufErrors", UDP_MIB_SNDBUFERRORS),
 	SNMP_MIB_ITEM("UdpLite6InCsumErrors", UDP_MIB_CSUMERRORS),
 	SNMP_MIB_ITEM("UdpLite6MemErrors", UDP_MIB_MEMERRORS),
-	SNMP_MIB_SENTINEL
 };
 
 static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib)
@@ -182,27 +178,29 @@ static void snmp6_seq_show_icmpv6msg(struct seq_file *seq, atomic_long_t *smib)
  */
 static void snmp6_seq_show_item(struct seq_file *seq, void __percpu *pcpumib,
 				atomic_long_t *smib,
-				const struct snmp_mib *itemlist)
+				const struct snmp_mib *itemlist,
+				int cnt)
 {
 	unsigned long buff[SNMP_MIB_MAX];
 	int i;
 
 	if (pcpumib) {
-		memset(buff, 0, sizeof(unsigned long) * SNMP_MIB_MAX);
+		memset(buff, 0, sizeof(unsigned long) * cnt);
 
-		snmp_get_cpu_field_batch(buff, itemlist, pcpumib);
-		for (i = 0; itemlist[i].name; i++)
+		snmp_get_cpu_field_batch_cnt(buff, itemlist, cnt, pcpumib);
+		for (i = 0; i < cnt; i++)
 			seq_printf(seq, "%-32s\t%lu\n",
 				   itemlist[i].name, buff[i]);
 	} else {
-		for (i = 0; itemlist[i].name; i++)
+		for (i = 0; i < cnt; i++)
 			seq_printf(seq, "%-32s\t%lu\n", itemlist[i].name,
 				   atomic_long_read(smib + itemlist[i].entry));
 	}
 }
 
 static void snmp6_seq_show_item64(struct seq_file *seq, void __percpu *mib,
-				  const struct snmp_mib *itemlist, size_t syncpoff)
+				  const struct snmp_mib *itemlist,
+				  int cnt, size_t syncpoff)
 {
 	u64 buff64[SNMP_MIB_MAX];
 	int i;
@@ -210,7 +208,7 @@ static void snmp6_seq_show_item64(struct seq_file *seq, void __percpu *mib,
 	memset(buff64, 0, sizeof(u64) * SNMP_MIB_MAX);
 
 	snmp_get_cpu_field64_batch(buff64, itemlist, mib, syncpoff);
-	for (i = 0; itemlist[i].name; i++)
+	for (i = 0; i < cnt; i++)
 		seq_printf(seq, "%-32s\t%llu\n", itemlist[i].name, buff64[i]);
 }
 
@@ -219,14 +217,19 @@ static int snmp6_seq_show(struct seq_file *seq, void *v)
 	struct net *net = (struct net *)seq->private;
 
 	snmp6_seq_show_item64(seq, net->mib.ipv6_statistics,
-			    snmp6_ipstats_list, offsetof(struct ipstats_mib, syncp));
+			      snmp6_ipstats_list,
+			      ARRAY_SIZE(snmp6_ipstats_list),
+			      offsetof(struct ipstats_mib, syncp));
 	snmp6_seq_show_item(seq, net->mib.icmpv6_statistics,
-			    NULL, snmp6_icmp6_list);
+			    NULL, snmp6_icmp6_list,
+			    ARRAY_SIZE(snmp6_icmp6_list));
 	snmp6_seq_show_icmpv6msg(seq, net->mib.icmpv6msg_statistics->mibs);
 	snmp6_seq_show_item(seq, net->mib.udp_stats_in6,
-			    NULL, snmp6_udp6_list);
+			    NULL, snmp6_udp6_list,
+			    ARRAY_SIZE(snmp6_udp6_list));
 	snmp6_seq_show_item(seq, net->mib.udplite_stats_in6,
-			    NULL, snmp6_udplite6_list);
+			    NULL, snmp6_udplite6_list,
+			    ARRAY_SIZE(snmp6_udplite6_list));
 	return 0;
 }
 
@@ -236,9 +239,11 @@ static int snmp6_dev_seq_show(struct seq_file *seq, void *v)
 
 	seq_printf(seq, "%-32s\t%u\n", "ifIndex", idev->dev->ifindex);
 	snmp6_seq_show_item64(seq, idev->stats.ipv6,
-			    snmp6_ipstats_list, offsetof(struct ipstats_mib, syncp));
+			      snmp6_ipstats_list,
+			      ARRAY_SIZE(snmp6_ipstats_list),
+			      offsetof(struct ipstats_mib, syncp));
 	snmp6_seq_show_item(seq, NULL, idev->stats.icmpv6dev->mibs,
-			    snmp6_icmp6_list);
+			    snmp6_icmp6_list, ARRAY_SIZE(snmp6_icmp6_list));
 	snmp6_seq_show_icmpv6msg(seq, idev->stats.icmpv6msgdev->mibs);
 	return 0;
 }
-- 
2.51.0.338.gd7d06c2dae-goog

[PATCH net-next 3/3] ipv6: snmp: do not track per idev ICMP6_MIB_RATELIMITHOST

[Eric Dumazet]

Blamed commit added a critical false sharing on a single
atomic_long_t under DOS, like receiving UDP packets
to closed ports.

Per netns ICMP6_MIB_RATELIMITHOST tracking uses per-cpu
storage and is enough, we do not need per-device and slow tracking.

Fixes: d0941130c9351 ("icmp: Add counters for rate limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jamie Bainbridge <jamie.bainbridge@gmail.com>
Cc: Abhishek Rawal <rawal.abhishek92@gmail.com>
---
 net/ipv6/icmp.c | 3 +--
 net/ipv6/proc.c | 6 +++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 95cdd4cacb00..56c974cf75d1 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -230,8 +230,7 @@ static bool icmpv6_xrlim_allow(struct sock *sk, u8 type,
 	}
 	rcu_read_unlock();
 	if (!res)
-		__ICMP6_INC_STATS(net, ip6_dst_idev(dst),
-				  ICMP6_MIB_RATELIMITHOST);
+		__ICMP6_INC_STATS(net, NULL, ICMP6_MIB_RATELIMITHOST);
 	else
 		icmp_global_consume(net);
 	dst_release(dst);
diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
index 6dc06a11e05a..6e8d70b34a7e 100644
--- a/net/ipv6/proc.c
+++ b/net/ipv6/proc.c
@@ -94,6 +94,7 @@ static const struct snmp_mib snmp6_icmp6_list[] = {
 	SNMP_MIB_ITEM("Icmp6OutMsgs", ICMP6_MIB_OUTMSGS),
 	SNMP_MIB_ITEM("Icmp6OutErrors", ICMP6_MIB_OUTERRORS),
 	SNMP_MIB_ITEM("Icmp6InCsumErrors", ICMP6_MIB_CSUMERRORS),
+/* ICMP6_MIB_RATELIMITHOST needs to be last, see snmp6_dev_seq_show(). */
 	SNMP_MIB_ITEM("Icmp6OutRateLimitHost", ICMP6_MIB_RATELIMITHOST),
 };
 
@@ -242,8 +243,11 @@ static int snmp6_dev_seq_show(struct seq_file *seq, void *v)
 			      snmp6_ipstats_list,
 			      ARRAY_SIZE(snmp6_ipstats_list),
 			      offsetof(struct ipstats_mib, syncp));
+
+	/* Per idev icmp stats do not have ICMP6_MIB_RATELIMITHOST */
 	snmp6_seq_show_item(seq, NULL, idev->stats.icmpv6dev->mibs,
-			    snmp6_icmp6_list, ARRAY_SIZE(snmp6_icmp6_list));
+			    snmp6_icmp6_list, ARRAY_SIZE(snmp6_icmp6_list) - 1);
+
 	snmp6_seq_show_icmpv6msg(seq, idev->stats.icmpv6msgdev->mibs);
 	return 0;
 }
-- 
2.51.0.338.gd7d06c2dae-goog

Re: [PATCH net-next 0/3] ipv6: snmp: avoid performance issue with RATELIMITHOST

[Jakub Kicinski]

On Thu,  4 Sep 2025 13:25:50 +0000 Eric Dumazet wrote:
> Addition of ICMP6_MIB_RATELIMITHOST in commit d0941130c9351
> ("icmp: Add counters for rate limits") introduced a performance
> drop in case of DOS (like receiving UDP packets
> to closed ports).
> 
> Per netns ICMP6_MIB_RATELIMITHOST tracking uses per-cpu
> storage and is enough, we do not need per-device and slow tracking
> for this metric.

CI says:

==================================================================
[ 156.608382][ T330] BUG: KASAN: global-out-of-bounds in snmp6_seq_show_item64.constprop.0 (net/ipv6/proc.c:211) 
[ 156.608699][ T330] Read of size 8 at addr ffffffffad4d4790 by task connect-deny_ip/330
[ 156.608965][ T330]
[ 156.609064][ T330] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 156.609066][ T330] Call Trace:
[ 156.609069][ T330]  <TASK>
[ 156.609071][ T330] dump_stack_lvl (lib/dump_stack.c:123) 
[ 156.609077][ T330] print_address_description.constprop.0 (mm/kasan/report.c:379) 
[ 156.609084][ T330] ? snmp6_seq_show_item64.constprop.0 (net/ipv6/proc.c:211) 
[ 156.609088][ T330] print_report (mm/kasan/report.c:483) 
[ 156.609091][ T330] ? snmp6_seq_show_item64.constprop.0 (net/ipv6/proc.c:211) 
[ 156.609094][ T330] ? kasan_addr_to_slab (./include/linux/mm.h:1180 mm/kasan/../slab.h:187 mm/kasan/common.c:38) 
[ 156.609098][ T330] ? snmp6_seq_show_item64.constprop.0 (net/ipv6/proc.c:211) 
[ 156.609101][ T330] kasan_report (mm/kasan/report.c:597) 
[ 156.609105][ T330] ? snmp6_seq_show_item64.constprop.0 (net/ipv6/proc.c:211) 
[ 156.609111][ T330] snmp6_seq_show_item64.constprop.0 (net/ipv6/proc.c:211) 
[ 156.609119][ T330] ? sockstat6_seq_show (net/ipv6/proc.c:202) 
[ 156.609137][ T330] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 156.609142][ T330] ? trace_kmalloc (./include/trace/events/kmem.h:54 (discriminator 21)) 
[ 156.609146][ T330] ? __kvmalloc_node_noprof (mm/slub.c:5055) 
[ 156.609152][ T330] snmp6_seq_show (net/ipv6/proc.c:224) 
[ 156.609155][ T330] seq_read_iter (fs/seq_file.c:231) 
[ 156.609165][ T330] seq_read (fs/seq_file.c:163) 
[ 156.609169][ T330] ? seq_read_iter (fs/seq_file.c:152) 
[ 156.609173][ T330] ? __lock_acquire (kernel/locking/lockdep.c:5237) 
[ 156.609180][ T330] ? __mutex_trylock_common (./arch/x86/include/asm/atomic64_64.h:101 ./include/linux/atomic/atomic-arch-fallback.h:4296 ./include/linux/atomic/atomic-long.h:1482 ./include/linux/atomic/atomic-instrumented.h:4458 kernel/locking/mutex.c:113) 
[ 156.609184][ T330] ? rcu_is_watching (./include/linux/context_tracking.h:128 kernel/rcu/tree.c:751) 
[ 156.609189][ T330] proc_reg_read (fs/proc/inode.c:308 fs/proc/inode.c:320) 
[ 156.609196][ T330] vfs_read (fs/read_write.c:570) 
[ 156.609201][ T330] ? fdget_pos (fs/file.c:1235) 
[ 156.609206][ T330] ? ww_mutex_lock (kernel/locking/mutex.c:759) 
[ 156.609212][ T330] ? kernel_read (fs/read_write.c:553) 
[ 156.609215][ T330] ? __lock_release (kernel/locking/lockdep.c:5536) 
[ 156.609220][ T330] ? __fget_files (./include/linux/rcupdate.h:341 ./include/linux/rcupdate.h:871 fs/file.c:1072) 
[ 156.609223][ T330] ? __fget_files (fs/file.c:1075) 
[ 156.609230][ T330] ksys_read (fs/read_write.c:715) 
[ 156.609234][ T330] ? vfs_write (fs/read_write.c:705) 
[ 156.609240][ T330] do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) 
[ 156.609244][ T330] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) 
[ 156.609248][ T330] RIP: 0033:0x7f5190d4a2cc
[ 156.609252][ T330] Code: ec 28 48 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 8b f8 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 34 44 89 c7 48 89 44 24 08 e8 7f 8b f8 ff 48
All code
========
   0:	ec                   	in     (%dx),%al
   1:	28 48 89             	sub    %cl,-0x77(%rax)
   4:	54                   	push   %rsp
   5:	24 18                	and    $0x18,%al
   7:	48 89 74 24 10       	mov    %rsi,0x10(%rsp)
   c:	89 7c 24 08          	mov    %edi,0x8(%rsp)
  10:	e8 29 8b f8 ff       	call   0xfffffffffff88b3e
  15:	48 8b 54 24 18       	mov    0x18(%rsp),%rdx
  1a:	48 8b 74 24 10       	mov    0x10(%rsp),%rsi
  1f:	41 89 c0             	mov    %eax,%r8d
  22:	8b 7c 24 08          	mov    0x8(%rsp),%edi
  26:	31 c0                	xor    %eax,%eax
  28:	0f 05                	syscall
  2a:*	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax		<-- trapping instruction
  30:	77 34                	ja     0x66
  32:	44 89 c7             	mov    %r8d,%edi
  35:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  3a:	e8 7f 8b f8 ff       	call   0xfffffffffff88bbe
  3f:	48                   	rex.W

Code starting with the faulting instruction
===========================================
   0:	48 3d 00 f0 ff ff    	cmp    $0xfffffffffffff000,%rax
   6:	77 34                	ja     0x3c
   8:	44 89 c7             	mov    %r8d,%edi
   b:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  10:	e8 7f 8b f8 ff       	call   0xfffffffffff88b94
  15:	48                   	rex.W
[  156.609255][  T330] RSP: 002b:00007f518bffe090 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[  156.609259][  T330] RAX: ffffffffffffffda RBX: 00007f5184000f30 RCX: 00007f5190d4a2cc
[  156.609261][  T330] RDX: 0000000000000400 RSI: 00007f5184001190 RDI: 000000000000000b
[  156.609263][  T330] RBP: 00007f5190e425c0 R08: 0000000000000000 R09: 0000000000000000
[  156.609265][  T330] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000

Re: [PATCH net-next 0/3] ipv6: snmp: avoid performance issue with RATELIMITHOST

[Eric Dumazet]

On Thu, Sep 4, 2025 at 9:24 AM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu,  4 Sep 2025 13:25:50 +0000 Eric Dumazet wrote:
> > Addition of ICMP6_MIB_RATELIMITHOST in commit d0941130c9351
> > ("icmp: Add counters for rate limits") introduced a performance
> > drop in case of DOS (like receiving UDP packets
> > to closed ports).
> >
> > Per netns ICMP6_MIB_RATELIMITHOST tracking uses per-cpu
> > storage and is enough, we do not need per-device and slow tracking
> > for this metric.
>
> CI says:

Oh right I forgot the snmp_get_cpu_field64_batch() call.

I will send a V2 tomorrow.

Thank you