From: Changli Gao <xiaosuo@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: hawk@comx.dk, Jesper Dangaard Brouer <hawk@diku.dk>,
paulmck@linux.vnet.ibm.com, Patrick McHardy <kaber@trash.net>,
Linux Kernel Network Hackers <netdev@vger.kernel.org>,
Netfilter Developers <netfilter-devel@vger.kernel.org>
Subject: Re: DDoS attack causing bad effect on conntrack searches
Date: Tue, 1 Jun 2010 13:48:23 +0800 [thread overview]
Message-ID: <AANLkTik_zo96O530947eF6YDr5ZZ4ogROwjEZmbBZHFM@mail.gmail.com> (raw)
In-Reply-To: <1275368732.2478.88.camel@edumazet-laptop>
On Tue, Jun 1, 2010 at 1:05 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> Le mardi 01 juin 2010 à 08:28 +0800, Changli Gao a écrit :
>> On Tue, Jun 1, 2010 at 5:21 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> >
>> > I had a look at current conntrack and found the 'unconfirmed' list was
>> > maybe a candidate for a potential blackhole.
>> >
>> > That is, if a reader happens to hit an entry that is moved from regular
>> > hash table slot 'hash' to unconfirmed list,
>>
>> Sorry, but I can't find where we do this things. unconfirmed list is
>> used to track the unconfirmed cts, whose corresponding skbs are still
>> in path from the first to the last netfilter hooks. As soon as the
>> skbs end their travel in netfilter, the corresponding cts will be
>> confirmed(moving ct from unconfirmed list to regular hash table).
>>
>
> So netfilter is a monolithic thing.
>
> When a packet begins its travel into netfilter, you guarantee that no
> other packet can also begin its travel and find an unconfirmed
> conntrack ?
>
> I wonder why we use atomic ops then to track the confirmed bit :)
seems no need.
>
>
>> unconfirmed list should be small, as networking receiving is in BH.
>
> So according to you, netfilter/ct runs only in input path ?
No. there are another entrances: local out and nf_reinject. If there
isn't any packet queued, as netfilter is in atomic context, the nubmer
of unconfirmed cts should be small( at most, 2 * nr_cpu?).
>
> So I assume a packet is handled by CPU X, creates a new conntrack
> (possibly early droping an old entry that was previously in a standard
> hash chain), inserted in unconfirmed list.
>
Oh, Thanks, I got it.
> _You_ guarantee another CPU
> Y, handling another packet, possibly sent by a hacker reading your
> netdev mails, cannot find the conntrack that was early dropped ?
>
>> How about implementing unconfirmed list as a per cpu variable?
>
> I first implemented such a patch to reduce cache line contention, then I
> asked to myself : What is exactly an unconfirmed conntrack ? Can their
> number be unbounded ? If yes, we have a problem, even on a two cpus
> machine. Using two lists instead of one wont solve the fundamental
> problem.
>
> The real question is, why do we need this unconfirmed 'list' in the
> first place. Is it really a private per cpu thing ?
No, it isn't really private. But most of time, it is accessed locally,
if it is implemented as a per cpu var.
> Can you prove this,
> in respect of lockless lookups, and things like NFQUEUE ?
>
> Each conntrack object has two list anchors. One for IP_CT_DIR_ORIGINAL,
> one for IP_CT_DIR_REPLY.
>
> Unconfirmed list use the first anchor. This means another cpu can
> definitely find an unconfirmed item in a regular hash chain, since we
> dont respect an RCU grace period before re-using an object.
>
> If memory was not a problem, we probably would use a third anchor to
> avoid this, or regular RCU instead of SLAB_DESTROY_BY_RCU variant.
>
thanks for your explaining.
--
Regards,
Changli Gao(xiaosuo@gmail.com)
next prev parent reply other threads:[~2010-06-01 5:48 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-04-22 12:58 DDoS attack causing bad effect on conntrack searches Jesper Dangaard Brouer
2010-04-22 13:13 ` Changli Gao
2010-04-22 13:17 ` Patrick McHardy
2010-04-22 14:36 ` Eric Dumazet
2010-04-22 14:53 ` Eric Dumazet
2010-04-22 15:51 ` Paul E. McKenney
2010-04-22 16:02 ` Eric Dumazet
2010-04-22 16:34 ` Paul E. McKenney
2010-04-22 20:38 ` Jesper Dangaard Brouer
2010-04-22 21:03 ` Eric Dumazet
2010-04-22 21:14 ` Eric Dumazet
2010-04-22 23:44 ` David Miller
2010-04-23 5:44 ` Eric Dumazet
2010-04-23 8:13 ` David Miller
2010-04-23 8:18 ` David Miller
2010-04-23 8:40 ` Jesper Dangaard Brouer
2010-04-23 10:36 ` Patrick McHardy
2010-04-23 11:06 ` Eric Dumazet
2010-04-22 21:28 ` Jesper Dangaard Brouer
2010-04-23 7:23 ` Jan Engelhardt
2010-04-23 7:46 ` Eric Dumazet
2010-04-23 7:55 ` Jan Engelhardt
2010-04-23 9:23 ` Eric Dumazet
2010-04-23 10:55 ` Patrick McHardy
2010-04-23 11:05 ` Eric Dumazet
2010-04-23 11:06 ` Patrick McHardy
2010-04-23 20:57 ` Eric Dumazet
2010-04-24 11:11 ` Jesper Dangaard Brouer
2010-04-24 20:11 ` Eric Dumazet
2010-04-26 14:36 ` Jesper Dangaard Brouer
2010-05-31 21:21 ` Eric Dumazet
2010-06-01 0:28 ` Changli Gao
2010-06-01 5:05 ` Eric Dumazet
2010-06-01 5:48 ` Changli Gao [this message]
2010-06-01 10:18 ` Patrick McHardy
2010-06-01 10:31 ` Eric Dumazet
2010-06-01 10:41 ` Patrick McHardy
2010-06-01 16:20 ` [RFC nf-next-2.6] conntrack: per cpu nf_conntrack_untracked Eric Dumazet
2010-06-04 11:40 ` Patrick McHardy
2010-06-04 12:10 ` Changli Gao
2010-06-04 12:29 ` Patrick McHardy
2010-06-04 12:36 ` Eric Dumazet
2010-06-04 16:25 ` [PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit Eric Dumazet
2010-06-04 20:15 ` [PATCH nf-next-2.6 2/2] conntrack: per_cpu untracking Eric Dumazet
2010-06-08 14:29 ` Patrick McHardy
2010-06-08 14:52 ` Eric Dumazet
2010-06-08 15:12 ` Eric Dumazet
2010-06-09 12:45 ` Patrick McHardy
2010-06-08 14:12 ` [PATCH nf-next-2.6] conntrack: IPS_UNTRACKED bit Patrick McHardy
2010-04-23 10:56 ` DDoS attack causing bad effect on conntrack searches Patrick McHardy
2010-04-23 12:45 ` Jesper Dangaard Brouer
2010-04-23 13:57 ` Patrick McHardy
2010-04-22 13:31 ` Jesper Dangaard Brouer
2010-04-23 10:35 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AANLkTik_zo96O530947eF6YDr5ZZ4ogROwjEZmbBZHFM@mail.gmail.com \
--to=xiaosuo@gmail.com \
--cc=eric.dumazet@gmail.com \
--cc=hawk@comx.dk \
--cc=hawk@diku.dk \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=paulmck@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).