From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Ahern
Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
Date: Tue, 17 Jul 2018 11:43:16 -0600
Message-ID: <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com>
References: <20180717120651.15748-1-dsahern@kernel.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: Linux Kernel Network Developers , nikita.leshchenko@oracle.com, Roopa Prabhu , Stephen Hemminger , Ido Schimmel , Jiri Pirko , Saeed Mahameed , alex.aring@gmail.com, linux-wpan@vger.kernel.org, NetFilter , LKML
To: Cong Wang
Return-path:
In-Reply-To:
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netfilter-devel.vger.kernel.org

On 7/17/18 11:40 AM, Cong Wang wrote:
> On Tue, Jul 17, 2018 at 5:11 AM wrote:
>>
>> From: David Ahern
>>
>> Nikita Leshenko reported that neighbor entries in one namespace can
>> evict neighbor entries in another. The problem is that the neighbor
>> tables have entries across all namespaces without separate accounting
>> and with global limits on when to scan for entries to evict.
>
> It is nothing new, people including me already noticed this before.
>
>
>>
>> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
>> namespace and making the accounting and threshold limits per namespace.
>
>
> The last discussion about this a long time ago concluded that neigh
> table entries are controllable by remote, so after moving it to per netns,
> it would be easier to DOS the host.
>

There are still limits on the total number of entries and with per-namespace
limits an admin has better control.