Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3812795imm;
        Tue, 17 Jul 2018 10:41:12 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfTf5zKLoGBaTTXGLKuXbzBF/EDZt90oqxJ0wAWP9yxFKk7dcRdzYuq4ZwOvuBjaBiBAx4v
X-Received: by 2002:a63:68c1:: with SMTP id d184-v6mr2456083pgc.239.1531849272607;
        Tue, 17 Jul 2018 10:41:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531849272; cv=none;
        d=google.com; s=arc-20160816;
        b=fiwjErqUiLzI7CKOGsNV1fT6/QeUCtCxxphPWAyLcBH/+mAlXcDX7mqKQpz3asiLc0
         YKZJfetyYYeTk0RJilEOm+HouxfxqNBOAG5/KKut1Mh8C167AyZtrorXIWtTVCYdA0lg
         qR8ptbWpLefMV/WFZfEsqXwAjpBnic4nTymMOA9C/2e0+K2ka7AzRmN60JX+mI/4pkG1
         U+qNWFc/ygvXiSLEsW1Jf1INtP+gkKT8Yne0LVlEm3r4iSNQZaoPeTmoEoIL4zOXsQ55
         dmpUyDJjT2Jr2/PUhJKHosj2K3UTTjXgz7+us01kb+mPCCvs90+9T9xY5LPBu17QSuNF
         PBVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=MOpiopesXL+0vpI1kyJiP+PCMmDgHcQPhCS9oZd+Dq8=;
        b=sApxZ4BebrZi6R/OS5F2IULa5fdGuU2R+OykTSo/CiTNMJWCs+wxFi7ggJvOAujm39
         WHlR3/+dsGuIznk/b/J4GUGXDRQCIpMFoYhjf0Vq+PZfBhScoQThEmv4bX/VDXvUHwiV
         XfdsEsYWYCYx+DQPh48vvFbGqAGqH0CnwzGXxS5buUGk7K47c7iRIco8N7v9s5UZ3VQD
         zIfTBtHp8ognQUvXptDJu4bSLVIzJTK0Hk6IgFHyihyge7r+x28QPqAnNbkABB7MmuAP
         CEND3N3PH86cfUXdpLdU8s0YtkK3Eq/rXtlTBsyA3MMWHSlxhKpgD0bXBt24/hnNeNU2
         Sa1A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="rap/cz7Q";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j19-v6si1375808pgg.313.2018.07.17.10.40.57;
        Tue, 17 Jul 2018 10:41:12 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="rap/cz7Q";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730522AbeGQSOF (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Tue, 17 Jul 2018 14:14:05 -0400
Received: from mail-ed1-f67.google.com ([209.85.208.67]:44353 "EHLO
        mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1730000AbeGQSOE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Jul 2018 14:14:04 -0400
Received: by mail-ed1-f67.google.com with SMTP id f23-v6so1898038edr.11;
        Tue, 17 Jul 2018 10:40:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=MOpiopesXL+0vpI1kyJiP+PCMmDgHcQPhCS9oZd+Dq8=;
        b=rap/cz7Qb7Xxo2LzGcrhpaldkTB0YoFfAaCTHaPEfT5zlF7O3FUgYTwu6GcJJwIHdr
         DeHVKDKO2/MNi9LgcEk+OI4lpksMKEd1IGfF4TayzqR7HpY7n5bff/Hz5bZxo9+Uve3S
         WhaeIRUe/j0+GSNSXtKy7iFDwnH5kANZPUi5PUui9SXK/ur16HgKw6P7/MRuC8RYOyE2
         Z5hmOmLx6yMoXHkSuxqJwH748O/pr5QB+6m/aNens396i2QeRVEXc46uXRqcTlikE49G
         dKbyPHLvkgJveoU5o5q+O5TKMMesO8n7cgGvd6L3DxlaUbOO6goMDaFrG3x+JJkNZji0
         2Jtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=MOpiopesXL+0vpI1kyJiP+PCMmDgHcQPhCS9oZd+Dq8=;
        b=GH5wd5tqEY5T9+9NsDCkzwQAkoAXgXcMvlEJ1sTn7HMl75falHY3cPHUfsVv5vLkJ7
         eiemvZwkvi+6P9VoWrGdZrCVq9Rh6fTphDdHz8Fh+eh7rndxT3t0eIX0gDMfVlVxyQYt
         i050gFyj53SyvzjYWZUZuqojQFc3IiS/kuptrYGBXSxf6i6YOzp98qYOA9OnIbSaw2am
         q/eVeSnHl+UEE5Q7e92tYhxvWYIXQMScUAmLtfvAW9u3nGjDHMtgFNtrzpPRMiX/vmgO
         FJRJyzDjcmODq8Du8kkHyrBrMDmA5t5Xhjakc46gNT7Etb30lXPj6xjQ5ZHIVHFUFeOH
         KvvA==
X-Gm-Message-State: AOUpUlGVW2OgA55JWvBDvr6qKSxvlLFYBTkJBHGqZQL0G6qGh3WDXMWH
        TYyUUZfHCB7y3CZVhslj2b3G9GZqiywBQaSe73dvv4h0
X-Received: by 2002:a50:be05:: with SMTP id a5-v6mr3676802edi.258.1531849221445;
 Tue, 17 Jul 2018 10:40:21 -0700 (PDT)
MIME-Version: 1.0
References: <20180717120651.15748-1-dsahern@kernel.org>
In-Reply-To: <20180717120651.15748-1-dsahern@kernel.org>
From:   Cong Wang <xiyou.wangcong@gmail.com>
Date:   Tue, 17 Jul 2018 10:40:09 -0700
Message-ID: <CAM_iQpW4g2v6xk49Gz+WBasKaO9VUk3Q-umX7iBRK-mAhn21Fw@mail.gmail.com>
Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
To:     dsahern@kernel.org
Cc:     Linux Kernel Network Developers <netdev@vger.kernel.org>,
        nikita.leshchenko@oracle.com,
        Roopa Prabhu <roopa@cumulusnetworks.com>,
        Stephen Hemminger <stephen@networkplumber.org>,
        Ido Schimmel <idosch@mellanox.com>,
        Jiri Pirko <jiri@mellanox.com>,
        Saeed Mahameed <saeedm@mellanox.com>, alex.aring@gmail.com,
        linux-wpan@vger.kernel.org,
        NetFilter <netfilter-devel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        David Ahern <dsahern@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 17, 2018 at 5:11 AM <dsahern@kernel.org> wrote:
>
> From: David Ahern <dsahern@gmail.com>
>
> Nikita Leshenko reported that neighbor entries in one namespace can
> evict neighbor entries in another. The problem is that the neighbor
> tables have entries across all namespaces without separate accounting
> and with global limits on when to scan for entries to evict.

It is nothing new, people including me already noticed this before.


>
> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
> namespace and making the accounting and threshold limits per namespace.


The last discussion about this a long time ago concluded that neigh
table entries are controllable by remote, so after moving it to per netns,
it would be easier to DOS the host.