Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
To: Cong Wang
Cc: Linux Kernel Network Developers, nikita.leshchenko@oracle.com, Roopa Prabhu, Stephen Hemminger, Ido Schimmel, Jiri Pirko, Saeed Mahameed, alex.aring@gmail.com, linux-wpan@vger.kernel.org, NetFilter, LKML
References: <20180717120651.15748-1-dsahern@kernel.org>
From: David Ahern
Message-ID: <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com>
Date: Tue, 17 Jul 2018 11:43:16 -0600
X-Mailing-List: linux-kernel@vger.kernel.org

On 7/17/18 11:40 AM, Cong Wang wrote:
> On Tue, Jul 17, 2018 at 5:11 AM wrote:
>>
>> From: David Ahern
>>
>> Nikita Leshenko reported that neighbor entries in one namespace can
>> evict neighbor entries in another. The problem is that the neighbor
>> tables have entries across all namespaces without separate accounting
>> and with global limits on when to scan for entries to evict.
>
> It is nothing new, people including me already noticed this before.
>
>
>>
>> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
>> namespace and making the accounting and threshold limits per namespace.
>
>
> The last discussion about this a long time ago concluded that neigh
> table entries are controllable by remote, so after moving it to per netns,
> it would be easier to DOS the host.
>

There are still limits on the total number of entries and with
per-namespace limits an admin has better control.
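
The cross-namespace eviction discussed in this thread, as a toy model added here (not code from the patch series or the kernel): one table with a single global limit is compared with per-namespace accounting. The oldest-first eviction policy, the limit values and all names are assumptions made for illustration.

```c
#include <stdio.h>

#define SLOTS 64   /* backing storage, larger than any limit used below */

struct entry { int ns; unsigned long used; int live; };
struct table { struct entry e[SLOTS]; unsigned long tick; int limit; int per_ns; };

/* Count live entries; ns < 0 counts every namespace. */
static int count(const struct table *t, int ns)
{
    int n = 0;
    for (int i = 0; i < SLOTS; i++)
        if (t->e[i].live && (ns < 0 || t->e[i].ns == ns))
            n++;
    return n;
}

/* Insert one entry for ns; at the limit, reuse the oldest entry in scope. */
static void add(struct table *t, int ns)
{
    int scope = t->per_ns ? ns : -1;   /* which entries the limit covers */
    int slot = -1;

    if (count(t, scope) >= t->limit) {
        for (int i = 0; i < SLOTS; i++)     /* forced eviction */
            if (t->e[i].live && (scope < 0 || t->e[i].ns == scope) &&
                (slot < 0 || t->e[i].used < t->e[slot].used))
                slot = i;
    } else {
        for (int i = 0; i < SLOTS && slot < 0; i++)
            if (!t->e[i].live)
                slot = i;
    }
    t->e[slot] = (struct entry){ .ns = ns, .used = ++t->tick, .live = 1 };
}

/* Namespace 1 holds 4 entries, then namespace 2 adds `flood` entries.
 * Returns how many of namespace 1's entries are still present. */
static int victim_survivors(int per_ns, int limit, int flood)
{
    struct table t = { .limit = limit, .per_ns = per_ns };
    for (int i = 0; i < 4; i++) add(&t, 1);
    for (int i = 0; i < flood; i++) add(&t, 2);
    return count(&t, 1);
}

int main(void)
{
    printf("global limit 8: %d of 4 survive\n", victim_survivors(0, 8, 100));
    printf("per-ns limit 4: %d of 4 survive\n", victim_survivors(1, 4, 100));
    return 0;
}
```

In the per-namespace run the table as a whole still holds up to the sum of the per-namespace limits, which is the total-size concern raised in the quoted reply.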