Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp3824663imm;
        Tue, 17 Jul 2018 10:54:28 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpfzE7x5TEs+7VtciS4/Cma1c3Ip46izphnBfe4oZbbEF+UgbkNWWd71uov2l1XhuqAADRkM
X-Received: by 2002:a63:5542:: with SMTP id f2-v6mr2184857pgm.37.1531850068099;
        Tue, 17 Jul 2018 10:54:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531850068; cv=none;
        d=google.com; s=arc-20160816;
        b=sXosFTyTpx+3XQH5imc3Wl0cDhT02MsMTucOCghHtTJ9hB7Jbsw+84Jr+euvdW/fiC
         duzOjcCpXPlgtxwNw3hUWRpbBhIb6wVxmm4LCssVi/WtDHBBPZzHD35mGizQLcyMfAjm
         7Cwn87jrv/XLU4zMbfn4P0A3DBHSdmz4FSNUNJeHyPzpES7GxZnbr4t8EiVGX3MtsuxD
         k553RgAR2o2eM8kEtZ9+BAVmyU5fL8UrOKrmZpudCfvXFVhnse0QBUbz7tt48HmjVicw
         7vutjDgGcOih7TCcijNGo0bFPK7MYp/C3iOyarxf8NQrILC7Y3bsDyyS5CZDnqGcO6Mm
         9o1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=41Z91/MXjfQHcAVCDW1mkadMZC7WIDawmTrHG8kyZMA=;
        b=RM+qMO3wP4yJ/c3dAF+l7tWq+uEXK7sVFNkQmQX8z2U6q3qYwS8dsQ/7Kf/zmelApC
         tDc3WehIPgawXcxjMDFeHwpKVfbmf4/SaF9sVO0YRRq59qBAbehPExqMYL5Ria9Nfcgp
         2yU6YnensFQXiifx4MQ7NM68eYN2Ipb86xBF9VA9ak30hPv0pPPserZz5q919WRhOGgk
         pMdD3FaUEl7z7XxwQnhbfCR6v24MluPxK6+UgEoMF8lzGp1DJRmjzsTDKDHjLCFX9GzW
         GQt/UciRHw83nXJUO3bnaPPHSA9C7C7VEi42KmAjKWoOP8Z12ZpbpBoo4RUpQ1RMRvrD
         vaBQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IMCssMWN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id r4-v6si1494068pgb.97.2018.07.17.10.54.13;
        Tue, 17 Jul 2018 10:54:28 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=IMCssMWN;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731128AbeGQS1V (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Tue, 17 Jul 2018 14:27:21 -0400
Received: from mail-ed1-f68.google.com ([209.85.208.68]:43760 "EHLO
        mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729709AbeGQS1U (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Jul 2018 14:27:20 -0400
Received: by mail-ed1-f68.google.com with SMTP id b20-v6so1931454edt.10;
        Tue, 17 Jul 2018 10:53:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=41Z91/MXjfQHcAVCDW1mkadMZC7WIDawmTrHG8kyZMA=;
        b=IMCssMWNAOgslx8a89M7fHFUGRcOp0Puc+cKsKkvLrKHmNib93MlpxBiSrDmHW5H7u
         0WBI+D4CWCGlB29Txz8M8balJ+Dj1FRMRmQ1VcydYn+UsOwmUUKVUhoYXsmFG4yjOVqO
         q66X8AcAkHcKfB07b9pfrtMCQw70QLvsRBJCymHUE1rbH45mCZPN4atEgsKlyS3nHIMY
         ybIZRw9kbeQGf8t0ad7OSwz2GUFwzZsKsNAuqiN7SoXpTUl/nuAw6Rg6BadHcHFeYBxb
         +YDIN5x5X9rQdt3R9vsolBsStVGGEO4j+Z+qE6dTtPVvktoPAq5Cf/soisz0mJt91Cj8
         TS3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=41Z91/MXjfQHcAVCDW1mkadMZC7WIDawmTrHG8kyZMA=;
        b=Aga1g/9Zz0gMUKQ5JZ0abfpTRINrZX6+W7O9/bByADQWWRl7ruKimH8C7NYruWO4Tx
         1oFdFB4J18ee7ANdu0N/ynVG82v2fmYnNkCLgktyKr/4iDIkhKBbwj5U/w3PXD1UEH8R
         +m7KN1hny4zOk8N8/gcgmsbFlso0FMQuZr8biblz/YPLsixXP5b25CeTG2GXZ09ueeG1
         k3sjzZOS9A4Y+e1rrPbjc1AhpZZ4/V4LdadPhoZq5NDIeAMt556XiT/bRYkA8sf8hdcH
         gpcFZuEdVejallR+bYuEzMtReEa9GVhHLGk0afj2G0ej+PkuPsDjltDGWQIU5b5Z8qm9
         pCew==
X-Gm-Message-State: AOUpUlERfiZHaGqnKOpbb/FKji5ytgrfgzkPpPIqUPmSL+IfjZfsanha
        fg7u0qM9hnVz4W9HJ1Hpr4zLnWBQWAnCAjkvOr4=
X-Received: by 2002:a50:95ab:: with SMTP id w40-v6mr3517045eda.33.1531850013930;
 Tue, 17 Jul 2018 10:53:33 -0700 (PDT)
MIME-Version: 1.0
References: <20180717120651.15748-1-dsahern@kernel.org> <CAM_iQpW4g2v6xk49Gz+WBasKaO9VUk3Q-umX7iBRK-mAhn21Fw@mail.gmail.com>
 <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com>
In-Reply-To: <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com>
From:   Cong Wang <xiyou.wangcong@gmail.com>
Date:   Tue, 17 Jul 2018 10:53:21 -0700
Message-ID: <CAM_iQpWabZorkMNswyfHyS4KT=f_bgMtK8K35=84uah6Kfqxew@mail.gmail.com>
Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
To:     David Ahern <dsahern@gmail.com>
Cc:     Linux Kernel Network Developers <netdev@vger.kernel.org>,
        nikita.leshchenko@oracle.com,
        Roopa Prabhu <roopa@cumulusnetworks.com>,
        Stephen Hemminger <stephen@networkplumber.org>,
        Ido Schimmel <idosch@mellanox.com>,
        Jiri Pirko <jiri@mellanox.com>,
        Saeed Mahameed <saeedm@mellanox.com>, alex.aring@gmail.com,
        linux-wpan@vger.kernel.org,
        NetFilter <netfilter-devel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 17, 2018 at 10:43 AM David Ahern <dsahern@gmail.com> wrote:
>
> On 7/17/18 11:40 AM, Cong Wang wrote:
> > On Tue, Jul 17, 2018 at 5:11 AM <dsahern@kernel.org> wrote:
> >>
> >> From: David Ahern <dsahern@gmail.com>
> >>
> >> Nikita Leshenko reported that neighbor entries in one namespace can
> >> evict neighbor entries in another. The problem is that the neighbor
> >> tables have entries across all namespaces without separate accounting
> >> and with global limits on when to scan for entries to evict.
> >
> > It is nothing new, people including me already noticed this before.
> >
> >
> >>
> >> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
> >> namespace and making the accounting and threshold limits per namespace.
> >
> >
> > The last discussion about this a long time ago concluded that neigh
> > table entries are controllable by remote, so after moving it to per netns,
> > it would be easier to DOS the host.
> >
>
> There are still limits on the total number of entries and with
> per-namespace limits an admin has better control.

Per-netns limit is *exactly* the problem here.

Quote from David Miller:
"
From: ebiederm@xmission.com (Eric W. Biederman)
Date: Wed, 25 Jun 2014 18:17:08 -0700

> I disagree that removing a global DOS prevention check is a benefit.
> Certainly large semantics changes like that should not happen without
> being discussed in the patch description.

Agreed, this is the most important core issue.

If we just make these things per netns, then as a result if you create
N namespaces we will allow N times more neighbour entries to be
sitting in the system at once.

Actually, I'm really surprised the limits get hit and this actually
causes problems.
"

You can see the original discussion here:
https://marc.info/?l=linux-netdev&m=140356141019653&w=2