From: Cong Wang
Date: Tue, 17 Jul 2018 10:53:21 -0700
Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
To: David Ahern
Cc: Linux Kernel Network Developers, nikita.leshchenko@oracle.com, Roopa Prabhu, Stephen Hemminger, Ido Schimmel, Jiri Pirko, Saeed Mahameed, alex.aring@gmail.com, linux-wpan@vger.kernel.org, NetFilter, LKML
References: <20180717120651.15748-1-dsahern@kernel.org> <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com>
In-Reply-To: <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com>
List-ID: <linux-kernel.vger.kernel.org>

On Tue, Jul 17, 2018 at 10:43 AM David Ahern wrote:
>
> On 7/17/18 11:40 AM, Cong Wang wrote:
> > On Tue, Jul 17, 2018 at 5:11 AM wrote:
> >>
> >> From: David Ahern
> >>
> >> Nikita Leshenko reported that neighbor entries in one namespace can
> >> evict neighbor entries in another. The problem is that the neighbor
> >> tables have entries across all namespaces without separate accounting
> >> and with global limits on when to scan for entries to evict.
> >
> > It is nothing new, people including me already noticed this before.
> >
> >
> >>
> >> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
> >> namespace and making the accounting and threshold limits per namespace.
> >
> >
> > The last discussion about this a long time ago concluded that neigh
> > table entries are controllable by remote, so after moving it to per netns,
> > it would be easier to DOS the host.
> >
>
> There are still limits on the total number of entries and with
> per-namespace limits an admin has better control.

Per-netns limit is *exactly* the problem here. Quote from David Miller:

"
From: ebiederm@xmission.com (Eric W. Biederman)
Date: Wed, 25 Jun 2014 18:17:08 -0700

> I disagree that removing a global DOS prevention check is a benefit.
> Certainly large semantics changes like that should not happen without
> being discussed in the patch description.

Agreed, this is the most important core issue.

If we just make these things per netns, then as a result if you create N
namespaces we will allow N times more neighbour entries to be sitting in
the system at once.

Actually, I'm really surprised the limits get hit and this actually causes
problems.
"

You can see the original discussion here:

https://marc.info/?l=linux-netdev&m=140356141019653&w=2
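A toy model of the trade-off argued in this thread, added here as an illustration and not code from the patch series or the kernel: with one table shared by all namespaces and a hard entry limit, inserts from one namespace push out another namespace's entries (the report that motivated the series), while per-namespace tables isolate eviction but let the system-wide total grow to N times the limit (the concern raised above). The NeighTable class, its FIFO eviction and the addresses are constructed simplifications, not the kernel's gc_thresh logic.

```python
from collections import OrderedDict


class NeighTable:
    """Toy neighbour cache: FIFO entries under a hard limit (cf. gc_thresh3).
    Constructed for illustration; the kernel's GC is more elaborate."""

    def __init__(self, hard_limit):
        self.hard_limit = hard_limit
        self.entries = OrderedDict()   # (netns, addr) -> None, in insertion order
        self.evictions = []            # (victim_netns, inserting_netns)

    def insert(self, netns, addr):
        key = (netns, addr)
        if key in self.entries:
            return
        if len(self.entries) >= self.hard_limit:
            # Table full: drop the oldest entry, whichever namespace owns it.
            (victim_ns, _), _ = self.entries.popitem(last=False)
            self.evictions.append((victim_ns, netns))
        self.entries[key] = None


def simulate(per_netns, limit, namespaces, inserts_per_ns):
    """Fill the table(s) namespace by namespace. Returns the system-wide entry
    count and how many entries were evicted by a *different* namespace."""
    if per_netns:
        tables = {ns: NeighTable(limit) for ns in namespaces}
    else:
        shared = NeighTable(limit)
        tables = {ns: shared for ns in namespaces}
    for ns in namespaces:
        for i in range(inserts_per_ns):
            # Constructed neighbour addresses, one per insert.
            tables[ns].insert(ns, f"10.0.{i // 256}.{i % 256}")
    distinct = list({id(t): t for t in tables.values()}.values())
    return {
        "total_entries": sum(len(t.entries) for t in distinct),
        "cross_ns_evictions": sum(
            1 for t in distinct for victim, by in t.evictions if victim != by),
    }


if __name__ == "__main__":
    ns = ["ns_a", "ns_b", "ns_c"]
    print("global accounting   :", simulate(False, 8, ns, 8))
    print("per-netns accounting:", simulate(True, 8, ns, 8))
```

With three namespaces each inserting up to the limit, the shared table stays at the limit but every later namespace evicts the earlier one's entries, whereas per-namespace tables report no cross-namespace evictions and three times as many resident entries.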