Received: by sandelman.ca (Postfix, from userid 179) id 6C9E01A76; Wed, 18 Jul 2018 20:54:03 -0400 (EDT)
From: Michael Richardson
To: dsahern@kernel.org
Cc: netdev@vger.kernel.org, nikita.leshchenko@oracle.com, roopa@cumulusnetworks.com, stephen@networkplumber.org, idosch@mellanox.com, jiri@mellanox.com, saeedm@mellanox.com, alex.aring@gmail.com, linux-wpan@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org, David Ahern
Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
In-Reply-To: <20180717120651.15748-1-dsahern@kernel.org>
References: <20180717120651.15748-1-dsahern@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

>>>>> David Ahern writes:
dsahern@kernel.org wrote:
> Nikita Leshenko reported that neighbor entries in one namespace can
> evict neighbor entries in another. The problem is that the neighbor
> tables have entries across all namespaces without separate accounting
> and with global limits on when to scan for entries to evict.
>
> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
> namespace and making the accounting and threshold limits per namespace.

This is a good improvement, thank you.
We absolutely need to keep a DOS against a single netns from causing
evictions in another netns.

Within a namespace there may be neighbour entries that are more
sure/valid/useful than others. I would like an API to be able to mark
them explicitly, but that could come later.

In particular, in the 802.15.4 case, NE that arrive via encrypted
channels should be preferred over entries that arrive over unencrypted
channels. This is needed for IETF 6tisch secure join work, for instance.
I believe that we could use network namespaces to implement this, though.
I had not considered that before, and I think that it will work, but
there might be something subtle that I've missed. (Alex?)

It appears that one can tune the amount of space on a per-namespace basis:

+	nd_tbl->gc_thresh1 = 128;
+	nd_tbl->gc_thresh2 = 512;
+	nd_tbl->gc_thresh3 = 1024;

> Remove open use of arp_tbl and nd_tbl in favor of the new
> ipv{4,6}_neigh_table helpers. Since the existence of the IPv6 table
> is managed by the core networking, the IS_ENABLED checks for IPv6
> can be removed in favor of "is the table non-NULL".

What's the advantage of changing this check?
(I am ignorant)
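Review bot: the three quoted `+ nd_tbl->gc_thresh1/2/3 = 128/512/1024;` lines initialise every new namespace's ND table from fixed literals; confirm that the existing neigh/default/gc_thresh1..3 sysctls now resolve to the per-namespace table (so an operator can raise them inside a container), and state in the cover letter whether a child namespace inherits the init namespace's tuned values or always restarts from these constants, since with per-namespace accounting gc_thresh3 is now the ceiling a flood inside one netns runs into.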
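The cross-namespace eviction the cover letter describes, as a toy model added here (not kernel code and not part of the thread): one neighbour table shared by all namespaces versus one per namespace, using the gc_thresh values quoted above and a simplified forced-gc rule; the `permanent` flag also shows the kind of "more sure" entry the reply asks to be able to mark.

```python
"""Toy model, constructed for this thread, of why one neighbour table
shared by every namespace lets a flood in one netns evict entries in
another, and why a table per namespace does not. It is not kernel code."""
from collections import Counter


class NeighTable:
    """One neighbour table with the three gc thresholds. Defaults are the
    nd_tbl values quoted in the thread; the gc rule is simplified."""

    def __init__(self, gc_thresh1=128, gc_thresh2=512, gc_thresh3=1024):
        self.gc_thresh1, self.gc_thresh2, self.gc_thresh3 = gc_thresh1, gc_thresh2, gc_thresh3
        self.entries = {}          # (netns, dst) -> permanent flag
        self.evicted = Counter()   # netns -> entries lost to forced gc

    def forced_gc(self):
        # Like neigh_forced_gc: every unreferenced, non-permanent entry goes,
        # regardless of which namespace created it.
        for key in [k for k, perm in self.entries.items() if not perm]:
            del self.entries[key]
            self.evicted[key[0]] += 1

    def add(self, netns, dst, permanent=False):
        # Like neigh_alloc: at gc_thresh3 (the kernel also does this above
        # gc_thresh2 once the last flush is older than 5 s) run forced gc
        # and refuse the allocation if the table is still full.
        if len(self.entries) >= self.gc_thresh3:
            self.forced_gc()
            if len(self.entries) >= self.gc_thresh3:
                return False
        self.entries[(netns, dst)] = permanent
        return True


def simulate(per_namespace, flood=2000, victim_permanent=False):
    """Victim netns holds one idle entry; attacker netns floods its table.
    Returns (victim entry still present, victim entries evicted)."""
    tables = {}

    def table_for(netns):
        return tables.setdefault(netns if per_namespace else "shared", NeighTable())

    victim, attacker = table_for("ns-victim"), table_for("ns-attacker")
    victim.add("ns-victim", "fe80::1", victim_permanent)   # constructed legitimate entry
    for i in range(flood):                                  # constructed flood of bogus dsts
        attacker.add("ns-attacker", "2001:db8::%x" % i)
    return ("ns-victim", "fe80::1") in victim.entries, victim.evicted["ns-victim"]


if __name__ == "__main__":
    print("shared table:  ", simulate(per_namespace=False))   # (False, 1)
    print("per-namespace: ", simulate(per_namespace=True))    # (True, 0)
```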