Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3580257imu; Mon, 10 Dec 2018 04:42:37 -0800 (PST) X-Google-Smtp-Source: AFSGD/UFccCKk8g8ph/A5faGqkKDN3Om40Smq7E4QVkNpXZt0bdTfiORZ3wb4xAcGiLqyWxdAVOc X-Received: by 2002:a17:902:f20d:: with SMTP id gn13mr11539140plb.11.1544445757549; Mon, 10 Dec 2018 04:42:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544445757; cv=none; d=google.com; s=arc-20160816; b=DLXRthqF+oWfcRKqLSefI0QCPdWNYFPCltfW9bLXB9l6j47mGXu0wQGT8sfnf5q87A fQMJPvIP0IsQ3iy6beAorrdNtWdQGvqbrYGzWGNuB++sQB8fl45+PfiyHsgBK1ydypEn ZjI1rQqMwqSku/Snr5XBeWcc7FFjDSDk2xg5jNFKmkh7SknEkTvGT+DkLji6PLXacDvi SzT7tzp20AMldrQBLpjPBi5tTgAhXHgULcIMHHv+bPnjT9zrXfqrjfZkmJg9jIKaQKHB WuxAG9IwBS0n8u+ynKpTS5v01sDfSuylm2aahgbnC0Bge9E3ZcshztkZd340oaPrgk/O PJEw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=YbZHNvXH9F822lv2s5VBOcT80SIAdx4J7UKoS4Ov/kk=; b=zxw2GDIzQgJdktwJMNBO3PvRHSRD198LCebV1868mJmMhdCyTC20YQ26nZDPIsPDfz fqdxVhbh7jw9vWBHoHJOUzkWCyOdRDlM4ppTlfJLmB1A9PxQieyd8UrPsi0k6um7w6k4 nLNIonoBbxpls2qS2xRJBLSklNd+Gfc5Gp41WTbyfZvPsdop4fDvR6ikyYdSjzphdl8b nVAUvRJ+KlEK0GUPPQTUdclN6RSj6PTU91kL8N6LlzGzqr3tgpWgu9PY83LQY79I3X8u uCw8vECF3Y4hWlpsS971NgfZt7cZBwhxswMOXKxrzbQv0ZLDRRsAZ6MKFG0Rn2xkqtEe KQkQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k125si10084901pfc.21.2018.12.10.04.42.22; Mon, 10 Dec 2018 04:42:37 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727034AbeLJLXd (ORCPT + 99 others); Mon, 10 Dec 2018 06:23:33 -0500 Received: from mail.us.es ([193.147.175.20]:50350 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726847AbeLJLXd (ORCPT ); Mon, 10 Dec 2018 06:23:33 -0500 Received: from antivirus1-rhel7.int (unknown [192.168.2.11]) by mail.us.es (Postfix) with ESMTP id A5504443824 for ; Mon, 10 Dec 2018 12:23:30 +0100 (CET) Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id 5925ADA4D1 for ; Mon, 10 Dec 2018 12:23:30 +0100 (CET) Received: by antivirus1-rhel7.int (Postfix, from userid 99) id 3BF61DA80D; Mon, 10 Dec 2018 12:23:30 +0100 (CET) X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on antivirus1-rhel7.int X-Spam-Level: X-Spam-Status: No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50, SMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1 Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id 75866DA4F6; Mon, 10 Dec 2018 12:23:23 +0100 (CET) Received: from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int (F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); Mon, 10 Dec 2018 12:23:23 +0100 (CET) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int) Received: from us.es (sys.soleta.eu [212.170.55.40]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: 1984lsi) by entrada.int (Postfix) with ESMTPSA id 441EF4265A4C; Mon, 10 Dec 2018 12:23:23 +0100 (CET) Date: Mon, 10 Dec 2018 12:23:22 +0100 X-SMTPAUTHUS: auth mail.us.es From: Pablo Neira Ayuso To: Linus =?iso-8859-1?Q?L=FCssing?= Cc: netfilter-devel@vger.kernel.org, Jozsef Kadlecsik , Florian Westphal , Roopa Prabhu , Nikolay Aleksandrov , "David S . Miller" , coreteam@netfilter.org, bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH net-next v2] netfilter: ebtables: avoid resetting limit rule state Message-ID: <20181210112322.rxndlqmfckctbhjm@salvia> References: <20181209061405.15112-1-linus.luessing@c0d3.blue> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20181209061405.15112-1-linus.luessing@c0d3.blue> User-Agent: NeoMutt/20170113 (1.7.2) X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Linus, On Sun, Dec 09, 2018 at 07:14:05AM +0100, Linus L?ssing wrote: > So far any changes with ebtables will reset the state of limit rules, > leading to spikes in traffic. This is especially noticeable if changes > are done frequently, for instance via a daemon. > > This patch fixes this by bailing out from (re)setting if the limit > rule was initialized before. > > When sending packets every 250ms for 600s, with a > "--limit 1/sec --limit-burst 50" rule and a command like this > in the background: > > $ ebtables -N VOIDCHAIN > $ while true; do ebtables -F VOIDCHAIN; sleep 30; done > > The results are: > > Before: ~1600 packets > After: 650 packets > > This also aligns the behavior to "xtables-nft-multi ebtables" which uses > nft_limit instead of ebt_limit. In tests nft_limit did not suffer from > this issue and rate limited to 650 just fine. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Signed-off-by: Linus L?ssing > > --- > > Changelog v2: > > - Adjusted commit message (adjusted title, added test results with > nft_limit for comparison) > - Excluded rate limiting variables from zeroing when passed to userspace > by increasing .usersize. This became necessary with 4.11 / > commit ec2318904965 ("xtables: extend matches and targets with .usersize") > - Retested with 4.20-rc4 and current net-next/master (83af01ba1c2d) > > v1 was: > > "[net-next] bridge: ebtables: Avoid resetting limit rule state" > -> https://lore.kernel.org/patchwork/patch/854802/ > --- > net/bridge/netfilter/ebt_limit.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c > index 165b9d678cf1..2cf9861c3bce 100644 > --- a/net/bridge/netfilter/ebt_limit.c > +++ b/net/bridge/netfilter/ebt_limit.c > @@ -69,6 +69,10 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par) > { > struct ebt_limit_info *info = par->matchinfo; > > + /* Do not reset state on unrelated table changes */ > + if (info->prev) > + return 0; Hm, still I don't think we can follow this path, even if it works. This means we trust userspace in what it sets for info->prev. Using ebtables-nft (instead of ebtables-legacy) fixes this problem, without this patch. > + > /* Check for overflow. */ > if (info->burst == 0 || > user2credits(info->avg * info->burst) < user2credits(info->avg)) { > @@ -105,7 +109,7 @@ static struct xt_match ebt_limit_mt_reg __read_mostly = { > .match = ebt_limit_mt, > .checkentry = ebt_limit_mt_check, > .matchsize = sizeof(struct ebt_limit_info), > - .usersize = offsetof(struct ebt_limit_info, prev), > + .usersize = sizeof(struct ebt_limit_info), > #ifdef CONFIG_COMPAT > .compatsize = sizeof(struct ebt_compat_limit_info), > #endif > -- > 2.11.0 >