Received: by 2002:a05:6358:16cc:b0:ea:6187:17c9 with SMTP id r12csp3098541rwl; Fri, 6 Jan 2023 15:50:48 -0800 (PST) X-Google-Smtp-Source: AMrXdXvypzSY9oObga5mKdjy8sJRPqtGRibgPsLMAq8XzxBoQzAtAh5jeg1cWdLUo6QFaMoumZCm X-Received: by 2002:a17:906:e98:b0:7c1:39e:db7e with SMTP id p24-20020a1709060e9800b007c1039edb7emr62816950ejf.59.1673049048552; Fri, 06 Jan 2023 15:50:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673049048; cv=none; d=google.com; s=arc-20160816; b=DOGaVwp7WRoIqJ7VBoOtljGYMU29rdz9rAxtGuanycmtkV1pz49EC8YR1dAv36vkHY 0hVweId6wiRZmtL/ES5rsvET3X0Wqf8kPYEfZnQn1QkMwBsVbAl6VueO2ZGM2zabGqq2 fcyS+wytL/+N+hywVKtX1hAqW3k/EYpSHm/OQ2F4KYYzP8voHTwTR1R72HksQHQ8uTiF uCjEMbbLdIufN/BWDTWCvuhbDUGasQz/DvHoJmTB+/miuCXDaV3roxFW0QzXSXgfTFBa DgWL3/4A3YgtthFvyfzL0GvMRR66dnRRQ6GSNfXpQE4lP9qs4vpATknT/Es0PnnXVbST ilXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature:dkim-signature; bh=pS18w6uXzarPO0E2GYQ9ODmcRpg6MzsTKfGq36Z0OeI=; b=gADmQv1ucQn0CVQ00gODh8h7OD9NGYWRPEuphbkTrZZCH2Nlmv/fieD+lJ6btyfRZL VKT0PVOFu1mfbikc9Gbz73YLjB1gFbQboWpRvwPTqEqSZB+vj6Bkv8ogyko0IV3mfaKS D8zoWSzAm1FxLrLL1jswIZyzDYUT7dTFbrwEYmPR5PcH3YU7mmhRWHBGevh4eFE9gk85 vlkF8Im9TGHlNnqtCUycKOe/m5DAuCusNqCHV31cO7L883Pn805tyycE+H0BWq59fW8+ l2cpFjXVYFrEiFYZ9VyPRuZykbk8oLiui4vuGmCljqI4BTvRXQQMJ7QJHGKc4vDiglwr ruoA== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (no key) header.i=@uniroma2.it header.s=ed201904; dkim=pass header.i=@uniroma2.it header.s=rsa201904 header.b=JEAXTfBs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=uniroma2.it Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ji6-20020a170907980600b007877b1c7f27si3106710ejc.829.2023.01.06.15.50.35; Fri, 06 Jan 2023 15:50:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=neutral (no key) header.i=@uniroma2.it header.s=ed201904; dkim=pass header.i=@uniroma2.it header.s=rsa201904 header.b=JEAXTfBs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=uniroma2.it Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235581AbjAFX1l (ORCPT + 55 others); Fri, 6 Jan 2023 18:27:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45266 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229780AbjAFX1j (ORCPT ); Fri, 6 Jan 2023 18:27:39 -0500 Received: from smtp.uniroma2.it (smtp.uniroma2.it [160.80.6.16]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1A4F9714B8; Fri, 6 Jan 2023 15:27:36 -0800 (PST) Received: from smtpauth-2019-1.uniroma2.it (smtpauth-2019-1.uniroma2.it [160.80.5.46]) by smtp-2015.uniroma2.it (8.14.4/8.14.4/Debian-8) with ESMTP id 306NR0XH010592; Sat, 7 Jan 2023 00:27:05 +0100 Received: from lubuntu-18.04 (unknown [160.80.103.126]) by smtpauth-2019-1.uniroma2.it (Postfix) with ESMTPSA id E878A120EC9; Sat, 7 Jan 2023 00:26:56 +0100 (CET) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=uniroma2.it; s=ed201904; t=1673047617; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pS18w6uXzarPO0E2GYQ9ODmcRpg6MzsTKfGq36Z0OeI=; b=EYSfhUEz8n46+fVN52Pb/Or/9ohzlRWnbwjCICeT4QwQq5FsXJP/6Vmj5vOKqJJ8fmYmqC yKJvPmdN/OwqAbCQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uniroma2.it; s=rsa201904; t=1673047617; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pS18w6uXzarPO0E2GYQ9ODmcRpg6MzsTKfGq36Z0OeI=; b=JEAXTfBsggsRO0unHhQymR/5ylWPiFl+B06S8sz719Cqy7+QGIC7MeMNZNF79AllZKl72H SH3ddoOCT+IVFs9Tj5KUbpMGLNEchHdT+Qu743QUp7YGA+8SzFXBXqA4l/arX0RghJOcBL m6QcSq0MMc0e5j7/1R8TYNC0EPxZ0mLQa5yg+3jhVD6ixnCFX2XDvaO4gg0SPFWc59+YFh JkeOS8NFJ/FtgN3usMMXH5CRxd+Psnq8Ec2HyMUlJ/IvO3Qd5/QtOuRt2o2W1BG77morRU BBZceUJHe62jH+Zm1D2hWTuXrEOdKDR2Nftg2cwjPArLHehORyAUyW61w+Q9Nw== Date: Sat, 7 Jan 2023 00:26:56 +0100 From: Andrea Mayer To: Jonathan Maxwell Cc: Paolo Abeni , davem@davemloft.net, edumazet@google.com, kuba@kernel.org, yoshfuji@linux-ipv6.org, dsahern@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Stefano Salsano , Paolo Lungaroni , Ahmed Abdelsalam , Andrea Mayer Subject: Re: [net-next] ipv6: fix routing cache overflow for raw sockets Message-Id: <20230107002656.b732de6750a063d07cdb8a5f@uniroma2.it> In-Reply-To: <20230103170711.819921d40132494b4bfd6a0d@uniroma2.it> References: <20221218234801.579114-1-jmaxwell37@gmail.com> <9f145202ca6a59b48d4430ed26a7ab0fe4c5dfaf.camel@redhat.com> <20221223212835.eb9d03f3f7db22360e34341d@uniroma2.it> <20230103170711.819921d40132494b4bfd6a0d@uniroma2.it> X-Mailer: Sylpheed 3.5.1 (GTK+ 2.24.32; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Virus-Scanned: clamav-milter 0.100.0 at smtp-2015 X-Virus-Status: Clean X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,RCVD_IN_DNSWL_MED, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Jon, please see after, thanks. > > > Any chance you could test this patch based on the latest net-next > > kernel and let me know the result? > > > > diff --git a/include/net/dst_ops.h b/include/net/dst_ops.h > > index 88ff7bb2bb9b..632086b2f644 100644 > > --- a/include/net/dst_ops.h > > +++ b/include/net/dst_ops.h > > @@ -16,7 +16,7 @@ struct dst_ops { > > unsigned short family; > > unsigned int gc_thresh; > > > > - int (*gc)(struct dst_ops *ops); > > + void (*gc)(struct dst_ops *ops); > > struct dst_entry * (*check)(struct dst_entry *, __u32 cookie); > > unsigned int (*default_advmss)(const struct dst_entry *); > > unsigned int (*mtu)(const struct dst_entry *); > > diff --git a/net/core/dst.c b/net/core/dst.c > > index 6d2dd03dafa8..31c08a3386d3 100644 > > --- a/net/core/dst.c > > +++ b/net/core/dst.c > > @@ -82,12 +82,8 @@ void *dst_alloc(struct dst_ops *ops, struct net_device *dev, > > > > if (ops->gc && > > !(flags & DST_NOCOUNT) && > > - dst_entries_get_fast(ops) > ops->gc_thresh) { > > - if (ops->gc(ops)) { > > - pr_notice_ratelimited("Route cache is full: > > consider increasing sysctl net.ipv6.route.max_size.\n"); > > - return NULL; > > - } > > - } > > + dst_entries_get_fast(ops) > ops->gc_thresh) > > + ops->gc(ops); > > > > dst = kmem_cache_alloc(ops->kmem_cachep, GFP_ATOMIC); > > if (!dst) > > diff --git a/net/ipv6/route.c b/net/ipv6/route.c > > index e74e0361fd92..b643dda68d31 100644 > > --- a/net/ipv6/route.c > > +++ b/net/ipv6/route.c > > @@ -91,7 +91,7 @@ static struct dst_entry *ip6_negative_advice(struct > > dst_entry *); > > static void ip6_dst_destroy(struct dst_entry *); > > static void ip6_dst_ifdown(struct dst_entry *, > > struct net_device *dev, int how); > > -static int ip6_dst_gc(struct dst_ops *ops); > > +static void ip6_dst_gc(struct dst_ops *ops); > > > > static int ip6_pkt_discard(struct sk_buff *skb); > > static int ip6_pkt_discard_out(struct net *net, struct > > sock *sk, struct sk_buff *skb); > > @@ -3284,11 +3284,10 @@ struct dst_entry *icmp6_dst_alloc(struct > > net_device *dev, > > return dst; > > } > > > > -static int ip6_dst_gc(struct dst_ops *ops) > > +static void ip6_dst_gc(struct dst_ops *ops) > > { > > struct net *net = container_of(ops, struct net, ipv6.ip6_dst_ops); > > int rt_min_interval = net->ipv6.sysctl.ip6_rt_gc_min_interval; > > - int rt_max_size = net->ipv6.sysctl.ip6_rt_max_size; > > int rt_elasticity = net->ipv6.sysctl.ip6_rt_gc_elasticity; > > int rt_gc_timeout = net->ipv6.sysctl.ip6_rt_gc_timeout; > > unsigned long rt_last_gc = net->ipv6.ip6_rt_last_gc; > > @@ -3296,11 +3295,10 @@ static int ip6_dst_gc(struct dst_ops *ops) > > int entries; > > > > entries = dst_entries_get_fast(ops); > > - if (entries > rt_max_size) > > + if (entries > ops->gc_thresh) > > entries = dst_entries_get_slow(ops); > > > > - if (time_after(rt_last_gc + rt_min_interval, jiffies) && > > - entries <= rt_max_size) > > + if (time_after(rt_last_gc + rt_min_interval, jiffies)) > > goto out; > > > > fib6_run_gc(atomic_inc_return(&net->ipv6.ip6_rt_gc_expire), net, true); > > @@ -3310,7 +3308,6 @@ static int ip6_dst_gc(struct dst_ops *ops) > > out: > > val = atomic_read(&net->ipv6.ip6_rt_gc_expire); > > atomic_set(&net->ipv6.ip6_rt_gc_expire, val - (val >> rt_elasticity)); > > - return entries > rt_max_size; > > } > > > > static int ip6_nh_lookup_table(struct net *net, struct fib6_config *cfg, > > @@ -6512,7 +6509,7 @@ static int __net_init ip6_route_net_init(struct net *net) > > #endif > > > > net->ipv6.sysctl.flush_delay = 0; > > - net->ipv6.sysctl.ip6_rt_max_size = 4096; > > + net->ipv6.sysctl.ip6_rt_max_size = INT_MAX; > > net->ipv6.sysctl.ip6_rt_gc_min_interval = HZ / 2; > > net->ipv6.sysctl.ip6_rt_gc_timeout = 60*HZ; > > net->ipv6.sysctl.ip6_rt_gc_interval = 30*HZ; > > > > Yes, I will apply this patch in the next days and check how it deals with the > seg6 subsystem. I will keep you posted. > I applied the patch* to the net-next (HEAD 6bd4755c7c49) and did some tests on the seg6 subsystem, specifically running the End.X/DX6 behaviors. They seem to work fine. (*) I had to slightly edit the patch because of the code formatting, e.g. some incorrect line breaks, spaces, etc. Ciao, Andrea > > > On Sat, Dec 24, 2022 at 6:38 PM Jonathan Maxwell wrote: > > > > > > On Sat, Dec 24, 2022 at 7:28 AM Andrea Mayer wrote: > > > > > > > > Hi Jon, > > > > please see below, thanks. > > > > > > > > On Wed, 21 Dec 2022 08:48:11 +1100 > > > > Jonathan Maxwell wrote: > > > > > > > > > On Tue, Dec 20, 2022 at 11:35 PM Paolo Abeni wrote: > > > > > > > > > > > > On Mon, 2022-12-19 at 10:48 +1100, Jon Maxwell wrote: > > > > > > > Sending Ipv6 packets in a loop via a raw socket triggers an issue where a > > > > > > > route is cloned by ip6_rt_cache_alloc() for each packet sent. This quickly > > > > > > > consumes the Ipv6 max_size threshold which defaults to 4096 resulting in > > > > > > > these warnings: > > > > > > > > > > > > > > [1] 99.187805] dst_alloc: 7728 callbacks suppressed > > > > > > > [2] Route cache is full: consider increasing sysctl net.ipv6.route.max_size. > > > > > > > . > > > > > > > . > > > > > > > [300] Route cache is full: consider increasing sysctl net.ipv6.route.max_size. > > > > > > > > > > > > If I read correctly, the maximum number of dst that the raw socket can > > > > > > use this way is limited by the number of packets it allows via the > > > > > > sndbuf limit, right? > > > > > > > > > > > > > > > > Yes, but in my test sndbuf limit is never hit so it clones a route for > > > > > every packet. > > > > > > > > > > e.g: > > > > > > > > > > output from C program sending 5000000 packets via a raw socket. > > > > > > > > > > ip raw: total num pkts 5000000 > > > > > > > > > > # bpftrace -e 'kprobe:dst_alloc {@count[comm] = count()}' > > > > > Attaching 1 probe... > > > > > > > > > > @count[a.out]: 5000009 > > > > > > > > > > > Are other FLOWI_FLAG_KNOWN_NH users affected, too? e.g. nf_dup_ipv6, > > > > > > ipvs, seg6? > > > > > > > > > > > > > > > > Any call to ip6_pol_route(s) where no res.nh->fib_nh_gw_family is 0 can do it. > > > > > But we have only seen this for raw sockets so far. > > > > > > > > > > > > > In the SRv6 subsystem, the seg6_lookup_nexthop() is used by some > > > > cross-connecting behaviors such as End.X and End.DX6 to forward traffic to a > > > > specified nexthop. SRv6 End.X/DX6 can specify an IPv6 DA (i.e., a nexthop) > > > > different from the one carried by the IPv6 header. For this purpose, > > > > seg6_lookup_nexthop() sets the FLOWI_FLAG_KNOWN_NH. > > > > > > > Hi Andrea, > > > > > > Thanks for pointing that datapath out. The more generic approach we are > > > taking bringing Ipv6 closer to Ipv4 in this regard should fix all instances > > > of this. > > > > > > > > > > [1] 99.187805] dst_alloc: 7728 callbacks suppressed > > > > > > > [2] Route cache is full: consider increasing sysctl net.ipv6.route.max_size. > > > > > > > . > > > > > > > . > > > > > > > [300] Route cache is full: consider increasing sysctl net.ipv6.route.max_size. > > > > > > > > I can reproduce the same warning messages reported by you, by instantiating an > > > > End.X behavior whose nexthop is handled by a route for which there is no "via". > > > > In this configuration, the ip6_pol_route() (called by seg6_lookup_nexthop()) > > > > triggers ip6_rt_cache_alloc() because i) the FLOWI_FLAG_KNOWN_NH is present ii) > > > > and the res.nh->fib_nh_gw_family is 0 (as already pointed out). > > > > > > > > > > Nice, when I get back after the holiday break I'll submit the next patch. It > > > would be great if you could test the new patch and let me know how it works in > > > your tests at that juncture. I'll keep you posted. > > > > > > Regards > > > > > > Jon > > > > > > > > Regards > > > > > > > > > > Jon > > > > > > > > Ciao, > > > > Andrea > > > -- > Andrea Mayer -- Andrea Mayer