Date: Tue, 28 Nov 2017 00:30:08 +0100
From: Pablo Neira Ayuso
To: Linus Lüssing
Cc: netfilter-devel@vger.kernel.org, Jozsef Kadlecsik, Florian Westphal, Stephen Hemminger, "David S . Miller", coreteam@netfilter.org, bridge@lists.linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state

Hi Linus,

On Sat, Nov 25, 2017 at 08:44:18AM +0100, Linus Lüssing wrote:
> So far any changes with ebtables will reset the state of limit rules,
> leading to spikes in traffic. This is especially noticeable if changes
> are done frequently, for instance via a daemon.
>
> This patch fixes this by bailing out from (re)setting if the limit
> rule was initialized before.
>
> When sending packets every 250ms for 600s, with a
> "--limit 1/sec --limit-burst 50" rule and a command like this
> in the background:
>
> $ ebtables -N VOIDCHAIN
> $ while true; do ebtables -F VOIDCHAIN; sleep 30; done
>
> The results are:
>
> Before: ~1600 packets
> After: 650 packets
>
> Signed-off-by: Linus Lüssing
> ---
> net/bridge/netfilter/ebt_limit.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
> index 61a9f1be1263..f74b48633feb 100644
> --- a/net/bridge/netfilter/ebt_limit.c
> +++ b/net/bridge/netfilter/ebt_limit.c
> @@ -69,6 +69,10 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
> {
> struct ebt_limit_info *info = par->matchinfo;
>
> + /* Do not reset state on unrelated table changes */
> + if (info->prev)
> + return 0;

What kernel version are you using? I suspect you don't have this applied?

commit ec23189049651b16dc2ffab35a4371dc1f491aca
Author: Willem de Bruijn
Date:   Mon Jan 2 17:19:46 2017 -0500

    xtables: extend matches and targets with .usersize
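
Review bot: the early return added at the top of ebt_limit_mt_check() treats a non-zero info->prev as the only evidence that the rule was set up before, yet info is taken directly from par->matchinfo and nothing in this hunk shows what guarantees that prev is zero for a newly added rule. If that field can ever arrive non-zero in a fresh rule, "if (info->prev) return 0;" skips whatever validation and initialisation follow in the check function, and the match then runs on the values that came in. Consider validating the parameters first and skipping only the state reset, and extend the comment to say where prev is set and why non-zero means "already initialised"; as written, an initialised rule whose prev happens to be 0 would still be reset.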
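
The measurement quoted in the commit message can be reproduced with a small model. This is an added example, not code from this thread or from the kernel: it assumes a simplified token bucket counted in milliseconds, and every name in it (limit_state, limit_check, limit_match, simulate, the initialized flag) is hypothetical.

```c
#include <stdio.h>

/* Simplified limit match: credit is counted in milliseconds (assumption;
 * the kernel scales credit from jiffies). All names are hypothetical. */
struct limit_state {
    long credit, cap, cost, prev;
    int initialized;
};

/* Stand-in for the match "check" hook that runs on every table reload. */
static void limit_check(struct limit_state *s, long now, long per_sec,
                        long burst, int keep_state)
{
    if (keep_state && s->initialized)
        return;                     /* patched behaviour: keep running state */
    s->cost = 1000 / per_sec;       /* ms of credit one packet consumes */
    s->cap = burst * s->cost;
    s->credit = s->cap;             /* a fresh rule starts with a full burst */
    s->prev = now;
    s->initialized = 1;
}

static int limit_match(struct limit_state *s, long now)
{
    s->credit += now - s->prev;     /* refill for the elapsed time */
    s->prev = now;
    if (s->credit > s->cap)
        s->credit = s->cap;
    if (s->credit < s->cost)
        return 0;                   /* over the limit */
    s->credit -= s->cost;
    return 1;
}

/* Count matching packets; reload_ms == 0 means the table is never reloaded. */
long simulate(long duration_ms, long interval_ms, long reload_ms, int keep_state)
{
    struct limit_state s = {0};
    long passed = 0;
    limit_check(&s, 0, 1, 50, keep_state);  /* --limit 1/sec --limit-burst 50 */
    for (long t = 0; t < duration_ms; t += interval_ms) {
        if (reload_ms && t > 0 && t % reload_ms == 0)
            limit_check(&s, t, 1, 50, keep_state);
        passed += limit_match(&s, t);
    }
    return passed;
}

int main(void)
{
    printf("reset on reload: %ld\n", simulate(600000, 250, 30000, 0));
    printf("state kept:      %ld\n", simulate(600000, 250, 30000, 1));
    return 0;
}
```

With a packet every 250ms for 600s and a reload every 30s, the model lets 1580 packets through when state is reset on each reload and 649 when it is kept, in line with the "~1600" and "650" figures quoted above.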