On Fri, Aug 12, 2016 at 9:35 PM, Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> wrote: [...] >> * 'net.udp_usage': Reading this file gives the number of udp ports used by >> processes in this cgroup and all its descendants. >> * 'net.udp_limit': Writing this file sets the total number of udp ports >> that can be used by processes in this cgroup and all >> its descendants. This file can also be read. >> * 'net.udp_maxusage': Reading this file gives the highest value of >> net.udp_usage that has been seen for this cgroup. >> * 'net.udp_failcnt': Reading this file gives the number of times a >> process in this cgroup or one of its descendants has attempted to acquire >> a udp port but failed because the limit of this cgroup was reached. >> * 'net.udp_underflowcnt': Reading this file gives the number of times a >> process in this cgroup or one of its descendants released a udp port when >> the usage value of this cgroup was 0. > > I have similar concern here. I don't think we should bloat the kernel by > trying implement every possible port restriction combination and count. > For the same reasons we don't do all possible tcp stats that research > community finds useful. This additional code is a maintenance headache. > At this moment if a rampant process decides to just open a datagram socket and just binds (does not listen) and does this for all available ports, you are guaranteed to have machine becoming useless for some (totally unrelated) legitimate process trying to do useful things. >From kernel we can't control such user-space behavior, but at least restrict the damage to "a specific set of processes". This code provides that feature to restrict the damage. Additional code is always a maintenance headache but that doesn't stop us from adding new code, isn't it? :) -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html