On Sun, Jun 08, 2003 at 11:56:22PM -0700, David S. Miller wrote:

> We have to walk the entire destination hash chain _ANYWAYS_ to verify
> that a matching entry has not been put into the cache while we were
> procuring the new one. During this walk we can also choose a
> candidate rtcache entry to free.

Ah, neat. I should try reading this stuff. :)

> Something like the patch at the end of this email, doesn't compile
> it's just a work in progress. The trick is picking TIMEOUT1 and
> TIMEOUT2 :)
>
> Another point is that the default ip_rt_gc_min_interval is
> absolutely horrible for DoS like attacks. When DoS traffic
> can fill the rtcache multiple times per second, using a GC
> interval of 5 seconds is the worst possible choice. :)

Yes, I've reduced the gc_min_interval to 1, and it has been that way for
some time.

BTW, you may be interested in this old email from Alexey:

http://www.tux.org/hypermail/linux-kernel/1999week05/1113.html

(This was back when the GC was limited so much that legitimate traffic
was overflowing the table. DoS attacks must have been really effective
then. :))

Simon-

[ Simon Kirby ][ Network Operations ]
[ sim@netnation.com ][ NetNation Communications Inc. ]
[ Opinions expressed are not necessarily those of my employer. ]
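The single-pass idea quoted above (walk the bucket once to catch an entry another CPU cached while we were building ours, and on the same walk pick an unreferenced entry to free) written out as an added C example; this is not the patch from the thread or kernel code, and the entry layout, the TIMEOUT1/TIMEOUT2 values and the idle-time rule are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-in for a routing-cache entry in one hash bucket (constructed here, not struct rtable). */
struct rt_entry {
    struct rt_entry *next;
    uint32_t daddr;    /* destination address, the lookup key */
    uint32_t lastuse;  /* jiffies-like timestamp of last use */
    int refcnt;        /* in-use count; only unreferenced entries may be freed */
};
/* Idle thresholds the thread leaves open ("the trick is picking them"); values are assumptions. */
#define TIMEOUT1 30u  /* normal operation: evict only entries idle longer than this */
#define TIMEOUT2 5u   /* bucket under pressure: a much shorter idle limit */
/* One walk does both jobs: detect that daddr was cached behind our back, and
 * remember the least recently used unreferenced entry as an eviction candidate. */
static struct rt_entry *rt_walk(struct rt_entry *chain, uint32_t daddr, uint32_t now,
                                int under_pressure, struct rt_entry **victim)
{
    uint32_t limit = under_pressure ? TIMEOUT2 : TIMEOUT1, worst = 0;
    *victim = NULL;
    for (struct rt_entry *e = chain; e; e = e->next) {
        if (e->daddr == daddr)
            return e;                 /* lost the race: reuse the cached entry */
        if (e->refcnt != 0)
            continue;                 /* still referenced, cannot be freed */
        uint32_t idle = now - e->lastuse;
        if (idle > limit && idle > worst) {
            worst = idle; *victim = e;   /* idlest candidate seen so far */
        }
    }
    return NULL;
}
/* Insert `ent` unless an equivalent entry already exists, freeing at most one idle
 * entry per insert (handed back via *freed). Returns the entry now serving daddr. */
static struct rt_entry *rt_intern(struct rt_entry **chain, struct rt_entry *ent,
                                  uint32_t now, int under_pressure, struct rt_entry **freed)
{
    struct rt_entry *victim, *hit = rt_walk(*chain, ent->daddr, now, under_pressure, &victim);
    *freed = NULL;
    if (hit)
        return hit;                   /* caller discards `ent` */
    for (struct rt_entry **pp = chain; victim && *pp; pp = &(*pp)->next)   /* unlink victim */
        if (*pp == victim) { *pp = victim->next; *freed = victim; break; }
    ent->next = *chain;               /* push the fresh entry at the head */
    *chain = ent;
    return ent;
}
```

Note that the GC interval from the second quoted paragraph is a separate knob: this walk bounds work per insert, whereas gc_min_interval only decides how often the periodic collector may run.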