Am 17. Januar 2015 09:32:28 GMT+00:00, schrieb Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>: >On Sat, Jan 17, 2015 at 08:06:21AM +0000, Patrick McHardy wrote: >> >> Resizing might also fail because of memory allocation problems, but >> I'd argue that its better to continue with a non-optimal sized table >> and retry later than to completely fail, at least unless the API >> user has explicitly requested this behaviour. >> >> As for the element counter, yeah, it should prevent overflow. In that >> case I agree that failing insertion is the easiest solution. > >Well you have to consider the security aspect. These days root- >only is no longer an acceptable excuse given things like namespaces. > >If you don't fail the insertions while the expansion is ongoing, >and assuming a dump can postpone expansions, then you can essentially >insert entries into the hash table at will which is an easy DoS >attack. I agree, however at least in the case of nftables you can easily do the same thing by adding millions of rules. It doesn't make things worse. >Note that you don't have to fail the insertion right away. I >think waiting until you reach max * 2 would be fine. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html