On 7/17/18 11:40 AM, Cong Wang wrote:
> On Tue, Jul 17, 2018 at 5:11 AM <dsahern@xxxxxxxxxx> wrote:
>>
>> From: David Ahern <dsahern@xxxxxxxxx>
>>
>> Nikita Leshenko reported that neighbor entries in one namespace can
>> evict neighbor entries in another. The problem is that the neighbor
>> tables have entries across all namespaces without separate accounting
>> and with global limits on when to scan for entries to evict.
>
> It is nothing new; people, including me, already noticed this before.
>
>
>>
>> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
>> namespace and making the accounting and threshold limits per namespace.
>
>
> The last discussion about this a long time ago concluded that neigh
> table entries are controllable by remote, so after moving it to per netns,
> it would be easier to DOS the host.
>

There are still limits on the total number of entries, and with per-namespace
limits an admin has better control.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html