On Tue, Jul 17, 2018 at 10:43 AM David Ahern <dsahern@xxxxxxxxx> wrote:
>
> On 7/17/18 11:40 AM, Cong Wang wrote:
> > On Tue, Jul 17, 2018 at 5:11 AM <dsahern@xxxxxxxxxx> wrote:
> >>
> >> From: David Ahern <dsahern@xxxxxxxxx>
> >>
> >> Nikita Leshenko reported that neighbor entries in one namespace can
> >> evict neighbor entries in another. The problem is that the neighbor
> >> tables have entries across all namespaces without separate accounting
> >> and with global limits on when to scan for entries to evict.
> >
> > It is nothing new, people including me already noticed this before.
> >
> >
> >>
> >> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
> >> namespace and making the accounting and threshold limits per namespace.
> >
> >
> > The last discussion about this a long time ago concluded that neigh
> > table entries are controllable by remote, so after moving it to per netns,
> > it would be easier to DOS the host.
> >
>
> There are still limits on the total number of entries and with
> per-namespace limits an admin has better control.

Per-netns limit is *exactly* the problem here. Quote from David Miller:

"
From: ebiederm@xxxxxxxxxxxx (Eric W. Biederman)
Date: Wed, 25 Jun 2014 18:17:08 -0700

> I disagree that removing a global DOS prevention check is a benefit.
> Certainly large semantics changes like that should not happen without
> being discussed in the patch description.

Agreed, this is the most important core issue.

If we just make these things per netns, then as a result if you create N
namespaces we will allow N times more neighbour entries to be sitting in
the system at once.

Actually, I'm really surprised the limits get hit and this actually
causes problems.
"

You can see the original discussion here:

https://marc.info/?l=linux-netdev&m=140356141019653&w=2