| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Sep 2012 04:59:53 +0200
From: Eric Dumazet <eric.dumazet@...il.com>
To: David Miller <davem@...emloft.net>
Cc: netdev <netdev@...r.kernel.org>,
Lorenzo Colitti <lorenzo@...gle.com>,
Maciej Żenczykowski <maze@...gle.com>,
Tom Herbert <therbert@...gle.com>
Subject: Re: [PATCH net-next 1/2] ipv6: force RTF_NONEXTHOP for SIT device
On Wed, 2012-09-12 at 14:01 +0200, Eric Dumazet wrote:
> From: Eric Dumazet <edumazet@...gle.com>
>
> We have special handling of SIT devices in addrconf_prefix_route()
> to avoid using a neighbour for each destination.
>
> If routing entry is :
>
> ip -6 route add 2001:db8::/64 dev sit1
>
> Then the kernel will create a new route for every new address
> under 2001:db8::/64 that we send a packet to (potentially, 2^64
> routes).
>
> Under load, we immediately get the infamous "Neighbour table overflow"
> message and machine eventually crash.
>
> This does not happen if we specify a next-hop explicitly, like so:
>
> ip -6 route add 2001:db8::/64 via fe80:: dev sit1
>
> We can avoid this hassle doing the SIT test in ip6_route_add() instead
> of addrconf_prefix_route().
>
> This permits ip6_pol_route() to clone route instead of calling
> rt6_alloc_cow() and allocate a neighbour
>
> Reported-by: Lorenzo Colitti <lorenzo@...gle.com>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Maciej Żenczykowski <maze@...gle.com>
> Cc: Tom Herbert <therbert@...gle.com>
> ---
> net/ipv6/addrconf.c | 10 ----------
> net/ipv6/route.c | 9 +++++++++
> 2 files changed, 9 insertions(+), 10 deletions(-)
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 1237d5d..c6837d2 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -1679,16 +1679,6 @@ addrconf_prefix_route(struct in6_addr *pfx, int plen, struct net_device *dev,
> };
>
> cfg.fc_dst = *pfx;
> -
> - /* Prevent useless cloning on PtP SIT.
> - This thing is done here expecting that the whole
> - class of non-broadcast devices need not cloning.
> - */
> -#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE)
> - if (dev->type == ARPHRD_SIT && (dev->flags & IFF_POINTOPOINT))
> - cfg.fc_flags |= RTF_NONEXTHOP;
> -#endif
> -
> ip6_route_add(&cfg);
> }
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index 399613b..d4ba3fc 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -1540,6 +1540,15 @@ int ip6_route_add(struct fib6_config *cfg)
> } else
> rt->rt6i_prefsrc.plen = 0;
>
> + /* Prevent useless cloning on PtP SIT.
> + * This thing is done here expecting that the whole
> + * class of non-broadcast devices need not cloning.
> + */
> +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE)
> + if (dev && dev->type == ARPHRD_SIT && (dev->flags & IFF_POINTOPOINT))
> + cfg->fc_flags |= RTF_NONEXTHOP;
> +#endif
> +
> if (cfg->fc_flags & (RTF_GATEWAY | RTF_NONEXTHOP)) {
> err = rt6_bind_neighbour(rt, dev);
> if (err)
>
Please hold this patch, I'll send a v2, based on excellent feedback from
Lorenzo.
Idea is to just do :
if (dev->flags & (IFF_POINTOPOINT | IFF_LOOPBACK))
cfg->fc_flags |= RFT_NONEXTHOP;
(no mention of SIT anymore, and a change in the title patch)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists