Date:   Wed, 15 Nov 2017 22:34:10 +0100
From:   Egil Hjelmeland <privat@...l-hjelmeland.no>
To:     Sarah Newman <srn@...mr.com>, netdev@...r.kernel.org
Subject: Re: [PATCH] net: bridge: add max_fdb_count



On 15 Nov 2017 20:27, Sarah Newman wrote:
> Current memory and CPU usage for managing bridge fdb entries is unbounded.
> Add a parameter max_fdb_count, controlled from sysfs, which places an upper
> limit on the number of entries. Defaults to 1024.
> 
> When max_fdb_count is met or exceeded, whether traffic is sent out a
> given port should depend on its flooding behavior.
> 
> This may instead be mitigated by filtering mac address entries in the
> PREROUTING chain of the ebtables nat table, but this is only practical
> when mac addresses are known in advance.
> 
> Signed-off-by: Sarah Newman <srn@...mr.com>
> ---
>   net/bridge/br_device.c   |  2 ++
>   net/bridge/br_fdb.c      | 25 ++++++++++++++++++++-----
>   net/bridge/br_private.h  |  3 +++
>   net/bridge/br_sysfs_br.c | 24 ++++++++++++++++++++++++
>   4 files changed, 49 insertions(+), 5 deletions(-)
> 
> diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
> index 723f25e..18fabdf 100644
> --- a/net/bridge/br_sysfs_br.c
> +++ b/net/bridge/br_sysfs_br.c
> @@ -335,6 +335,28 @@ static ssize_t flush_store(struct device *d,
>   }
>   static DEVICE_ATTR_WO(flush);
>   
> +static ssize_t max_fdb_count_show(struct device *d, struct device_attribute *attr,
> +			     char *buf)
> +{
> +	struct net_bridge *br = to_bridge(d);
> +	return sprintf(buf, "%lu\n", br->max_fdb_count);
> +}
> +
> +static ssize_t max_fdb_count_store(struct device *d, struct device_attribute *attr,
> +			      const char *buf, size_t len)
> +{
> +	return store_bridge_parm(d, buf, len, br_set_max_fdb_count);
> +}
> +static DEVICE_ATTR_RW(max_fdb_count);
> +
> +static ssize_t fdb_count_show(struct device *d, struct device_attribute *attr,
> +			    char *buf)
> +{
> +	struct net_bridge *br = to_bridge(d);
> +	return sprintf(buf, "%lu\n", br->fdb_count);
> +}
> +static DEVICE_ATTR_RO(fdb_count);
> +
>   #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
>   static ssize_t multicast_router_show(struct device *d,
>   				     struct device_attribute *attr, char *buf)
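Review bot: the store side of this hunk delegates to br_set_max_fdb_count() via store_bridge_parm(), and that setter is not in the quoted hunks, so the only validation a reviewer can check here is absent: whether a value of 0 is accepted and what it means, and whether lowering the limit below the current fdb_count is allowed. Please include br_fdb.c and br_private.h when reposting so the setter and the field types can be reviewed together; the "%lu" format in both show callbacks assumes both fields are unsigned long, which must match the br_private.h declaration. The fdb_count read in fdb_count_show() is unlocked, which is fine for a statistics display, but if the counter is updated from the data path on several CPUs a READ_ONCE() (and a matching WRITE_ONCE() or atomic in br_fdb.c) would make that intent explicit.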
> @@ -830,6 +852,8 @@ static ssize_t vlan_stats_enabled_store(struct device *d,
>   	&dev_attr_gc_timer.attr,
>   	&dev_attr_group_addr.attr,
>   	&dev_attr_flush.attr,
> +	&dev_attr_max_fdb_count.attr,
> +	&dev_attr_fdb_count.attr,
>   #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
>   	&dev_attr_multicast_router.attr,
>   	&dev_attr_multicast_snooping.attr,
> 
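Review bot: this hunk exposes max_fdb_count and fdb_count through sysfs only; the diffstat shows no change to br_netlink.c, so there is no rtnetlink (IFLA_BR_*) counterpart for setting or reading the new limit, which is the interface the bridge currently prefers for new per-bridge options. Consider adding the netlink attribute alongside the sysfs one, and document both new sysfs entries under Documentation/ABI as every new attribute requires.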



Documentation/filesystems/sysfs.txt:

All new sysfs attributes must be documented in Documentation/ABI. See 
also Documentation/ABI/README for more information.


Egil
