| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 1 Feb 2015 14:26:11 +0200 From: "Michael S. Tsirkin" <mst@...hat.com> To: David Woodhouse <dwmw2@...radead.org> Cc: Herbert Xu <herbert@...dor.apana.org.au>, Eric Dumazet <eric.dumazet@...il.com>, Jan Kiszka <jan.kiszka@...mens.com>, "David S. Miller" <davem@...emloft.net>, Paul Moore <paul.moore@...com>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, qemu-devel <qemu-devel@...gnu.org> Subject: Re: [PATCH] tun: orphan an skb on tx On Sun, Feb 01, 2015 at 11:20:33AM +0000, David Woodhouse wrote: > On Wed, 2010-04-14 at 08:58 +0800, Herbert Xu wrote: > > On Tue, Apr 13, 2010 at 08:31:03PM +0200, Eric Dumazet wrote: > > > > > > Herbert Acked your patch, so I guess its OK, but I think it can be > > > dangerous. > > > > The tun socket accounting was never designed to stop it from > > flooding another tun interface. It's there to stop it from > > transmitting above a destination interface TX bandwidth and > > cause unnecessary packet drops. It also limits the total amount > > of kernel memory that can be pinned down by a single tun interface. > > > > In this case, all we're doing is shifting the accounting from the > > "hardware" queue to the qdisc queue. > > > > So your ability to flood a tun interface is essentially unchanged. > > I've just been looking at VPN performance, using netperf to flood an > openconnect/ocserv connection over GigE and profiling my VPN client. > > If I run netperf over the *unencrypted* link, it only sends 1Gb/s of > packets — because the packets are correctly accounted to netperf's UDP > socket until the moment they're actually transmitted on the wire, and > the backpressure works correctly. > > When I run over the VPN, netperf thinks it sent 2½ times the amount of > TX traffic. At some level, it's expected: netperf's manual actually says: A UDP_STREAM test has no end-to-end flow control - UDP provides none and neither does netperf. However, if you wish, you can configure netperf with --enable-intervals=yes to enable the global command-line -b and -w options to pace bursts of traffic onto the network. > Packets are being dropped by the tun device before even > feeding them up to the VPN client to be sent — presumably because of > this skb_orphan() call. (The client itself should do the right thing, > and only suck packets out of the tun at the rate it can shove them out > *its* UDP socket.) A simple work-around is to limit the rate using a non work conservig qdisc. > Did we ever look at the alternative solution of taking ownership only > after a timeout, or on demand when we need to shut down the device? I've been thinking about this on and off, but didn't find a good safe solution yet. For timeout, the difficulty is to find a good timer value, low enough to avoid DOS attacks but high enough to avoid spurious packet drops (and expensive timer interrupts). -- MST -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists