| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20171127233008.GA1418@salvia>
Date: Tue, 28 Nov 2017 00:30:08 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Linus Lüssing <linus.luessing@...3.blue>
Cc: netfilter-devel@...r.kernel.org,
Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>,
Florian Westphal <fw@...len.de>,
Stephen Hemminger <stephen@...workplumber.org>,
"David S . Miller" <davem@...emloft.net>, coreteam@...filter.org,
bridge@...ts.linux-foundation.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule
state
Hi Linus,
On Sat, Nov 25, 2017 at 08:44:18AM +0100, Linus Lüssing wrote:
> So far any changes with ebtables will reset the state of limit rules,
> leading to spikes in traffic. This is especially noticeable if changes
> are done frequently, for instance via a daemon.
>
> This patch fixes this by bailing out from (re)setting if the limit
> rule was initialized before.
>
> When sending packets every 250ms for 600s, with a
> "--limit 1/sec --limit-burst 50" rule and a command like this
> in the background:
>
> $ ebtables -N VOIDCHAIN
> $ while true; do ebtables -F VOIDCHAIN; sleep 30; done
>
> The results are:
>
> Before: ~1600 packets
> After: 650 packets
>
> Signed-off-by: Linus Lüssing <linus.luessing@...3.blue>
> ---
> net/bridge/netfilter/ebt_limit.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/bridge/netfilter/ebt_limit.c b/net/bridge/netfilter/ebt_limit.c
> index 61a9f1be1263..f74b48633feb 100644
> --- a/net/bridge/netfilter/ebt_limit.c
> +++ b/net/bridge/netfilter/ebt_limit.c
> @@ -69,6 +69,10 @@ static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
> {
> struct ebt_limit_info *info = par->matchinfo;
>
> + /* Do not reset state on unrelated table changes */
> + if (info->prev)
> + return 0;
What kernel version are you using? I suspect you don't have this
applied?
commit ec23189049651b16dc2ffab35a4371dc1f491aca
Author: Willem de Bruijn <willemb@...gle.com>
Date: Mon Jan 2 17:19:46 2017 -0500
xtables: extend matches and targets with .usersize
Powered by blists - more mailing lists