lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <bf6e0548-7cb3-41b4-b90e-57538e8303ff@linux.alibaba.com>
Date: Wed, 16 Oct 2024 15:28:15 +0800
From: Philo Lu <lulie@...ux.alibaba.com>
To: Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org
Cc: willemdebruijn.kernel@...il.com, davem@...emloft.net,
 edumazet@...gle.com, kuba@...nel.org, dsahern@...nel.org,
 antony.antony@...unet.com, steffen.klassert@...unet.com,
 linux-kernel@...r.kernel.org, dust.li@...ux.alibaba.com,
 jakub@...udflare.com, fred.cc@...baba-inc.com,
 yubing.qiuyubing@...baba-inc.com
Subject: Re: [PATCH v4 net-next 3/3] ipv4/udp: Add 4-tuple hash for connected
 socket



On 2024/10/14 18:19, Paolo Abeni wrote:
> On 10/12/24 03:29, Philo Lu wrote:
>> Currently, the udp_table has two hash table, the port hash and portaddr
>> hash. Usually for UDP servers, all sockets have the same local port and
>> addr, so they are all on the same hash slot within a reuseport group.
>>
>> In some applications, UDP servers use connect() to manage clients. In
>> particular, when firstly receiving from an unseen 4 tuple, a new socket
>> is created and connect()ed to the remote addr:port, and then the fd is
>> used exclusively by the client.
> 
> How do you handle the following somewhat racing scenario? a 2nd packet 
> beloning to the same 4-tulpe lands into the unconnected socket receive 
> queue just after the 1st one, before the connected socket is created. 
> The server process such packet after the connected socket creation.
> 

One method is to address it in application. Application maintains the 
information of connections, and it knows which connection to deliver 
incoming packets.

If the 2nd packet comes from the "listen" socket (i.e., the initial 
unconnected socket), app can search for the connection of it. Note that 
upon the 1st packet receiving, the connection is already created though 
the socket is not ready, so it can be found for the 2nd packet.

In this case, maybe several packets are processed with this method until 
the new connected socket created. Then it runs as we expect.

So I think it cannot be prevented but can be handled, depending on how 
applications use it.

> How many connected sockets is your system serving concurrently? Possibly 

About 10000 conns in general. So current same-sized hash4 table is 
enough for us now.

> it would make sense to allocate a larger hash table for the connected 
> UDP sockets, using separate/different min/max/scale values WRT to the 
> unconnected tables.
> 

Agreed that it's a good idea. But imo it could be left as future work 
when we definitely need it.

Thanks.
-- 
Philo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ