lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 18 Oct 2008 09:30:28 -0400
From:	Neil Horman <>
To:	Eric Dumazet <>
Cc:	David Miller <>,,,,,,,,, Stephen Hemminger <>
Subject: Re: [PATCH] net: implement emergency route cache rebulds when
	gc_elasticity is exceeded

On Sat, Oct 18, 2008 at 06:36:10AM +0200, Eric Dumazet wrote:
> Neil Horman a écrit :
>> Sorry for the additional noise, but Eric just pointed out that I'd missed an
>> email from him and consequently a few comments.  I've made the appropriate
>> updates in this patch, which is otherwise unchanged.  The only comment I'd
>> skipped was the request for an additional stat in /proc/net/stat/rt_cache for a
>> per net rebuild count.  I figure thats a good break point to submit an
>> additional follow on patch for.
> OK, yet an admin cannot know if its route cache is disabled or not...
> Right its can be addressed in a follow path.
>> This is a patch to provide on demand route cache rebuilding.  Currently, our
>> route cache is rebulid periodically regardless of need.  This introduced
>> unneeded periodic latency.  This patch offers a better approach.  Using code
>> provided by Eric Dumazet, we compute the standard deviation of the average hash
>> bucket chain length while running rt_check_expire.  Should any given chain
>> length grow to larger that average plus 4 standard deviations, we trigger an
>> emergency hash table rebuild for that net namespace.  This allows for the common
>> case in which chains are well behaved and do not grow unevenly to not incur any
>> latency at all, while those systems (which may be being maliciously attacked),
>> only rebuild when the attack is detected.  This patch take 2 other factors into
>> account:
>> 1) chains with multiple entries that differ by attributes that do not affect the
>> hash value are only counted once, so as not to unduly bias system to rebuilding
>> if features like QOS are heavily used
>> 2) if rebuilding crosses a certain threshold (which is adjustable via the added
>> sysctl in this patch), route caching is disabled entirely for that net
>> namespace, since constant rebuilding is less efficient that no caching at all
>> Tested successfully by me.
>> Regards
>> Neil
>> Signed-off-by: Neil Horman <>
> OK, its almost done Neil :)

Copy that :).  I'll take the weekend to go over this and repost it with _all_
your suggestions monday afternoon-ish.

Thanks for all your input :)

 * Neil Horman <>
 * Software Engineer, Red Hat
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists