Message-ID: <4C04E3E2.7020209@trash.net>
Date: Tue, 01 Jun 2010 12:41:38 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Eric Dumazet <eric.dumazet@...il.com>
CC: Changli Gao <xiaosuo@...il.com>, hawk@...x.dk,
Jesper Dangaard Brouer <hawk@...u.dk>,
paulmck@...ux.vnet.ibm.com,
Linux Kernel Network Hackers <netdev@...r.kernel.org>,
Netfilter Developers <netfilter-devel@...r.kernel.org>
Subject: Re: DDoS attack causing bad effect on conntrack searches

Eric Dumazet wrote:
> On Tuesday, 01 June 2010 at 12:18 +0200, Patrick McHardy wrote:
>
>> If a new conntrack is created in PRE_ROUTING or LOCAL_OUT, it will be
>> added to the unconfirmed list and moved to the hash as soon as the
>> packet passes POST_ROUTING. This means the number of unconfirmed entries
>> created by the network is bound by the number of CPUs due to BH
>> processing. The number created by locally generated packets is unbound
>> in case of preemptible kernels however.
>>
>
> OK, we should have a percpu list then.

Yes, that makes sense.

> BTW, I notice nf_conntrack_untracked is incorrectly annotated
> '__read_mostly'.
>
> It can be written very often :(
>
> Shouldn't we special-case it and let it be really const?

That would need quite a bit of special-casing to avoid touching
the reference counts. So far this is completely hidden, so I'd
say it just shouldn't be marked __read_mostly. Alternatively we
can make "untracked" a nfctinfo state.