| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20160309.121928.103638956202937455.davem@davemloft.net> Date: Wed, 09 Mar 2016 12:19:28 -0500 (EST) From: David Miller <davem@...emloft.net> To: gorcunov@...il.com Cc: eric.dumazet@...il.com, netdev@...r.kernel.org, solar@...nwall.com, vvs@...tuozzo.com, avagin@...tuozzo.com, xemul@...tuozzo.com, vdavydov@...tuozzo.com, khorenko@...tuozzo.com Subject: Re: [RFC] net: ipv4 -- Introduce ifa limit per net From: Cyrill Gorcunov <gorcunov@...il.com> Date: Wed, 9 Mar 2016 19:39:19 +0300 > 9.21% [kernel] [k] nf_ct_iterate_cleanup ... > Release > ------- > 24.26% [kernel] [k] _raw_spin_lock > 17.55% [kernel] [k] preempt_count_add > 14.81% [kernel] [k] __local_bh_enable_ip > 14.17% [kernel] [k] preempt_count_sub > 10.10% [kernel] [k] nf_ct_iterate_cleanup ... > The main problem still I think is that we allow to request > as many inet addresses as there is enough free memory and > of course kernel can't handle all in O(1) time, all resources > must be released so there always be some lagging moment. Thus > maybe introducing limits would be a good idea for sysadmins. Primary problem seems to be netfilter conntrack. It's at least 10 times more expensive than any of the other operations and probably is where all of the lock banging is coming from. I'm not adding a limit when there is so much low hanging fruit remaining, no way.
Powered by blists - more mailing lists