lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20160309.122400.951958972682394628.davem@davemloft.net>
Date:	Wed, 09 Mar 2016 12:24:00 -0500 (EST)
From:	David Miller <davem@...emloft.net>
To:	gorcunov@...il.com
Cc:	alexei.starovoitov@...il.com, eric.dumazet@...il.com,
	netdev@...r.kernel.org, solar@...nwall.com, vvs@...tuozzo.com,
	avagin@...tuozzo.com, xemul@...tuozzo.com, vdavydov@...tuozzo.com,
	khorenko@...tuozzo.com
Subject: Re: [RFC] net: ipv4 -- Introduce ifa limit per net

From: Cyrill Gorcunov <gorcunov@...il.com>
Date: Wed, 9 Mar 2016 20:09:21 +0300

> On Wed, Mar 09, 2016 at 08:58:52AM -0800, Alexei Starovoitov wrote:
> ...
>> 
>> above line is an indication that you have:
>> #if defined(CONFIG_DEBUG_PREEMPT) || defined(CONFIG_PREEMPT_TRACER)
>> turning it off will speed up things significantly.
> 
> Look, this won't change the overall picture. For sure it will
> speedup the kernel but it won't prevent the users from allowing
> allocating addresses. So timings will drop a bit but the main
> issue will remain -- there is no explicit way to limit this
> resource. We can create say 1K of netnamespaces and allocate
> 100K addresses in each, then start destorying the namespaces
> and node gonna be unreachable until everything is freed. The
> kernel works as it shold simply in case of highload is stops
> react due to big number of rtnl-locks taken.

We asked you for numbers without a lot of features enabled, it'll
help us diagnose which subsystem still causes a lot of overhead
much more clearly.

So please do so.

Although it's already pretty clear that netfilter conntrack
cleanup is insanely expensive.

You're also jumping to a lot of conclusions, work with us to fix the
fundamental performance problems rather than continually insisting on
a limit.

We should be able to remove millions of IP addresses in less than
half a second, no problem.  Limits make no sense at all.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ