| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 Aug 2016 17:00:48 -0400 (EDT) From: Lance Richardson <lrichard@...hat.com> To: dev@...nvswitch.com, netdev@...r.kernel.org Cc: azhou@....org, David Miller <davem@...emloft.net> Subject: Re: [net] openvswitch: Allow deferred action fifo to expand during run time > From: "David Miller" <davem@...emloft.net> > To: azhou@....org > Cc: dev@...nvswitch.com, netdev@...r.kernel.org > Sent: Friday, March 18, 2016 5:19:09 PM > Subject: Re: [net] openvswitch: Allow deferred action fifo to expand during run time > > From: Andy Zhou <azhou@....org> > Date: Thu, 17 Mar 2016 21:32:13 -0700 > > > Current openvswitch implementation allows up to 10 recirculation actions > > for each packet. This limit was sufficient for most use cases in the > > past, but with more new features, such as supporting connection > > tracking, and testing in larger scale network environment, > > This limit may be too restrictive. > ... > > Actions that need to recirculate that many times are extremely poorly > designed, and will have significant performance problems. > > I think the way rules are put together and processed should be redone > before we do insane stuff like this. > > There is no way I'm applying a patch like this, sorry. > Apologies for coming into this thread so late, I happened on it after finding out that this is actually an issue in some production networks. The need to buffer so many deferred actions seems to be mostly due to having relatively simple rules (that have, say, one or two recirculations) that get multiplied per packet by the number of egress ports. For example, a configuration with 11 or more OVS bond ports in balance-tcp mode (which needs one recirculation) will exceed the deferred action fifo limit of 10 every time a broadcast (or multicast or unknown unicast) is forwarded by the OVS bridge because one entry will be consumed by each egress port. Since the order in which egress ports are handled is deterministic, this means e.g. broadcast ARP requests will only ever make it out the first 10 bond ports in this scenario. Note that bonding isn't necessary to have this issue, it just makes for a relatively straightforward example. Andy's patch certainly seems to be an improvement on this situation, but maybe there another/better way. Regards, Lance
Powered by blists - more mailing lists