lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Sun, 8 Mar 2020 11:57:42 +0100
From:   Alarig Le Lay <alarig@...rdarmor.fr>
To:     David Ahern <dsahern@...il.com>
Cc:     netdev@...r.kernel.org, jack@...ilfillan.uk,
        Vincent Bernat <bernat@...ian.org>
Subject: Re: IPv6 regression introduced by commit
 3b6761d18bc11f2af2a6fc494e9026d39593f22c

On sam.  7 mars 17:52:10 2020, David Ahern wrote:
> On 3/5/20 1:17 AM, Alarig Le Lay wrote:
> Kernel version?

I’ve seen this from 4.19 on my experience, it works at least until 4.15.

> you are monitoring neighbor states with 'ip monitor' or something else?

Yes, 'ip -ts monitor neigh' to be exact.

> The above does not reproduce for me on 5.6 or 4.19, and I would have
> been really surprised if it had, so I have to question the git bisect
> result.

My personal experience is that, while routing is activated (and having a
full-view, I don’t have any soft router without it), the neighbors are
flapping, thus causing a blackhole.
It doesn’t happen with a limit traffic processing. The limit is around
20 Mbps from what I can see.

> There is no limit on fib entries, and the number of FIB entries has no
> impact on the sysctl in question, net.ipv6.route.max_size. That sysctl
> limits the number of dst_entry instances. When the threshold is exceeded
> (and the gc_thesh for ipv6 defaults to 1024), each new alloc attempts to
> free one via gc. There are many legitimate reasons for why 4k entries
> have been created - mtu exceptions, redirects, per-cpu caching, vrfs, ...

I also tried to find a sysctl to ignore the MTU exceptions, as a router
it’s not my problem at all: if the packet is fragmentable, I will do it,
otherwise I will drop it. The MTU negotiation is on the duty of the ends.
I’m not taking the MSS clamping in account as it’s done with iptables
and the mangle table is empty (but CONFIG_IP_NF_MANGLE is enabled).

> In 4.9 FIB entries are created as an rt6_info which is a v6 wrapper
> around dst_entry. That changed in 4.15 or 4.16 - I forget which now, and
> the commit you reference above is part of the refactoring to make IPv6
> more like IPv4 with a different, smaller data structure for fib entries.
> A lot of other changes have also gone into IPv6 between 4.9 and top of
> tree, and at this point the whole gc thing can probably go away for v6
> like it was removed for ipv4.

As it works on 4.15 (the kernel shipped with proxomox 5), I would say
that it has been introduced in 4.16. But I didn’t checked each version
myself.

> Try the 5.4 LTS and see if you still hit a problem.

I have the problem with 5.3 (proxmox 6), so unless FIB handling has been
changed since then, I doubt that it will works, but I will try on
Monday.

Regards,
-- 
Alarig

Powered by blists - more mailing lists