Message-ID: <25693a6e-1919-f02d-6026-46839ea11bf7@gmail.com>
Date:   Sat, 25 Sep 2021 09:25:38 -0600
From:   David Ahern <dsahern@...il.com>
To:     Florian Westphal <fw@...len.de>, Jakub Kicinski <kuba@...nel.org>
Cc:     Alexander Kuznetsov <wwfq@...dex-team.ru>, netdev@...r.kernel.org,
        zeil@...dex-team.ru
Subject: Re: [PATCH] ipv6: enable net.ipv6.route sysctls in network namespace

On 9/21/21 9:32 AM, Florian Westphal wrote:
> Jakub Kicinski <kuba@...nel.org> wrote:
>> On Tue, 21 Sep 2021 09:22:04 +0300 Alexander Kuznetsov wrote:
>>> We want to increase route cache size in network namespace
>>> created with user namespace. Currently ipv6 route settings
>>> are disabled for non-initial network namespaces.
>>> Since routes are per network namespace it is safe
>>> to enable these sysctls.
> 
> Are routes accounted towards memcg or something like that?
> 
> Otherwise userns could start eating up memory by cranking the limit
> up to 11 and just adds a gazillion routes?
> 

Adding FIB entries I believe is now handled after commit:

commit 6126891c6d4f6f4ef50323d2020635ee255a796e
Author: Vasily Averin <vvs@...tuozzo.com>
Date:   Mon Jul 19 13:44:31 2021 +0300

    memcg: enable accounting for IP address and routing-related objects


The ip6_rt_max_size sysctl manages the number of dst entries (cached
dst's and exceptions) that can be created, and there should be some
limit that network namespace users can not exceed.
