Message-ID: <20211229101945.GQ3272477@gauss3.secunet.de>
Date:   Wed, 29 Dec 2021 11:19:45 +0100
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     Antony Antony <antony.antony@...unet.com>
CC:     Thomas Egerer <thomas.egerer@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        "Jakub Kicinski" <kuba@...nel.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH ipsec-next v3] xfrm: rate limit SA mapping change message
 to user space

On Wed, Dec 22, 2021 at 02:11:18PM +0100, Antony Antony wrote:
> Kernel generates mapping change message, XFRM_MSG_MAPPING,
> when a source port change is detected on an input state with UDP
> encapsulation set.  Kernel generates a message for each IPsec packet
> with new source port.  For a high speed flow per packet mapping change
> message can be excessive, and can overload the user space listener.
> 
> Introduce rate limiting for XFRM_MSG_MAPPING message to the user space.
> 
> The rate limiting is configurable via netlink, when adding a new SA or
> updating it. Use the new attribute XFRMA_MTIMER_THRESH in seconds.
> 
> v1->v2 change:
> 	update xfrm_sa_len()
> 
> v2->v3 changes:
> 	use u32 instead of unsigned long to reduce size of struct xfrm_state
> 	fix xfrm_ompat size Reported-by: kernel test robot <lkp@...el.com>
> 	accept XFRM_MSG_MAPPING only when XFRMA_ENCAP is present
> 
> Co-developed-by: Thomas Egerer <thomas.egerer@...unet.com>
> Signed-off-by: Thomas Egerer <thomas.egerer@...unet.com>
> Signed-off-by: Antony Antony <antony.antony@...unet.com>

Applied, thanks a lot!
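
The rate limiting described in the quoted commit message, as a user-space sketch added here for illustration; it is not the kernel patch or code from this thread. The struct and function names, treating a threshold of 0 as "no limiting", and notifying at once when the port differs from the last one reported are all assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-SA rate-limit state; field names are assumptions. */
struct sa_mapping_rl {
    uint32_t thresh_secs; /* value XFRMA_MTIMER_THRESH would carry; 0 = no limiting (assumed) */
    uint32_t last_notify; /* time of the last message sent, in seconds */
    uint16_t last_sport;  /* source port reported in that message */
    bool     notified;    /* has any message been sent yet? */
};

/* Decide whether a mapping change message should go to the user space listener. */
bool mapping_should_notify(struct sa_mapping_rl *rl, uint16_t sa_sport,
                           uint16_t pkt_sport, uint32_t now)
{
    if (pkt_sport == sa_sport)
        return false;                /* no source port change on this packet */
    if (rl->thresh_secs == 0)
        return true;                 /* unlimited: one message per packet */
    if (rl->notified && rl->last_sport == pkt_sport &&
        (uint32_t)(now - rl->last_notify) <= rl->thresh_secs)
        return false;                /* same change already reported recently */
    rl->notified = true;
    rl->last_sport = pkt_sport;
    rl->last_notify = now;
    return true;
}

/* Constructed flow: `packets` packets at `pps` per second, SA configured with
 * source port 4500, every packet arriving from new source port 40000. */
unsigned count_notifications(uint32_t thresh_secs, unsigned packets, unsigned pps)
{
    struct sa_mapping_rl rl = { .thresh_secs = thresh_secs };
    unsigned sent = 0;

    for (unsigned i = 0; i < packets; i++)
        if (mapping_should_notify(&rl, 4500, 40000, i / pps))
            sent++;
    return sent;
}

int main(void)
{
    printf("no limit:    %u messages\n", count_notifications(0, 10000, 1000));
    printf("5 s limit:   %u messages\n", count_notifications(5, 10000, 1000));
    return 0;
}
```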
