Message-ID: <CANn89iKMe7WZS-Q4rzqEUUD+ANL6Fmb6BnFo8TvX7y_EVi=HOw@mail.gmail.com>
Date: Thu, 1 Sep 2022 09:06:59 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Richard Gobert <richardbgobert@...il.com>
Cc: David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Jonathan Corbet <corbet@....net>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
David Ahern <dsahern@...nel.org>,
Alexander Aring <alex.aring@...il.com>,
Stefan Schmidt <stefan@...enfreihafen.org>,
Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...filter.org>,
Florian Westphal <fw@...len.de>,
Martin KaFai Lau <kafai@...com>,
netdev <netdev@...r.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, linux-wpan@...r.kernel.org,
netfilter-devel@...r.kernel.org, coreteam@...filter.org
Subject: Re: [PATCH 3/4] net-next: frags: add inetpeer frag_mem tracking

On Thu, Sep 1, 2022 at 8:03 AM Richard Gobert <richardbgobert@...il.com> wrote:
>
> On Mon, Aug 29, 2022 at 03:15:47PM -0700, Eric Dumazet wrote:
> > We tried to get rid of any dependence over inetpeer, which is not
> > resistant against DDOS attacks.
> >
> > So I would not add a new dependency.
>
> I see your point. What do you suggest doing differently?
>
> The inetpeer mechanism is used for IPv4 frags. If it isn't resistant
> against DDoS attacks, can it perhaps be improved?

It can be disabled if needed, by changing the ipfrag_max_dist sysctl.

Quite frankly, the IPv4 reassembly unit is a toy; I am always surprised
some applications are still relying on IP fragments.