From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-ed1-f67.google.com ([209.85.208.67]:44353 "EHLO mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730000AbeGQSOE (ORCPT ); Tue, 17 Jul 2018 14:14:04 -0400
MIME-Version: 1.0
References: <20180717120651.15748-1-dsahern@kernel.org>
In-Reply-To: <20180717120651.15748-1-dsahern@kernel.org>
From: Cong Wang
Date: Tue, 17 Jul 2018 10:40:09 -0700
Message-ID:
Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
Content-Type: text/plain; charset="UTF-8"
Sender: linux-wpan-owner@vger.kernel.org
List-ID:
To: dsahern@kernel.org
Cc: Linux Kernel Network Developers, nikita.leshchenko@oracle.com, Roopa Prabhu, Stephen Hemminger, Ido Schimmel, Jiri Pirko, Saeed Mahameed, alex.aring@gmail.com, linux-wpan@vger.kernel.org, NetFilter, LKML, David Ahern

On Tue, Jul 17, 2018 at 5:11 AM wrote:
>
> From: David Ahern
>
> Nikita Leshenko reported that neighbor entries in one namespace can
> evict neighbor entries in another. The problem is that the neighbor
> tables have entries across all namespaces without separate accounting
> and with global limits on when to scan for entries to evict.

This is nothing new; people, including me, have already noticed this before.

>
> Resolve by making the neighbor tables for ipv4, ipv6 and decnet per
> namespace and making the accounting and threshold limits per namespace.

The last discussion about this, a long time ago, concluded that neigh table entries are controllable by remote, so after moving them to per-netns it would be easier to DoS the host.