From: Jesper Dangaard Brouer <jbrouer@redhat.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	netfilter-devel@vger.kernel.org, netdev <netdev@vger.kernel.org>,
	Tom Herbert <therbert@google.com>,
	Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH v2 nf-next] netfilter: conntrack: remove the central spinlock
Date: Mon, 27 May 2013 14:33:46 +0200	[thread overview]
Message-ID: <20130527143346.2d19e854@redhat.com> (raw)
In-Reply-To: <1369403496.3301.401.camel@edumazet-glaptop>

On Fri, 24 May 2013 06:51:36 -0700
Eric Dumazet <eric.dumazet@gmail.com> wrote:

> On Fri, 2013-05-24 at 15:16 +0200, Jesper Dangaard Brouer wrote:
[...cut...]
> > I'm amazed, this patch will actually make it a viable choice to load
> > the conntrack modules on a DDoS based filtering box, and use the
> > conntracks to protect against ACK and SYN+ACK attacks.
> > 
> > Simply by not accepting the ACK or SYN+ACK to create a conntrack
> > entry. Via the command:
> >  sysctl -w net/netfilter/nf_conntrack_tcp_loose=0
> > 
> > A quick test shows: now I can run a LISTEN process on the port, and
> > handle a SYN+ACK attack of approx 2580Kpps (and the same for ACK
> > attacks), while running a LISTEN process on the port.
> > 
[...]
> > 
> 
> Wow, this is very interesting !
> 
> Did you test the thing when expectations are possible ? (say ftp
> module loaded)

Nope. I'm not sure how to create a test case that causes an
expectation to be created.

> I think we should add RCU in the fast path, instead of having to lock
> the expectation lock. It's totally doable.

Interesting! :-)

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Sr. Network Kernel Developer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer
