From: Eric Dumazet <edumazet@google.com>
To: "David S . Miller" <davem@davemloft.net>,
	Willem de Bruijn <willemb@google.com>,
	Mahesh Bandewar <maheshb@google.com>
Cc: netdev <netdev@vger.kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Eric Dumazet <eric.dumazet@gmail.com>
Subject: [PATCH net-next 6/8] net/packet: implement shortcut in tpacket_rcv()
Date: Wed, 12 Jun 2019 09:52:31 -0700
Message-ID: <20190612165233.109749-7-edumazet@google.com>
In-Reply-To: <20190612165233.109749-1-edumazet@google.com>

tpacket_rcv() can be hit under DDOS quite hard, since
it will always grab a socket spinlock, to eventually find
there is no room for an additional packet.

Using tcpdump [1] on a busy host can lead to catastrophic consequences,
because of all cpus spinning on a contended spinlock.

This replicates a similar strategy used in packet_rcv()

[1] Also some applications mistakenly use af_packet socket
bound to ETH_P_ALL only to send packets.
Receive queue is never drained and immediately full.

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/packet/af_packet.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 2d499679811af53886ce0c8a1cdd74cd73107eac..860ca3e6abf5198214612e9acc095530b61dac40 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2193,6 +2193,12 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 	if (!res)
 		goto drop_n_restore;
 
+	/* If we are flooded, just give up */
+	if (__packet_rcv_has_room(po, skb) == ROOM_NONE) {
+		atomic_inc(&po->tp_drops);
+		goto drop_n_restore;
+	}
+
 	if (skb->ip_summed == CHECKSUM_PARTIAL)
 		status |= TP_STATUS_CSUMNOTREADY;
 	else if (skb->pkt_type != PACKET_OUTGOING &&
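
Review bot: The comment on the new `__packet_rcv_has_room(po, skb) == ROOM_NONE` test ("If we are flooded, just give up") does not say that this is a best-effort check made before the socket spinlock the commit message refers to, so a reader could assume the answer still holds further down in tpacket_rcv(). Suggest wording along the lines of "Lockless early check: if there is already no room, count the drop and bail out without taking the socket lock", and stating in the commit message that the locked path after this point still has to handle a full queue itself, since room can disappear between this test and the lock. The placement after `if (!res) goto drop_n_restore;` looks deliberate and correct, since it keeps tp_drops limited to packets that passed the filter; one sentence in the changelog saying so would help, because anyone alerting on the drop counter during a flood will want to know that filtered-out packets are not included.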
-- 
2.22.0.rc2.383.gf4fbbf30c2-goog


Thread overview: 12+ messages
2019-06-12 16:52 [PATCH net-next 0/8] net/packet: better behavior under DDOS Eric Dumazet
2019-06-12 16:52 ` [PATCH net-next 1/8] net/packet: constify __packet_get_status() argument Eric Dumazet
2019-06-12 16:52 ` [PATCH net-next 2/8] net/packet: constify packet_lookup_frame() and __tpacket_has_room() Eric Dumazet
2019-06-12 16:52 ` [PATCH net-next 3/8] net/packet: constify prb_lookup_block() and __tpacket_v3_has_room() Eric Dumazet
2019-06-12 16:52 ` [PATCH net-next 4/8] net/packet: constify __packet_rcv_has_room() Eric Dumazet
2019-06-12 16:52 ` [PATCH net-next 5/8] net/packet: make tp_drops atomic Eric Dumazet
2019-06-12 16:52 ` Eric Dumazet [this message]
2019-06-12 16:52 ` [PATCH net-next 7/8] net/packet: remove locking from packet_rcv_has_room() Eric Dumazet
2019-06-12 16:52 ` [PATCH net-next 8/8] net/packet: introduce packet_rcv_try_clear_pressure() helper Eric Dumazet
2019-06-13  0:11   ` Vinicius Costa Gomes
2019-06-12 17:15 ` [PATCH net-next 0/8] net/packet: better behavior under DDOS Willem de Bruijn
2019-06-15  1:53 ` David Miller
