From: "Daniel Xu" <dxu@dxuuu.xyz>
To: "Pablo Neira Ayuso" <pablo@netfilter.org>,
"Jozsef Kadlecsik" <kadlec@netfilter.org>,
"Florian Westphal" <fw@strlen.de>,
netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, ppenkov@aviatrix.com
Subject: ip_set_hash_netiface
Date: Tue, 25 Oct 2022 00:19:55 -0600 [thread overview]
Message-ID: <9a91603a-7b8f-4c6d-9012-497335e4373b@app.fastmail.com> (raw)
Hi Pablo,
I'm following up with our hallway chat yesterday about how ipset
hash:net,iface can easily OOM.
Here's a quick reproducer (stolen from
https://bugzilla.kernel.org/show_bug.cgi?id=199107):
$ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0
$ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done
This used to cause a NULL ptr deref panic before
https://github.com/torvalds/linux/commit/2b33d6ffa9e38f344418976b06 .
Now it'll either allocate a huge amount of memory or fail a
vmalloc():
[Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages
<...>
[Tue Oct 25 00:13:08 2022] Call Trace:
[Tue Oct 25 00:13:08 2022] <TASK>
[Tue Oct 25 00:13:08 2022] dump_stack_lvl+0x48/0x60
[Tue Oct 25 00:13:08 2022] warn_alloc+0x155/0x180
[Tue Oct 25 00:13:08 2022] __vmalloc_node_range+0x72a/0x760
[Tue Oct 25 00:13:08 2022] ? hash_netiface4_add+0x7c0/0xb20
[Tue Oct 25 00:13:08 2022] ? __kmalloc_large_node+0x4a/0x90
[Tue Oct 25 00:13:08 2022] kvmalloc_node+0xa6/0xd0
[Tue Oct 25 00:13:08 2022] ? hash_netiface4_resize+0x99/0x710
<...>
Note that this behavior is somewhat documented
(https://ipset.netfilter.org/ipset.man.html):
> The internal restriction of the hash:net,iface set type is that the same
> network prefix cannot be stored with more than 64 different interfaces
> in a single set.
I'm not sure how hard it would be to enforce a limit, but I think it would
be a bit better to error than allocate many GBs of memory.
Thanks,
Daniel
next reply other threads:[~2022-10-25 6:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-25 6:19 Daniel Xu [this message]
2022-10-26 12:26 ` ip_set_hash_netiface Jozsef Kadlecsik
2022-10-27 9:06 ` ip_set_hash_netiface Daniel Xu
2022-10-28 7:51 ` ip_set_hash_netiface David Laight
2022-10-28 10:59 ` ip_set_hash_netiface Jozsef Kadlecsik
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9a91603a-7b8f-4c6d-9012-497335e4373b@app.fastmail.com \
--to=dxu@dxuuu.xyz \
--cc=coreteam@netfilter.org \
--cc=fw@strlen.de \
--cc=kadlec@netfilter.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=ppenkov@aviatrix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.