From: Christian Brauner <christian.brauner@ubuntu.com>
To: David Ahern <dsahern@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next] ipv6/route: inherit max_sizes from current netns
Date: Wed, 20 May 2020 19:27:44 +0200 [thread overview]
Message-ID: <20200520172744.fytw6aojounuf735@wittgenstein> (raw)
In-Reply-To: <20200520172417.4m7pyalpftdd2xrm@wittgenstein>
On Wed, May 20, 2020 at 07:24:18PM +0200, Christian Brauner wrote:
> On Wed, May 20, 2020 at 10:54:21AM -0600, David Ahern wrote:
> > On 5/20/20 8:58 AM, Christian Brauner wrote:
> > > During NorthSec (cf. [1]) a very large number of unprivileged
> > > containers and nested containers are run during the competition to
> > > provide a safe environment for the various teams during the event. Every
> > > year a range of feature requests or bug reports come out of this and
> > > this year's no different.
> > > One of the containers was running a simple VPN server. There were about
> > > 1.5k users connected to this VPN over ipv6 and the container was setup
> > > with about 100 custom routing tables when it hit the max_sizes routing
> > > limit. After this no new connections could be established anymore,
> > > pinging didn't work anymore; you get the idea.
> > >
> >
> > should have been addressed by:
> >
> > commit d8882935fcae28bceb5f6f56f09cded8d36d85e6
> > Author: Eric Dumazet <edumazet@google.com>
> > Date: Fri May 8 07:34:14 2020 -0700
> > ipv6: use DST_NOCOUNT in ip6_rt_pcpu_alloc()
> > We currently have to adjust ipv6 route gc_thresh/max_size depending
> > on number of cpus on a server, this makes very little sense.
> >
> >
> > Did your tests include this patch?
>
> No, it's also pretty hard to trigger. The conference was pretty good for
> this.
> I tested on top of rc6. I'm probably missing the big picture here, could
> you briefy explain how this commit fixes the problem we ran into?
Hm, and it'd be great if we could expose the file - even just read-only
- to network namespaces owned by non-initial user namespaces. It doesn't
contain sensitive information and could probably be used to limit
connections etc.
Christian
prev parent reply other threads:[~2020-05-20 17:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-20 14:58 [PATCH net-next] ipv6/route: inherit max_sizes from current netns Christian Brauner
2020-05-20 16:54 ` David Ahern
2020-05-20 17:24 ` Christian Brauner
2020-05-20 17:27 ` David Ahern
2020-05-20 17:27 ` Christian Brauner [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200520172744.fytw6aojounuf735@wittgenstein \
--to=christian.brauner@ubuntu.com \
--cc=davem@davemloft.net \
--cc=dsahern@gmail.com \
--cc=kuba@kernel.org \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).