Comment 3 for bug 1732294

Sarah Newman (srn-f) wrote : Re: [Bug 1732294] Re: Probable DOS in linuxbridge

On 11/14/2017 05:01 PM, Tristan Cacqueray wrote:
> It sounds like a kernel bug... Neutron-coresec, could you check if the
> proposed mitigation could be implemented?
>
> Sarah, maybe it would help to know what is the kernel version you are
> running?
>

It was 4.9.39 under Xen, but I'm able to reproduce with 3.18.25.

Regardless of whether filtering is enabled, unless I missed something in newer kernels, there appears to be no way to limit either the size of the mac address cache or rate limit how often the bulk of br_fdb_update runs. You're right that probably something needs to change in the kernel and I'm not sure of the best place to direct that conversation. Do you think that would be <email address hidden> or one of the network related mailing lists?

For the kernel, I think the fastest solution to implement would be a hard limit controlled by sysctl (maybe defaulting to 1024, the same as ipv4/ipv6 gc_thresh3) and for the mac address count to be incremented in br_fdb_update and decremented in fdb_delete.

--Sarah
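The mitigation sketched in the comment above (a per-bridge entry count bumped in br_fdb_update, dropped in fdb_delete, and capped by a sysctl-style limit) can be modelled in user space to see how it bounds the learning table. The following is an added illustration, not code from the bridge driver or from this bug's participants: the hash table, the `fdb_max_entries` global standing in for a sysctl (the 1024 default mirrors the suggestion in the comment), and the `sim_mac`/`*_index` helpers that generate constructed locally-administered source MACs are all assumptions made for the example. Once the limit is reached, unknown source addresses are simply not learned, so the table stays bounded while existing entries keep being refreshed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FDB_HASH_SIZE 256
#define ETH_ALEN 6

/* One learned MAC -> port mapping (toy equivalent of a bridge fdb entry). */
struct fdb_entry {
    struct fdb_entry *next;
    uint8_t mac[ETH_ALEN];
    int port;
};

static struct fdb_entry *fdb_hash[FDB_HASH_SIZE];
static unsigned long fdb_count = 0;          /* entries currently in the table */
static unsigned long fdb_max_entries = 1024; /* stands in for a sysctl hard limit (assumed) */

static unsigned int mac_hash(const uint8_t *mac) {
    unsigned int h = 0;
    for (int i = 0; i < ETH_ALEN; i++) h = h * 31 + mac[i];
    return h % FDB_HASH_SIZE;
}

static struct fdb_entry *fdb_find(const uint8_t *mac) {
    for (struct fdb_entry *e = fdb_hash[mac_hash(mac)]; e; e = e->next)
        if (memcmp(e->mac, mac, ETH_ALEN) == 0) return e;
    return NULL;
}

/* Learn or refresh a source MAC. Returns 1 = refreshed existing entry,
 * 2 = new entry learned, 0 = table full so the address was NOT learned
 * (the bridge would keep flooding frames for it), -1 = allocation failure. */
int fdb_update(const uint8_t *mac, int port) {
    struct fdb_entry *e = fdb_find(mac);
    if (e) { e->port = port; return 1; }
    if (fdb_count >= fdb_max_entries) return 0;   /* the proposed hard limit */
    e = calloc(1, sizeof *e);
    if (!e) return -1;
    memcpy(e->mac, mac, ETH_ALEN);
    e->port = port;
    unsigned int h = mac_hash(mac);
    e->next = fdb_hash[h];
    fdb_hash[h] = e;
    fdb_count++;                                  /* incremented on learn */
    return 2;
}

/* Remove an entry (aging/flush path). Returns 1 if removed, 0 if absent. */
int fdb_delete(const uint8_t *mac) {
    for (struct fdb_entry **pp = &fdb_hash[mac_hash(mac)]; *pp; pp = &(*pp)->next) {
        if (memcmp((*pp)->mac, mac, ETH_ALEN) == 0) {
            struct fdb_entry *victim = *pp;
            *pp = victim->next;
            free(victim);
            fdb_count--;                          /* decremented on delete */
            return 1;
        }
    }
    return 0;
}

unsigned long fdb_get_count(void) { return fdb_count; }
void fdb_set_max(unsigned long n) { fdb_max_entries = n; }

/* Constructed locally-administered MAC 02:00:xx:xx:xx:xx derived from an index. */
static void sim_mac(unsigned long i, uint8_t *mac) {
    mac[0] = 0x02; mac[1] = 0x00;
    mac[2] = (uint8_t)(i >> 24); mac[3] = (uint8_t)(i >> 16);
    mac[4] = (uint8_t)(i >> 8);  mac[5] = (uint8_t)i;
}

int fdb_update_index(unsigned long i, int port) { uint8_t m[ETH_ALEN]; sim_mac(i, m); return fdb_update(m, port); }
int fdb_delete_index(unsigned long i)           { uint8_t m[ETH_ALEN]; sim_mac(i, m); return fdb_delete(m); }

/* Feed n_macs frames with distinct constructed source MACs from one port;
 * returns how many were actually learned under the current limit. */
unsigned long fdb_simulate_burst(unsigned long n_macs, int port) {
    unsigned long learned = 0;
    for (unsigned long i = 0; i < n_macs; i++)
        if (fdb_update_index(i, port) == 2) learned++;
    return learned;
}

int main(void) {
    fdb_set_max(1024);
    printf("learned %lu of 100000 addresses, table holds %lu\n",
           fdb_simulate_burst(100000, 1), fdb_get_count());
    return 0;
}
```

The point of the model is the pairing: every path that adds an entry increments the counter and every path that frees one decrements it, so the check in `fdb_update` is the only place a policy decision is needed, and the counter can be exposed read-only for monitoring a bridge that is sitting at its cap.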