bridge: Add a limit on FDB entries
From: Johannes Nixdorf, 8:50 UTC
Cc: bridge, David S.
Paolo Abeni, Roopa Prabhu, Nikolay Aleksandrov, Johannes Nixdorf
8:50 ` bridge: Add a sysctl to limit new brides " Johannes Nixdorf

A malicious actor behind one bridge port may spam the kernel with packets
with a random source MAC address, each of which will create an FDB entry,
each of which is a dynamic allocation in the kernel.

There are roughly 2^48 different MAC addresses, further limited by the

net_bridge_fdb_entry, which is currently 128 bytes big.
Maximum amount of memory allocated for FDB entries is 2^31 * 128B =
256GiB, which is too much for most computers.

Mitigate this by adding a bridge netlink setting IFLA_BR_FDB_MAX_ENTRIES,
which, if nonzero, limits the amount of entries to a user specified

For backwards compatibility the default setting of 0 disables the limit.

All changes to fdb_n_entries are under br->hash_lock, which means we do

The call paths are (✓ denotes that
br->hash_lock is taken around the next call):

5 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
@@ -528,6 +528,8 @@ void br_dev_setup(struct net_device *dev)
 br->bridge_hello_time = br->hello_time = 2 * HZ
 br->bridge_forward_delay = br->forward_delay = 15 * HZ
 br->bridge_ageing_time = br->ageing_time = BR_DEFAULT_AGEING_TIME
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c
@@ -329,6 +329,8 @@ static void fdb_delete(struct net_bridge *br, struct net_bridge_fdb_entry *f,
 rhashtable_remove_fast(&br->fdb_hash_tbl, &f->rhnode,
 fdb_notify(br, f, RTM_DELNEIGH, swdev_notify)
 call_rcu(&f->rcu,
@@ -391,6 +393,9 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
+ if (unlikely(br->fdb_max_entries & br->fdb_n_entries >= br->fdb_max_entries))
 fdb = kmem_cache_alloc(br_fdb_cache, GFP_ATOMIC)
@@ -408,6 +413,7 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br,
 hlist_add_head_rcu(&fdb->fdb_node, &br->fdb_list)
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
@@ -1527,6 +1527,12 @@ static int br_changelink(struct net_device *brdev, struct nlattr *tb,
@@ -1656,7 +1662,8 @@ static int br_fill_info(struct sk_buff *skb, const struct net_device *brdev)
 nla_put(skb, IFLA_BR_GROUP_ADDR, ETH_ALEN, br->group_addr) ||
 nla_put_u8(skb, IFLA_BR_TOPOLOGY_CHANGE_DETECTED,