Displaying 4 results from an estimated 4 matches for "fdb_n_entries".
2023 May 15
5
[Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries
...31 * 128B =
256GiB, which is too much for most computers.
Mitigate this by adding a bridge netlink setting IFLA_BR_FDB_MAX_ENTRIES,
which, if nonzero, limits the number of entries to a user-specified
maximum.
For backwards compatibility the default setting of 0 disables the limit.
All changes to fdb_n_entries are under br->hash_lock, which means we do
not need additional locking. The call paths are (? denotes that
br->hash_lock is taken around the next call):
- fdb_delete <-+- fdb_delete_local <-+- br_fdb_changeaddr ?
| +- br_fdb_change_mac_address ?...
2023 May 15
3
[Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries
...r most computers.
>
> Mitigate this by adding a bridge netlink setting IFLA_BR_FDB_MAX_ENTRIES,
> which, if nonzero, limits the number of entries to a user-specified
> maximum.
>
> For backwards compatibility the default setting of 0 disables the limit.
>
> All changes to fdb_n_entries are under br->hash_lock, which means we do
> not need additional locking. The call paths are (? denotes that
> br->hash_lock is taken around the next call):
>
> - fdb_delete <-+- fdb_delete_local <-+- br_fdb_changeaddr ?
> | +- br_fdb...
2023 Jun 19
2
[Bridge] [PATCH net-next v2 2/3] bridge: Add a limit on learned FDB entries
...hich, if nonzero, limits the number
of learned entries to a user-specified maximum.
For backwards compatibility the default setting of 0 disables the limit.
User-added entries by netlink or from bridge or bridge port addresses
are never blocked and do not count towards that limit.
All changes to fdb_n_entries are under br->hash_lock, which means we do
not need additional locking. The call paths are (? denotes that
br->hash_lock is taken around the next call):
- fdb_delete <-+- fdb_delete_local <-+- br_fdb_changeaddr ?
| +- br_fdb_change_mac_address ?...
2023 Jun 19
4
[Bridge] [PATCH net-next v2 0/3, iproute2-next 0/1] bridge: Add a limit on learned FDB entries
Introduce a limit on the number of learned FDB entries on a bridge,
configured by netlink with a build-time default on bridge creation in
the kernel config.
For backwards compatibility the kernel config default disables the
limit (0).
Without any limit a malicious actor may OOM a kernel by spamming packets
with changing MAC addresses on their bridge port, so allow the bridge
creator to limit