On Sun, Jun 08, 2003 at 11:56:22PM -0700, David S. Miller wrote:
> We have to walk the entire destination hash chain _ANYWAYS_ to verify
> that a matching entry has not been put into the cache while we were
> procuring the new one. During this walk we can also choose a
> candidate rtcache entry to free.
Ah, neat. I should try reading this stuff. :)
> Something like the patch at the end of this email, doesn't compile
> it's just a work in progress. The trick is picking TIMEOUT1 and
> TIMEOUT2 :)
>
> Another point is that the default ip_rt_gc_min_interval is
> absolutely horrible for DoS like attacks. When DoS traffic
> can fill the rtcache multiple times per second, using a GC
> interval of 5 seconds is the worst possible choice. :)
Yes, I've reduced the gc_min_interval to 1, and it has been that way for
some time. BTW, you may be interested in this old email from Alexey:
http://www.tux.org/hypermail/linux-kernel/1999week05/1113.html
(This was back when the GC was limited so much that legitimate traffic
was overflowing the table. DoS attacks must have been really effective
then. :))
Simon-
[ Simon Kirby ][ Network Operations ]
[ sim@xxxxxxxxxxxxx ][ NetNation Communications Inc. ]
[ Opinions expressed are not necessarily those of my employer. ]
|