diff options
author | Willem de Bruijn <willemb@google.com> | 2015-05-12 11:56:49 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2015-05-13 15:43:00 -0400 |
commit | 3b3a5b0aab5b9ad345d4beb9a364a7dd02c23d40 (patch) | |
tree | 07714d34021e3505276c82d8c84c39324c4ddc97 /net/packet/af_packet.c | |
parent | 2ccdbaa6d55b0656244ba57c4b56765a0af76c0a (diff) |
packet: rollover huge flows before small flows
Migrate flows from a socket to another socket in the fanout group not
only when the socket is full. Start migrating huge flows early, to
divert possible 4-tuple attacks without affecting normal traffic.
Introduce fanout_flow_is_huge(). This detects huge flows, which are
defined as taking up more than half the load. It does so cheaply, by
storing the rxhashes of the N most recent packets. If over half of
these are the same rxhash as the current packet, then drop it. This
only protects against 4-tuple attacks. N is chosen to fit all data in
a single cache line.
Tested:
Ran bench_rollover for 10 sec with 1.5 Mpps of single flow input.
lpbb5:/export/hda3/willemb# ./bench_rollover -l 1000 -r -s
cpu rx rx.k drop.k rollover r.huge r.failed
0 14 14 0 0 0 0
1 20 20 0 0 0 0
2 16 16 0 0 0 0
3 6168824 6168824 0 4867721 4867721 0
4 4867741 4867741 0 0 0 0
5 12 12 0 0 0 0
6 15 15 0 0 0 0
7 17 17 0 0 0 0
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/packet/af_packet.c')
-rw-r--r-- | net/packet/af_packet.c | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index 3a383fd72f82..8f0156b10f8d 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -1341,6 +1341,20 @@ static int fanout_rr_next(struct packet_fanout *f, unsigned int num) return x; } +static bool fanout_flow_is_huge(struct packet_sock *po, struct sk_buff *skb) +{ + u32 rxhash; + int i, count = 0; + + rxhash = skb_get_hash(skb); + for (i = 0; i < ROLLOVER_HLEN; i++) + if (po->rollover->history[i] == rxhash) + count++; + + po->rollover->history[prandom_u32() % ROLLOVER_HLEN] = rxhash; + return count > (ROLLOVER_HLEN >> 1); +} + static unsigned int fanout_demux_hash(struct packet_fanout *f, struct sk_buff *skb, unsigned int num) @@ -1381,11 +1395,16 @@ static unsigned int fanout_demux_rollover(struct packet_fanout *f, unsigned int num) { struct packet_sock *po, *po_next; - unsigned int i, j; + unsigned int i, j, room; po = pkt_sk(f->arr[idx]); - if (try_self && packet_rcv_has_room(po, skb) != ROOM_NONE) - return idx; + + if (try_self) { + room = packet_rcv_has_room(po, skb); + if (room == ROOM_NORMAL || + (room == ROOM_LOW && !fanout_flow_is_huge(po, skb))) + return idx; + } i = j = min_t(int, po->rollover->sock, num - 1); do { |