Re: [net-next] ipv6: fix routing cache overflow for raw sockets

From: Julian Anastasov
Date: Tue Dec 20 2022 - 10:41:39 EST



Hello,

On Tue, 20 Dec 2022, Paolo Abeni wrote:

> Are other FLOWI_FLAG_KNOWN_NH users affected, too? e.g. nf_dup_ipv6,
> ipvs, seg6?

I forgot to mention one thing: IPVS can cache such routes in
its own storage, one per backend server; it still calls dst->ops->check
for them. So, such a route can live for a long time, that is why they were
created as uncached. So, IPVS requests one route, remembers it and then
can attach it to multiple packets for this backend server with
skb_dst_set_noref. So, IPVS has to use 4096 backend servers to
hit this limit.

It does not look correct in this patch to invalidate the
FLOWI_FLAG_KNOWN_NH flag with a FLOWI_FLAG_SKIP_RAW flag. The
same thing would be to not set FLOWI_FLAG_KNOWN_NH, which is
wrong for the hdrincl case.

Regards

--
Julian Anastasov <ja@xxxxxx>