[ovs-dev] [PATCH 5/5] dpif-linux: Prevent a single port from monopolizing upcalls.

Jesse Gross jesse at nicira.com
Tue Sep 20 16:00:42 UTC 2011


2011/9/20 Sébastien Riccio <sr at swisscenter.com>:
> On 20.09.2011 00:00, Jesse Gross wrote:
>>
>> Currently it is possible for a client on a single port to generate
>> a huge number of packets that miss in the kernel flow table and
>> monopolize the userspace/kernel communication path.  This
>> effectively DoS's the machine because no new flow setups can take
>> place.  This adds some additional fairness by separating each upcall
>> type for each object in the datapath onto a separate socket, each
>> with its own queue.  Userspace then reads round-robin from each
>> socket so other flow setups can still succeed.
>>
>> Since the number of objects can potentially be large, we don't always
>> have a unique socket for each.  Instead, we create 16 sockets and
>> spread the load around them in a round robin fashion.  It's theoretically
>> possible to do better than this with some kind of active load balancing
>> scheme but this seems like a good place to start.
>>
>
> Hi,
>
> Just to let you know that I've recompiled a patched (your last 5 patches)
> version of openvswitch on a Xen box I was before able to completely render
> inaccessible (ddos).
>
> It looks that you did very well with this patch. I am not able anymore to
> tear down the box issuing UDP ping floods from virtual machines. Congrats!

Great, thanks for testing!
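The fairness argument in the quoted commit message is easy to see in a small model. The following C program is an added illustration, not code from the Open vSwitch tree: it stands in for the kernel with a bounded FIFO per socket (the kernel drops an upcall when a socket's receive buffer is full) and for userspace with a reader that takes one upcall from each socket in turn. The port-to-socket mapping (`port % N_SOCKETS`), the queue depth, the per-tick budget and the traffic pattern (one flooding port plus a handful of ports that each miss once) are all constructed assumptions of this model, not the project's actual values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_SOCKETS 16   /* number of upcall sockets, as in the patch description */
#define QUEUE_LEN 64   /* constructed per-socket receive-queue depth */
#define MAX_PORTS 64   /* constructed bound on datapath ports in this model */

/* One upcall: the datapath port whose packet missed the kernel flow table. */
struct upcall { uint32_t port_no; };

/* Bounded FIFO standing in for one socket's receive buffer. When it is full
 * the kernel drops the upcall, which is how a flood starves everyone else. */
struct sock_queue {
    struct upcall buf[QUEUE_LEN];
    int head, tail, len;
    unsigned dropped;
};

static void queue_init(struct sock_queue *q) { memset(q, 0, sizeof *q); }

static bool queue_push(struct sock_queue *q, uint32_t port_no)
{
    if (q->len == QUEUE_LEN) { q->dropped++; return false; }
    q->buf[q->tail].port_no = port_no;
    q->tail = (q->tail + 1) % QUEUE_LEN;
    q->len++;
    return true;
}

static bool queue_pop(struct sock_queue *q, struct upcall *out)
{
    if (q->len == 0) return false;
    *out = q->buf[q->head];
    q->head = (q->head + 1) % QUEUE_LEN;
    q->len--;
    return true;
}

/* Port-to-socket spreading. The patch assigns objects to sockets round robin
 * as they are created; treating port numbers as creation order gives
 * port % n_socks. This is an assumption of the model, not the exact mapping
 * in dpif-linux. With n_socks == 1 everything lands on one socket, i.e. the
 * pre-patch layout. */
static int socket_for_port(uint32_t port_no, int n_socks)
{
    return (int)(port_no % (uint32_t)n_socks);
}

/* Kernel side: port 0 floods `flood` misses, then ports 1..n_victims each
 * produce one miss (a single new-flow attempt apiece). */
static void generate_upcalls(struct sock_queue *socks, int n_socks,
                             int flood, int n_victims)
{
    for (int i = 0; i < flood; i++)
        queue_push(&socks[socket_for_port(0, n_socks)], 0);
    for (uint32_t p = 1; p <= (uint32_t)n_victims; p++)
        queue_push(&socks[socket_for_port(p, n_socks)], p);
}

/* Userspace side: read round robin across the sockets, at most `budget`
 * upcalls before the next tick. Returns how many distinct victim ports got
 * their one miss through to userspace (i.e. could have a flow set up). */
static int drain_round_robin(struct sock_queue *socks, int n_socks,
                             int n_victims, int budget)
{
    bool served[MAX_PORTS] = { false };
    int processed = 0, idle = 0;
    for (int s = 0; processed < budget && idle < n_socks; s = (s + 1) % n_socks) {
        struct upcall u;
        if (queue_pop(&socks[s], &u)) {
            idle = 0;
            processed++;
            if (u.port_no < MAX_PORTS) served[u.port_no] = true;
        } else {
            idle++;   /* n_socks consecutive empty reads: nothing left */
        }
    }
    int n = 0;
    for (int p = 1; p <= n_victims; p++) n += served[p];
    return n;
}

/* Run the whole scenario with `n_socks` sockets (1 = the single pre-patch
 * channel, N_SOCKETS = the patched layout). */
static int victims_served(int n_socks, int flood, int n_victims, int budget)
{
    struct sock_queue socks[N_SOCKETS];
    for (int s = 0; s < n_socks; s++) queue_init(&socks[s]);
    generate_upcalls(socks, n_socks, flood, n_victims);
    return drain_round_robin(socks, n_socks, n_victims, budget);
}

int main(void)
{
    printf("1 socket:   %d of 15 victims served\n", victims_served(1, 1000, 15, 100));
    printf("16 sockets: %d of 15 victims served\n", victims_served(N_SOCKETS, 1000, 15, 100));
    printf("16 sockets, 20 victims (port 16 shares the flooder's socket): %d of 20\n",
           victims_served(N_SOCKETS, 1000, 20, 100));
    return 0;
}
```

With a single socket the flooder fills the whole receive buffer before the other ports' misses arrive, so every one of them is dropped and no new flow is set up. With 16 sockets the flooder can only fill its own queue, and the round-robin reader reaches each of the other sockets within one pass. The third case shows the limit the commit message itself points at: a port that hashes onto the same socket as the flooder still loses its upcall, which is why the author calls the fixed 16-way spread a starting point rather than a full solution.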
