On 20.09.2011 00:00, Jesse Gross wrote:
Currently it is possible for a client on a single port to generate
a huge number of packets that miss in the kernel flow table and
monopolize the userspace/kernel communication path.  This
effectively DoS's the machine because no new flow setups can take
place.  This adds some additional fairness by separating each upcall
type for each object in the datapath onto a separate socket, each
with its own queue.  Userspace then reads round-robin from each
socket so other flow setups can still succeed.

Since the number of objects can potentially be large, we don't always
have a unique socket for each.  Instead, we create 16 sockets and
spread the load around them in a round robin fashion.  It's theoretically
possible to do better than this with some kind of active load balancing
scheme but this seems like a good place to start.


Hi,

Just to let you know that I've recompiled a patched (your last 5 patches) version of openvswitch on a Xen box that I was previously able to render completely inaccessible (DDoS).

It looks like you did very well with this patch. I am no longer able to tear down the
box by issuing UDP ping floods from virtual machines. Congrats!

Cheers,
Sébastien
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
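The fairness argument in the quoted commit message (one flooding port fills the single upcall queue and starves every other port's flow setups; separate per-socket queues drained round-robin contain the damage to the flooder's own socket) is easy to see in a small queueing model. The script below is an added illustration written for this page, not Open vSwitch code: it compares a single shared queue against 16 per-socket queues on the same constructed traffic mix. Assumptions are labelled in the code: the port-to-socket mapping is a plain modulo stand-in for the "round robin" spreading the message describes, queue capacities are arbitrary, and the model enqueues one burst and then lets "userspace" drain a fixed budget of upcalls instead of interleaving arrivals and service.

```python
"""
Model of the upcall-fairness scheme described in the quoted commit message.
Added example for this page; not Open vSwitch code. All names, capacities
and the traffic mix are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

NUM_SOCKETS = 16  # "we create 16 sockets" (from the commit message)


@dataclass(frozen=True)
class Upcall:
    """A packet that missed the kernel flow table and needs a flow setup."""
    port: int  # datapath port the packet arrived on


def generate_traffic(normal_ports, flood_port, floods_per_miss):
    """Constructed burst: each well-behaved port produces one miss, and the
    flooding port squeezes `floods_per_miss` misses in after every one of them."""
    arrivals = []
    for p in normal_ports:
        arrivals.append(Upcall(p))
        arrivals.extend(Upcall(flood_port) for _ in range(floods_per_miss))
    return arrivals


def single_queue(arrivals, capacity, budget):
    """Pre-patch shape: one shared queue, tail-drop when full, then userspace
    handles at most `budget` upcalls in arrival order."""
    q = deque()
    for u in arrivals:
        if len(q) < capacity:
            q.append(u)
    return [q.popleft() for _ in range(min(budget, len(q)))]


def port_to_socket(port, num_sockets=NUM_SOCKETS):
    """Hypothetical stand-in for spreading ports across sockets; the commit
    message says round robin, a modulo gives the same many-to-one effect."""
    return port % num_sockets


def per_socket_queues(arrivals, per_socket_capacity, budget,
                      num_sockets=NUM_SOCKETS):
    """Post-patch shape: one queue per socket, each with its own limit, drained
    round-robin so a full queue cannot block the others."""
    qs = [deque() for _ in range(num_sockets)]
    for u in arrivals:
        q = qs[port_to_socket(u.port, num_sockets)]
        if len(q) < per_socket_capacity:
            q.append(u)
    handled, i = [], 0
    while len(handled) < budget and any(qs):
        q = qs[i % num_sockets]
        if q:
            handled.append(q.popleft())
        i += 1
    return handled


def served_ports(handled):
    return {u.port for u in handled}


def run_comparison(num_normal=31, flood_port=33, floods_per_miss=16,
                   capacity=256, budget=64, num_sockets=NUM_SOCKETS):
    """Same burst, same total buffer space (capacity split across sockets),
    same userspace budget; report how many well-behaved ports got a flow setup."""
    normal_ports = list(range(1, num_normal + 1))
    arrivals = generate_traffic(normal_ports, flood_port, floods_per_miss)
    single = single_queue(arrivals, capacity, budget)
    fair = per_socket_queues(arrivals, capacity // num_sockets, budget, num_sockets)
    fair_ports = served_ports(fair)
    return {
        "single_queue_ports_served": len(served_ports(single) - {flood_port}),
        "single_queue_flood_upcalls": sum(u.port == flood_port for u in single),
        "per_socket_ports_served": len(fair_ports - {flood_port}),
        "per_socket_flood_upcalls": sum(u.port == flood_port for u in fair),
        # Ports that hash onto the flooder's socket still lose: this is the
        # "we don't always have a unique socket for each" caveat.
        "starved_by_sharing_socket": sorted(p for p in normal_ports
                                            if p not in fair_ports),
    }


if __name__ == "__main__":
    for k, v in run_comparison().items():
        print(f"{k}: {v}")
```

With the constructed mix (31 well-behaved ports, one flooder emitting 16 misses per legitimate miss, 256 slots of buffering, a budget of 64 upcalls) the shared queue serves 4 of the 31 ports and spends 60 of its 64 upcalls on the flooder, while the per-socket queues serve 30 ports and cap the flooder at its own socket's 16 slots. The one starved port is the one that shares the flooder's socket, which is exactly the residual unfairness the commit message acknowledges when it says a per-object socket would be better than 16 shared ones.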
