2011/9/20 Sébastien Riccio <s...@swisscenter.com>:
> On 20.09.2011 00:00, Jesse Gross wrote:
>>
>> Currently it is possible for a client on a single port to generate
>> a huge number of packets that miss in the kernel flow table and
>> monopolize the userspace/kernel communication path. This
>> effectively DoS's the machine because no new flow setups can take
>> place. This adds some additional fairness by separating each upcall
>> type for each object in the datapath onto a separate socket, each
>> with its own queue. Userspace then reads round-robin from each
>> socket so other flow setups can still succeed.
>>
>> Since the number of objects can potentially be large, we don't always
>> have a unique socket for each. Instead, we create 16 sockets and
>> spread the load around them in a round robin fashion. It's theoretically
>> possible to do better than this with some kind of active load balancing
>> scheme but this seems like a good place to start.
>>
>
> Hi,
>
> Just to let you know that I've recompiled a patched (your last 5 patches)
> version of openvswitch on a Xen box I was before able to completely render
> inaccessible (DDoS).
>
> It looks that you did very well with this patch. I am not able anymore to
> tear down the box issuing UDP ping floods from virtual machines. Congrats!
Great, thanks for testing!
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
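The fairness scheme in the quoted commit message (one bounded queue per upcall socket, objects spread over 16 sockets round-robin, userspace draining the sockets round-robin) as an added C simulation. This is example code written for this page, not Open vSwitch's datapath or ovs-vswitchd code; the per-socket queue depth of 64, the 40 vports, the 10000-packet flood and the userspace budget of 100 upcalls per pass are constructed for the example, not values from the patch. Running it with one socket (the pre-patch situation) and with 16 sockets shows why the flood no longer starves the other ports, and also shows the limitation the commit message admits: the two ports that happen to share the flooder's socket still lose their upcall.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SOCKETS 16   /* the patch creates 16 upcall sockets */
#define QUEUE_DEPTH 64   /* assumed per-socket queue depth, not taken from the patch */
#define NUM_PORTS   40   /* constructed: more vports than sockets, so some must share */
#define FLOOD_PKTS  10000 /* constructed size of the flood from port 0 */

struct sock_queue {
    int ring[QUEUE_DEPTH];   /* port id of each queued flow-miss upcall */
    int head, count;
};

struct datapath {
    int nsocks;                    /* 1 = single shared queue, 16 = patched layout */
    int port_to_sock[NUM_PORTS];   /* socket assigned to each vport's upcalls */
    struct sock_queue socks[MAX_SOCKETS];
};

struct result {
    int flood_dropped;         /* flooder's packets dropped at enqueue (queue full) */
    int victims_dropped;       /* other ports' single miss dropped at enqueue */
    int handled[NUM_PORTS];    /* upcalls userspace actually processed, per port */
};

/* Assign every vport to a socket in round-robin fashion, as the patch does. */
static void dp_init(struct datapath *dp, int nsocks)
{
    memset(dp, 0, sizeof *dp);
    dp->nsocks = nsocks < 1 ? 1 : nsocks > MAX_SOCKETS ? MAX_SOCKETS : nsocks;
    for (int p = 0; p < NUM_PORTS; p++)
        dp->port_to_sock[p] = p % dp->nsocks;
}

/* Kernel side: queue a flow-miss upcall for `port`; -1 means the socket's queue was full. */
static int enqueue_upcall(struct datapath *dp, int port)
{
    struct sock_queue *q = &dp->socks[dp->port_to_sock[port]];
    if (q->count == QUEUE_DEPTH)
        return -1;
    q->ring[(q->head + q->count) % QUEUE_DEPTH] = port;
    q->count++;
    return 0;
}

static int dequeue_upcall(struct sock_queue *q, int *port)
{
    if (q->count == 0)
        return 0;
    *port = q->ring[q->head];
    q->head = (q->head + 1) % QUEUE_DEPTH;
    q->count--;
    return 1;
}

/* Userspace side: visit the sockets round-robin, taking one upcall per socket
 * per pass, until `budget` upcalls are handled or every queue is empty. */
static int drain_round_robin(struct datapath *dp, int budget, int handled[NUM_PORTS])
{
    int processed = 0, progress = 1;
    while (processed < budget && progress) {
        progress = 0;
        for (int s = 0; s < dp->nsocks && processed < budget; s++) {
            int port;
            if (dequeue_upcall(&dp->socks[s], &port)) {
                handled[port]++;
                processed++;
                progress = 1;
            }
        }
    }
    return processed;
}

/* Constructed scenario: port 0 floods FLOOD_PKTS misses, then each other port
 * produces one legitimate miss; userspace then handles up to `budget` upcalls. */
static struct result run_scenario(int nsocks, int budget)
{
    struct datapath dp;
    struct result r;
    memset(&r, 0, sizeof r);
    dp_init(&dp, nsocks);
    for (int i = 0; i < FLOOD_PKTS; i++)
        if (enqueue_upcall(&dp, 0) < 0)
            r.flood_dropped++;
    for (int p = 1; p < NUM_PORTS; p++)
        if (enqueue_upcall(&dp, p) < 0)
            r.victims_dropped++;
    drain_round_robin(&dp, budget, r.handled);
    return r;
}

/* Number of non-flooding ports whose flow setup actually reached userspace. */
static int victims_served(const struct result *r)
{
    int served = 0;
    for (int p = 1; p < NUM_PORTS; p++)
        served += r->handled[p] > 0;
    return served;
}

int main(void)
{
    const int layouts[] = { 1, MAX_SOCKETS };
    for (int i = 0; i < 2; i++) {
        struct result r = run_scenario(layouts[i], 100);
        printf("%2d socket(s): flooder handled %d, victims dropped %d, victims served %d of %d\n",
               layouts[i], r.handled[0], r.victims_dropped, victims_served(&r), NUM_PORTS - 1);
    }
    return 0;
}
```

With one socket the flooder fills the only queue first, every other port's miss is dropped and userspace spends its whole budget on the flooder. With 16 sockets the flooder still saturates its own queue, but the round-robin reader handles one upcall from each of the other 15 sockets per pass, so 37 of the 39 other ports get their flow set up before the flooder consumes the rest of the budget; only ports 16 and 32, which share socket 0 with the flooder, are still dropped, which is the "we don't always have a unique socket for each" caveat in the commit message.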