❦ 2 December 2019 21:58 +01, Alarig Le Lay <ala...@swordarmor.fr>:

>> For IPv6, this is the size of the routing cache. If you have more than
>> 4096 active hosts, Linux will aggressively try to run garbage
>> collection, eating CPU. In this case, increase both
>> net.ipv6.route.max_size and net.ipv6.route.gc_thresh.
>
> Do you know what are the risks when we raise those parameters? A bit
> more RAM consumption?

You are mostly safe with RAM. Increasing the value to 512k would eat
256MB of RAM. However, if an attacker is still able to overflow the
cache, it is costly in terms of CPU. This is a bit similar to the route
cache for IPv4, so you need to play with threshold, interval and timeout
to try to keep CPU usage down, but ultimately, a fast enough attacker
can do a lot of damage here. I don't have real-life experience with this
aspect.

Also, from 4.2, the cache entries are only created for exceptions (PMTU
notably). So, in fact, the initial value should be mostly safe.

You can monitor it with `/proc/net/rt6_stats`. This is the
second-to-last value. If you can share what you have, I would be curious
to know how low it is (compared to the 4th entry notably).

-- 
Writing is turning one's worst moments into money.
		-- J.P. Donleavy
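
The monitoring check described in the message above, as an added example that is not part of the original e-mail: it reads the second-to-last and 4th fields of `/proc/net/rt6_stats` (hexadecimal) and reports the cache size as a share of `net.ipv6.route.max_size`. The function names, the `WARN_PCT` variable with its 80% default and the sample line are assumptions made for this example.

```shell
#!/bin/sh
# Added example. /proc/net/rt6_stats is one line of hexadecimal counters.
# SAMPLE is constructed for illustration, not taken from a real host.
SAMPLE='0a1f 03e8 0000 0400 0002 0c00 0000'

# rt6_field LINE N: print field N (1-based, or "penultimate") as decimal.
rt6_field() {
    line=$1 want=$2
    set -f; set -- $line; set +f           # split on whitespace, no globbing
    [ "$#" -ge 4 ] || return 1             # the 4th entry must exist
    [ "$want" = penultimate ] && want=$(( $# - 1 ))
    [ "$want" -ge 1 ] && [ "$want" -le "$#" ] || return 1
    eval "hex=\${$want}"
    case $hex in ''|*[!0-9a-fA-F]*) return 1 ;; esac   # reject non-hex input
    echo $(( 0x$hex ))
}

# rt6_cache_report LINE MAX_SIZE: one summary line; returns 2 on bad input.
# WARN_PCT (default 80) is an arbitrary alert threshold chosen for this example.
rt6_cache_report() {
    cache=$(rt6_field "$1" penultimate) || return 2
    fourth=$(rt6_field "$1" 4) || return 2
    max=$2
    [ "$max" -gt 0 ] || return 2
    pct=$(( cache * 100 / max ))
    state=OK
    [ "$pct" -ge "${WARN_PCT:-80}" ] && state=WARN
    echo "cache=$cache fourth=$fourth max_size=$max used=${pct}% $state"
}

# Live check on a Linux host: pass "live" as the first argument.
rt6_cache_live() {
    rt6_cache_report "$(cat /proc/net/rt6_stats)" \
                     "$(cat /proc/sys/net/ipv6/route/max_size)"
}

if [ "${1:-}" = live ]; then
    rt6_cache_live
else
    rt6_cache_report "$SAMPLE" 4096        # 4096 is the limit quoted above
fi
```

Run periodically, a `WARN` state, or a second-to-last value that keeps climbing relative to the 4th entry, is the signal to look at the garbage-collection settings before CPU usage becomes the symptom.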