On 11/15/2017 11:27 AM, Sarah Newman wrote:
> Current memory and CPU usage for managing bridge fdb entries is unbounded.
> Add a parameter max_fdb_count, controlled from sysfs, which places an upper
> limit on the number of entries. Defaults to 1024.
>
> When max_fdb_count is met or exceeded, whether traffic is sent out a
> given port should depend on its flooding behavior.
>
> This may instead be mitigated by filtering mac address entries in the
> PREROUTING chain of the ebtables nat table, but this is only practical
> when mac addresses are known in advance.
>
> Signed-off-by: Sarah Newman <s...@prgmr.com>
I would love to improve this patch, but have limited time to devote to this... What I would try first would be to maintain a data structure roughly ordered based on both number of times an address was observed as well as age and evict the least used, oldest entry when max_fdb_count was reached.

--Sarah
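As an added illustration of the eviction idea sketched in the reply above (this is not code from the patch or from the kernel bridge): a small Python model of a forwarding table capped at max_fdb_count that evicts the least-observed, then oldest, entry when full, driven by a constructed burst of random source addresses so the bounded and effectively unbounded behaviour can be compared. The class and function names, the linear victim scan in place of a properly ordered structure, and the sample addresses are all my own assumptions.

```python
from dataclasses import dataclass


@dataclass
class FdbEntry:
    port: int
    hits: int       # how many times this source address has been observed
    last_seen: int  # logical clock value at the last observation


class BoundedFdb:
    """Bridge forwarding table that never holds more than max_fdb_count entries."""

    def __init__(self, max_fdb_count=1024):
        self.max_fdb_count = max_fdb_count
        self.entries = {}   # mac -> FdbEntry
        self.clock = 0
        self.evictions = 0

    def _victim(self):
        # Least-used first; among equally used entries, the oldest one.
        # A linear scan keeps the model short; a real table would keep an order.
        return min(self.entries, key=lambda m: (self.entries[m].hits, self.entries[m].last_seen))

    def learn(self, mac, port):
        """Record a source address seen on a port, evicting if the table is full."""
        self.clock += 1
        e = self.entries.get(mac)
        if e is not None:
            e.port, e.hits, e.last_seen = port, e.hits + 1, self.clock
            return
        if len(self.entries) >= self.max_fdb_count:
            del self.entries[self._victim()]
            self.evictions += 1
        self.entries[mac] = FdbEntry(port, 1, self.clock)

    def forward(self, dst_mac):
        """Egress port for a destination, or None meaning the frame is flooded."""
        e = self.entries.get(dst_mac)
        return e.port if e else None


def simulate(max_fdb_count=4, hosts=3, spoofed=20):
    """Constructed scenario: a few steady hosts, then a burst of one-off source MACs."""
    fdb = BoundedFdb(max_fdb_count)
    legit = [f"02:00:00:00:00:{i:02x}" for i in range(hosts)]
    for _ in range(3):                      # steady hosts are seen repeatedly
        for i, mac in enumerate(legit):
            fdb.learn(mac, port=i)
    for n in range(spoofed):                # each burst address is seen only once
        fdb.learn(f"de:ad:be:ef:{n >> 8:02x}:{n & 0xff:02x}", port=hosts)
    return {"size": len(fdb.entries), "evictions": fdb.evictions,
            "legit_retained": sum(fdb.forward(m) is not None for m in legit)}
```

With the cap of 4 the burst only ever displaces the previous one-off entry, so the repeatedly seen hosts keep their entries; with a cap larger than the burst the table simply grows to hold every address.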