Closed alan-maguire closed 10 months ago
For IPv[46] fragmentation reassembly, memory is capped at
net.ipv[46].ip[6]frag_high_thresh
Fragmentation reassembly can fail if this value is set too low; monitor for fragmentation reassembly and bump value if needed.
Avoid bumping it if assembly failures constitute too high a proportion of reassembly events; this may signify a DoS.
Tests verify this works in non-global/global network namespaces.
To do: cap high_thresh?
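
The monitoring rule described above, sketched for IPv4 as an added example (not code from this pull request or the project): it compares two snapshots of the `Ip:` counters in `/proc/net/snmp` and decides whether raising `net.ipv4.ipfrag_high_thresh` is reasonable. The cut-offs `MAX_FAIL_RATIO` and `MIN_FAILS`, the advice strings, and reading "proportion of reassembly events" as `ReasmFails / (ReasmOKs + ReasmFails)` are assumptions; the sample counters are constructed.

```python
"""Advise on net.ipv4.ipfrag_high_thresh from /proc/net/snmp counter deltas."""

# Assumed policy values (not from the pull request); tune per host.
MAX_FAIL_RATIO = 0.5  # above this share, failures look like abuse, not memory pressure
MIN_FAILS = 10        # fewer failures than this per interval is treated as noise

HEADER = ("Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors "
          "ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests "
          "OutDiscards OutNoRoutes ReasmTimeout ReasmReqds ReasmOKs ReasmFails "
          "FragOKs FragFails FragCreates")

def sample(reqds, oks, fails):
    """Constructed /proc/net/snmp excerpt (not captured from a real host)."""
    return f"{HEADER}\nIp: 1 64 9000 0 0 0 0 0 8000 7000 0 0 0 {reqds} {oks} {fails} 0 0 0\n"

def parse_ip_counters(snmp_text):
    """Return the 'Ip:' counters as {name: int}; fields are matched by name."""
    rows = [l.split()[1:] for l in snmp_text.splitlines() if l.startswith("Ip:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Ip: header line and one Ip: value line")
    return dict(zip(rows[0], map(int, rows[1])))

def reassembly_advice(before, after):
    """Compare two snapshots; return (advice, failure_ratio) for the interval."""
    oks = after["ReasmOKs"] - before["ReasmOKs"]
    fails = after["ReasmFails"] - before["ReasmFails"]
    if oks < 0 or fails < 0:
        return "resample", 0.0          # counters went backwards (wrap or reset)
    events = oks + fails
    ratio = fails / events if events else 0.0
    if fails < MIN_FAILS:
        return "ok", ratio              # reassembly is not failing enough to act
    if ratio > MAX_FAIL_RATIO:
        return "hold-possible-dos", ratio   # do not give more memory to a flood
    return "raise-high-thresh", ratio   # legitimate traffic is hitting the cap

if __name__ == "__main__":
    # /proc/net is per network namespace: on a real host, read /proc/net/snmp
    # from inside the namespace whose sysctl is being tuned.
    base = parse_ip_counters(sample(100, 40, 0))
    for label, text in (("pressure", sample(1100, 520, 60)),
                        ("flood", sample(5100, 45, 900))):
        advice, ratio = reassembly_advice(base, parse_ip_counters(text))
        print(f"{label}: {advice} (failure ratio {ratio:.2f})")
```
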