Date:      Thu, 24 Oct 2019 11:58:24 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r354019 - head/sys/netinet6
Message-ID:  <201910241158.x9OBwOhe020362@repo.freebsd.org>

Author: bz
Date: Thu Oct 24 11:58:24 2019
New Revision: 354019
URL: https://svnweb.freebsd.org/changeset/base/354019

Log:
  frag6: check global limits before hash and lock
  
  Check whether we are accepting more fragments (based on global limits)
  before doing expensive operations of calculating the hash and taking the
  bucket lock.  This slightly increases a "race" between check time and
  incrementing counters (which is already there) possibly allowing a few
  more fragments than the maximum limits.  However, when under attack,
  we would rather save this CPU time for other packets/work.
  
  MFC after:		3 weeks
  Sponsored by:		Netflix

Modified:
  head/sys/netinet6/frag6.c

Modified: head/sys/netinet6/frag6.c
==============================================================================
--- head/sys/netinet6/frag6.c	Thu Oct 24 09:22:23 2019	(r354018)
+++ head/sys/netinet6/frag6.c	Thu Oct 24 11:58:24 2019	(r354019)
@@ -458,6 +458,16 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 		return (IPPROTO_DONE);
 	}
 
+	/*
+	 * Enforce upper bound on number of fragments for the entire system.
+	 * If maxfrag is 0, never accept fragments.
+	 * If maxfrag is -1, accept all fragments without limitation.
+	 */
+	if (ip6_maxfrags < 0)
+		;
+	else if (atomic_load_int(&frag6_nfrags) >= (u_int)ip6_maxfrags)
+		goto dropfrag2;
+
 	/* Store receive network interface pointer for later. */
 	srcifp = m->m_pkthdr.rcvif;
 
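Review bot: the comment block now sitting above `srcifp = m->m_pkthdr.rcvif;` was moved verbatim, so it does not record that the test runs before the hash and IP6QB_LOCK and is a best-effort check that can admit a few fragments past ip6_maxfrags, as the commit log states. Adding one sentence to that effect would keep a later reader from "fixing" the race by moving the check back under the bucket lock. While the lines are being touched, the empty-statement form could collapse to a single condition, `if (ip6_maxfrags >= 0 && atomic_load_int(&frag6_nfrags) >= (u_int)ip6_maxfrags)`, and the comment's "maxfrag" could be spelled ip6_maxfrags to match the variable.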
@@ -473,16 +483,6 @@ frag6_input(struct mbuf **mp, int *offp, int proto)
 	IP6QB_LOCK(bucket);
 	head = IP6QB_HEAD(bucket);
 
-	/*
-	 * Enforce upper bound on number of fragments for the entire system.
-	 * If maxfrag is 0, never accept fragments.
-	 * If maxfrag is -1, accept all fragments without limitation.
-	 */
-	if (ip6_maxfrags < 0)
-		;
-	else if (atomic_load_int(&frag6_nfrags) >= (u_int)ip6_maxfrags)
-		goto dropfrag;
-
 	TAILQ_FOREACH(q6, head, ip6q_tq)
 		if (ip6f->ip6f_ident == q6->ip6q_ident &&
 		    IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &q6->ip6q_src) &&
@@ -825,6 +825,7 @@ postinsert:
 
 dropfrag:
 	IP6QB_UNLOCK(bucket);
+dropfrag2:
 	in6_ifstat_inc(dstifp, ifs6_reass_fail);
 	IP6STAT_INC(ip6s_fragdropped);
 	m_freem(m);
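Review bot: the new `dropfrag2:` entry point reaches `in6_ifstat_inc(dstifp, ifs6_reass_fail)` from the early limit check, so dstifp has to be assigned (or NULL and tolerated by the macro) before that check; the visible hunks only show srcifp being set after it, so this is worth confirming in the full function. The label would also read better with a name or a one-line comment saying it is entered without the bucket lock held, since the only difference from `dropfrag:` is the skipped `IP6QB_UNLOCK(bucket)` and a future `goto` to the wrong label would either leak the lock or unlock a lock that was never taken.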


