net.inet.ip.maxfragpackets defines the maximum size of ip reass queue

(prevents fragment flood from chewing up mbuf memory space). derived from KAME net.inet6.ip6.maxfragpackets.
2001-03-27 02:24:38 +00:00 · 2001-03-27 02:24:38 +00:00 · 4b72eeeee5
parent eb5ddb38e4
commit 4b72eeeee5
4 changed files with 44 additions and 5 deletions
--- a/lib/libc/gen/sysctl.3
+++ b/lib/libc/gen/sysctl.3
@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.3,v 1.74 2001/02/08 16:07:39 itojun Exp $
+.\"	$NetBSD: sysctl.3,v 1.75 2001/03/27 02:24:40 itojun Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -677,6 +677,7 @@ The currently defined protocols and names are:
 .It ip	gifttl	integer	yes
 .It ip	lowportmin	integer	yes
 .It ip	lowportmax	integer	yes
+.It ip	maxfragpacket	integer	yes
 .It icmp	maskrepl	integer	yes
 .It icmp	errppslimit	integer	yes
 .It tcp	rfc1323	integer	yes
@ -758,6 +759,11 @@ The highest port number to use for TCP and UDP reserved port allocation.
 This cannot be set to less than 0 or greater than 1024, and must
 be greater than
 .Li ip.lowportmin .
+.It Li ip.maxfragpackets
+The maximum number of fragmented packets the node will accept.
+0 means that the node will not accept any fragmented packets.
+-1 means that the node will accept as many fragmented packets as it receives.
+The flag is provided basically for avoiding possible DoS attacks.
 .It Li icmp.maskrepl
 Returns 1 if ICMP network mask requests are to be answered.
 .It Li icmp.errppslimit
--- a/sbin/sysctl/sysctl.8
+++ b/sbin/sysctl/sysctl.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: sysctl.8,v 1.65 2001/03/09 01:02:10 chs Exp $
+.\"	$NetBSD: sysctl.8,v 1.66 2001/03/27 02:24:39 itojun Exp $
 .\"
 .\" Copyright (c) 1993
 .\"	The Regents of the University of California.  All rights reserved.
@ -218,6 +218,7 @@ privilege can change the value.
 .It net.inet.ip.directed-broadcast	integer		yes
 .It net.inet.ip.forwarding	integer	yes
 .It net.inet.ip.forwsrcrt	integer	yes
+.It net.inet.ip.maxfragpacket	integer	yes
 .It net.inet.ip.lowportmax	integer	yes
 .It net.inet.ip.lowportmin	integer	yes
 .It net.inet.ip.mtudisc	integer	yes
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@ -1,4 +1,4 @@
-/*	$NetBSD: in.h,v 1.52 2001/01/19 09:01:48 kleink Exp $	*/
+/*	$NetBSD: in.h,v 1.53 2001/03/27 02:24:39 itojun Exp $	*/

 /*
 * Copyright (c) 1982, 1986, 1990, 1993
@ -355,7 +355,8 @@ struct ip_mreq {
 #define	IPCTL_GIF_TTL 	       15	/* default TTL for gif encap packet */
 #define	IPCTL_LOWPORTMIN       16	/* minimum reserved port */
 #define	IPCTL_LOWPORTMAX       17	/* maximum reserved port */
-#define	IPCTL_MAXID	       18
+#define	IPCTL_MAXFRAGPACKETS   18	/* max packets reassembly queue */
+#define	IPCTL_MAXID	       19

 #define	IPCTL_NAMES { \
 	{ 0, 0 }, \
@ -376,6 +377,7 @@ struct ip_mreq {
 	{ "gifttl", CTLTYPE_INT }, \
 	{ "lowportmin", CTLTYPE_INT }, \
 	{ "lowportmax", CTLTYPE_INT }, \
+	{ "maxfragpackets", CTLTYPE_INT }, \
 }
 #endif /* !_XOPEN_SOURCE */

--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.130 2001/03/02 04:26:10 itojun Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.131 2001/03/27 02:24:38 itojun Exp $	*/

 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -211,6 +211,8 @@ struct pfil_head inet_pfil_hook;

 struct ipqhead ipq;
 int	ipq_locked;
+int	ip_nfragpackets = 0;
+int	ip_maxfragpackets = -1;

 static __inline int ipq_lock_try __P((void));
 static __inline void ipq_unlock __P((void));
@ -781,6 +783,17 @@ ip_reass(ipqe, fp)
 	 * If first fragment to arrive, create a reassembly queue.
 	 */
 	if (fp == 0) {
+		/*
+		 * Enforce upper bound on number of fragmented packets
+		 * for which we attempt reassembly;
+		 * If maxfrag is 0, never accept fragments.
+		 * If maxfrag is -1, accept all fragments without limitation.
+		 */
+		if (ip_maxfragpackets < 0)
+			;
+		else if (ip_nfragpackets >= ip_maxfragpackets)
+			goto dropfrag;
+		ip_nfragpackets++;
 		MALLOC(fp, struct ipq *, sizeof (struct ipq),
 		    M_FTABLE, M_NOWAIT);
 		if (fp == NULL)
@ -896,6 +909,7 @@ insert:
 	ip->ip_dst = fp->ipq_dst;
 	LIST_REMOVE(fp, ipq_q);
 	FREE(fp, M_FTABLE);
+	ip_nfragpackets--;
 	m->m_len += (ip->ip_hl << 2);
 	m->m_data -= (ip->ip_hl << 2);
 	/* some debugging cruft by sklower, below, will go away soon */
@ -934,6 +948,7 @@ ip_freef(fp)
 	}
 	LIST_REMOVE(fp, ipq_q);
 	FREE(fp, M_FTABLE);
+	ip_nfragpackets--;
 }

 /*
@ -955,6 +970,17 @@ ip_slowtimo()
 			ip_freef(fp);
 		}
 	}
+	/*
+	 * If we are over the maximum number of fragments
+	 * (due to the limit being lowered), drain off
+	 * enough to get down to the new limit.
+	 */
+	if (ip_maxfragpackets < 0)
+		;
+	else {
+		while (ip_nfragpackets > ip_maxfragpackets && ipq.lh_first)
+			ip_freef(ipq.lh_first);
+	}
 	IPQ_UNLOCK();
 #ifdef GATEWAY
 	ipflow_slowtimo();
@ -1791,6 +1817,10 @@ ip_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
 		return (error);
 #endif

+	case IPCTL_MAXFRAGPACKETS:
+		return (sysctl_int(oldp, oldlenp, newp, newlen,
+		    &ip_maxfragpackets));
+
 	default:
 		return (EOPNOTSUPP);
 	}