From owner-svn-src-head@freebsd.org  Tue Aug 14 17:30:47 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 02ABF107F5CD;
 Tue, 14 Aug 2018 17:30:47 +0000 (UTC) (envelope-from jtl@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id A54A67D035;
 Tue, 14 Aug 2018 17:30:46 +0000 (UTC) (envelope-from jtl@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 6F82C1E9D8;
 Tue, 14 Aug 2018 17:30:46 +0000 (UTC) (envelope-from jtl@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w7EHUkio017539;
 Tue, 14 Aug 2018 17:30:46 GMT (envelope-from jtl@FreeBSD.org)
Received: (from jtl@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w7EHUk3C017526;
 Tue, 14 Aug 2018 17:30:46 GMT (envelope-from jtl@FreeBSD.org)
Message-Id: <201808141730.w7EHUk3C017526@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: jtl set sender to jtl@FreeBSD.org
 using -f
From: "Jonathan T. Looney" <jtl@FreeBSD.org>
Date: Tue, 14 Aug 2018 17:30:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r337786 - head/sys/netinet
X-SVN-Group: head
X-SVN-Commit-Author: jtl
X-SVN-Commit-Paths: head/sys/netinet
X-SVN-Commit-Revision: 337786
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2018 17:30:47 -0000

Author: jtl
Date: Tue Aug 14 17:30:46 2018
New Revision: 337786
URL: https://svnweb.freebsd.org/changeset/base/337786

Log:
  Lower the default limits on the IPv4 reassembly queue.
  
  In particular, try to ensure that no bucket will have a reassembly
  queue larger than approximately 100 items. This limits the cost to
  find the correct reassembly queue when processing an incoming
  fragment.
  
  Due to the low limits on each bucket's length, increase the size of
  the hash table from 64 to 1024.
  
  Reviewed by:	jhb
  Security:	FreeBSD-SA-18:10.ip
  Security:	CVE-2018-6923

Modified:
  head/sys/netinet/ip_reass.c

Modified: head/sys/netinet/ip_reass.c
==============================================================================
--- head/sys/netinet/ip_reass.c	Tue Aug 14 17:29:41 2018	(r337785)
+++ head/sys/netinet/ip_reass.c	Tue Aug 14 17:30:46 2018	(r337786)
@@ -64,7 +64,7 @@ SYSCTL_DECL(_net_inet_ip);
 /*
  * Reassembly headers are stored in hash buckets.
  */
-#define	IPREASS_NHASH_LOG2	6
+#define	IPREASS_NHASH_LOG2	10
 #define	IPREASS_NHASH		(1 << IPREASS_NHASH_LOG2)
 #define	IPREASS_HMASK		(IPREASS_NHASH - 1)
 
@@ -116,6 +116,22 @@ ipq_drop(struct ipqbucket *bucket, struct ipq *fp)
 	ipq_free(bucket, fp);
 }
 
+/*
+ * By default, limit the number of IP fragments across all reassembly
+ * queues to  1/32 of the total number of mbuf clusters.
+ *
+ * Limit the total number of reassembly queues per VNET to the
+ * IP fragment limit, but ensure the limit will not allow any bucket
+ * to grow above 100 items. (The bucket limit is
+ * IP_MAXFRAGPACKETS / (IPREASS_NHASH / 2), so the 50 is the correct
+ * multiplier to reach a 100-item limit.)
+ * The 100-item limit was chosen as brief testing seems to show that
+ * this produces "reasonable" performance on some subset of systems
+ * under DoS attack.
+ */
+#define	IP_MAXFRAGS		(nmbclusters / 32)
+#define	IP_MAXFRAGPACKETS	(imin(IP_MAXFRAGS, IPREASS_NHASH * 50))
+
 static int		maxfrags;
 static volatile u_int	nfrags;
 SYSCTL_INT(_net_inet_ip, OID_AUTO, maxfrags, CTLFLAG_RW,
@@ -513,12 +529,12 @@ ipreass_init(void)
 	V_maxfragsperpacket = 16;
 	V_ipq_zone = uma_zcreate("ipq", sizeof(struct ipq), NULL, NULL, NULL,
 	    NULL, UMA_ALIGN_PTR, 0);
-	max = nmbclusters / 32;
+	max = IP_MAXFRAGPACKETS;
 	max = uma_zone_set_max(V_ipq_zone, max);
 	V_ipreass_maxbucketsize = imax(max / (IPREASS_NHASH / 2), 1);
 
 	if (IS_DEFAULT_VNET(curvnet)) {
-		maxfrags = nmbclusters / 32;
+		maxfrags = IP_MAXFRAGS;
 		EVENTHANDLER_REGISTER(nmbclusters_change, ipreass_zone_change,
 		    NULL, EVENTHANDLER_PRI_ANY);
 	}
@@ -622,8 +638,8 @@ ipreass_zone_change(void *tag)
 	VNET_ITERATOR_DECL(vnet_iter);
 	int max;
 
-	maxfrags = nmbclusters / 32;
-	max = nmbclusters / 32;
+	maxfrags = IP_MAXFRAGS;
+	max = IP_MAXFRAGPACKETS;
 	VNET_LIST_RLOCK_NOSLEEP();
 	VNET_FOREACH(vnet_iter) {
 		CURVNET_SET(vnet_iter);