From owner-svn-src-head@freebsd.org Thu Oct 24 11:58:25 2019 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3C0311699EB; Thu, 24 Oct 2019 11:58:25 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 46zQk90pKhz4tJM; Thu, 24 Oct 2019 11:58:25 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 003E6DC75; Thu, 24 Oct 2019 11:58:25 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x9OBwOWN020363; Thu, 24 Oct 2019 11:58:24 GMT (envelope-from bz@FreeBSD.org) Received: (from bz@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x9OBwOhe020362; Thu, 24 Oct 2019 11:58:24 GMT (envelope-from bz@FreeBSD.org) Message-Id: <201910241158.x9OBwOhe020362@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bz set sender to bz@FreeBSD.org using -f From: "Bjoern A. Zeeb" Date: Thu, 24 Oct 2019 11:58:24 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r354019 - head/sys/netinet6 X-SVN-Group: head X-SVN-Commit-Author: bz X-SVN-Commit-Paths: head/sys/netinet6 X-SVN-Commit-Revision: 354019 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Oct 2019 11:58:25 -0000 Author: bz Date: Thu Oct 24 11:58:24 2019 New Revision: 354019 URL: https://svnweb.freebsd.org/changeset/base/354019 Log: frag6: check global limits before hash and lock Check whether we are accepting more fragments (based on global limits) before doing expensive operations of calculating the hash and taking the bucket lock. This slightly increases a "race" between check time and incrementing counters (which is already there) possibly allowing a few more fragments than the maximum limits. However, when under attack, we rather save this CPU time for other packets/work. MFC after: 3 weeks Sponsored by: Netflix Modified: head/sys/netinet6/frag6.c Modified: head/sys/netinet6/frag6.c ============================================================================== --- head/sys/netinet6/frag6.c Thu Oct 24 09:22:23 2019 (r354018) +++ head/sys/netinet6/frag6.c Thu Oct 24 11:58:24 2019 (r354019) @@ -458,6 +458,16 @@ frag6_input(struct mbuf **mp, int *offp, int proto) return (IPPROTO_DONE); } + /* + * Enforce upper bound on number of fragments for the entire system. + * If maxfrag is 0, never accept fragments. + * If maxfrag is -1, accept all fragments without limitation. + */ + if (ip6_maxfrags < 0) + ; + else if (atomic_load_int(&frag6_nfrags) >= (u_int)ip6_maxfrags) + goto dropfrag2; + /* Store receive network interface pointer for later. */ srcifp = m->m_pkthdr.rcvif; @@ -473,16 +483,6 @@ frag6_input(struct mbuf **mp, int *offp, int proto) IP6QB_LOCK(bucket); head = IP6QB_HEAD(bucket); - /* - * Enforce upper bound on number of fragments for the entire system. - * If maxfrag is 0, never accept fragments. - * If maxfrag is -1, accept all fragments without limitation. - */ - if (ip6_maxfrags < 0) - ; - else if (atomic_load_int(&frag6_nfrags) >= (u_int)ip6_maxfrags) - goto dropfrag; - TAILQ_FOREACH(q6, head, ip6q_tq) if (ip6f->ip6f_ident == q6->ip6q_ident && IN6_ARE_ADDR_EQUAL(&ip6->ip6_src, &q6->ip6q_src) && @@ -825,6 +825,7 @@ postinsert: dropfrag: IP6QB_UNLOCK(bucket); +dropfrag2: in6_ifstat_inc(dstifp, ifs6_reass_fail); IP6STAT_INC(ip6s_fragdropped); m_freem(m);