
Add Router and Prefix table limits.
Status: Needs Review (Public)

Authored by bz on Dec 6 2019, 9:58 PM.

Details

Summary

Implement limit checks for ND6 default routers, and ND6 prefixes learnt.
This avoids easy attacks exhausting resources, e.g., memory.

Limits are only settable on the base system and not on a
per-VNET basis to avoid a VNET opening itself up as a target
for DoS taking the entire system down. Should there be a
need for per-VNET limits we can either do as frag6 and have
a system global maximum sum for all VNETs and a per-VNET
one, or we could implement a SYSCTL_PROC not allowing a VNET
to go beyond the global (per-VNET) limit.

In the end the goal here is to avoid a panic and not to provide
all possible countermeasures. For some cases network
infrastructure could help a lot easier than we could with 100s
of lines of code.

PR: 157410
Sponsored by: Netflix (originally)

This is extracted from D22447.

Diff Detail

Repository: rS FreeBSD src repository
Lint: No Linters Available
Unit: No Unit Test Coverage
Build Status: Buildable 28016; Build 26173: arc lint + arc unit

Event Timeline

bz created this revision. Dec 6 2019, 9:58 PM
melifaro added inline comments. Dec 7 2019, 7:45 PM
sys/netinet6/nd6_rtr.c, line 1152

If we have an existing router dropping its preference (high -> low) in "overflow" condition, we would update dr in the beginning, but fail to maintain sort order for V_nd6_defrouter.

Can we restrict this check to dr == NULL use case?
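The following is an added illustration of the two points on this page, written for this review and not taken from FreeBSD's nd6_rtr.c: a system-wide cap on the number of default routers that refuses only new entries (the dr == NULL case the inline comment asks for), while a preference change on an already-known router bypasses the cap and re-sorts the list so its order stays consistent. All names (rtr_table, rtr_update, the fe80:: sample addresses) are constructed for the example; the real kernel keeps a TAILQ, not an array, and its limit is a sysctl rather than a struct field.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified default-router table with a global limit.
 * Hypothetical names; this is not FreeBSD's V_nd6_defrouter code. */

#define RTR_ADDR_LEN  16
#define RTR_MAX_SLOTS 64

struct rtr_entry {
    uint8_t addr[RTR_ADDR_LEN]; /* router's link-local address */
    int pref;                   /* RFC 4191 preference: 1 high, 0 medium, -1 low */
};

struct rtr_table {
    struct rtr_entry e[RTR_MAX_SLOTS];
    int count;
    int limit;              /* system-wide maximum number of routers */
    unsigned long dropped;  /* new routers refused because of the limit */
};

static void rtr_table_init(struct rtr_table *t, int limit) {
    memset(t, 0, sizeof(*t));
    t->limit = limit;
}

static struct rtr_entry *rtr_lookup(struct rtr_table *t, const uint8_t *addr) {
    for (int i = 0; i < t->count; i++)
        if (memcmp(t->e[i].addr, addr, RTR_ADDR_LEN) == 0)
            return &t->e[i];
    return NULL;
}

/* Keep entries sorted by preference, highest first; stable for equal prefs. */
static void rtr_resort(struct rtr_table *t) {
    for (int i = 1; i < t->count; i++) {
        struct rtr_entry tmp = t->e[i];
        int j = i - 1;
        while (j >= 0 && t->e[j].pref < tmp.pref) {
            t->e[j + 1] = t->e[j];
            j--;
        }
        t->e[j + 1] = tmp;
    }
}

/* Returns 0 on success, -1 when a *new* router is refused by the limit.
 * An update of a known router (dr != NULL) never hits the limit check,
 * but must re-sort because its preference may have changed. */
static int rtr_update(struct rtr_table *t, const uint8_t *addr, int pref) {
    struct rtr_entry *dr = rtr_lookup(t, addr);
    if (dr != NULL) {
        dr->pref = pref;
        rtr_resort(t);
        return 0;
    }
    if (t->count >= t->limit || t->count >= RTR_MAX_SLOTS) {
        t->dropped++;       /* counted so the condition is visible to operators */
        return -1;
    }
    dr = &t->e[t->count++];
    memcpy(dr->addr, addr, RTR_ADDR_LEN);
    dr->pref = pref;
    rtr_resort(t);
    return 0;
}

static int rtr_is_sorted(const struct rtr_table *t) {
    for (int i = 1; i < t->count; i++)
        if (t->e[i - 1].pref < t->e[i].pref)
            return 0;
    return 1;
}

/* Build a constructed fe80::n link-local address. */
static void mk_addr(uint8_t *out, uint8_t n) {
    memset(out, 0, RTR_ADDR_LEN);
    out[0] = 0xfe; out[1] = 0x80; out[15] = n;
}

/* Scenario from the review: fill the table to its limit, try one more
 * router (refused), then lower an existing router's preference (accepted
 * and re-sorted). Returns 0 when every expectation holds. */
static int rtr_demo(void) {
    struct rtr_table t;
    uint8_t a[RTR_ADDR_LEN];
    rtr_table_init(&t, 3);
    for (uint8_t n = 1; n <= 3; n++) {
        mk_addr(a, n);
        if (rtr_update(&t, a, 1) != 0) return 1;
    }
    mk_addr(a, 4);
    if (rtr_update(&t, a, 1) != -1) return 2;  /* over the limit: refused */
    mk_addr(a, 1);
    if (rtr_update(&t, a, -1) != 0) return 3;  /* known router: accepted */
    if (!rtr_is_sorted(&t) || t.count != 3 || t.dropped != 1) return 4;
    if (t.e[2].addr[15] != 1) return 5;        /* router 1 now sorts last */
    return 0;
}
```

The split in rtr_update is the whole point: the limit protects against an unbounded number of distinct routers, so it belongs on the insertion path only, and the update path has to call the re-sort regardless of whether the table is full.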