
Add Router and Prefix table limits.
Needs Review (Public)

Authored by bz on Dec 6 2019, 9:58 PM.



Implement limit checks for ND6 default routers, and ND6 prefixes learnt.
This avoids easy attacks exhausting resources, e.g., memory.

Limits are only settable on the base system and not on a
per-VNET basis to avoid a VNET opening itself up as a target
for DoS taking the entire system down. Should there be a
need for per-VNET limits we can either do as frag6 and have
a system global maximum sum for all VNETs and a per-VNET
one, or we could implement a SYSCTL_PROC not allowing a VNET
to go beyond the global (per-VNET) limit.

In the end the goal here is to avoid a panic and not to provide
all possible countermeasures. For some cases network
infrastructure could help a lot easier than we could with 100s
of lines of code.

PR: 157410
Sponsored by: Netflix (originally)

This is extracted from D22447.

Diff Detail

Repository: rS FreeBSD src repository
Build Status: Buildable 28016, Build 26173 (arc lint + arc unit)

Event Timeline

bz created this revision. Dec 6 2019, 9:58 PM
melifaro added inline comments. Dec 7 2019, 7:45 PM

If we have an existing router dropping its preference (high -> low) in the "overflow" condition, we would update dr in the beginning, but fail to maintain sort order for V_nd6_defrouter.

Can we restrict this check to dr == NULL use case?
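The edge case raised in the comment above, as an added illustration that is neither this revision's code nor FreeBSD's nd6 implementation: a hypothetical bounded, preference-sorted router list where the limit check is applied only when no existing entry is found (dr == NULL), so an existing router lowering its preference at full occupancy is still accepted and the list re-sorted, while a genuinely new router is refused. All names, the limit of 3 and the addresses are assumptions.

```c
#include <stddef.h>
/* Hypothetical bounded, preference-sorted default-router list; a
 * simplified model, not FreeBSD's nd6 code. addr is a constructed id. */
#define MAX_ROUTERS 8
struct router { unsigned addr; int pref; };
struct router_list { struct router r[MAX_ROUTERS]; int n; };

static struct router *router_find(struct router_list *l, unsigned addr)
{
    for (int i = 0; i < l->n; i++)
        if (l->r[i].addr == addr) return &l->r[i];
    return NULL;
}
/* Stable insertion sort, highest preference first. */
static void router_sort(struct router_list *l)
{
    for (int i = 1; i < l->n; i++) {
        struct router key = l->r[i];
        int j = i - 1;
        for (; j >= 0 && l->r[j].pref < key.pref; j--) l->r[j + 1] = l->r[j];
        l->r[j + 1] = key;
    }
}

/* The limit applies only to a genuinely new router (dr == NULL). An existing
 * router may change preference even when full, and the list is re-sorted. */
int router_update(struct router_list *l, unsigned addr, int pref, int limit)
{
    struct router *dr = router_find(l, addr);
    if (dr == NULL) {
        if (l->n >= limit || l->n >= MAX_ROUTERS) return -1; /* refused */
        dr = &l->r[l->n++];
        dr->addr = addr;
    }
    dr->pref = pref;
    router_sort(l);
    return 0;
}

/* Review scenario: list full (limit 3), router 3 drops from top to bottom.
 * Returns 1 if the demotion is accepted and re-sorted and a 4th is refused. */
int demo_scenario(void)
{
    struct router_list l = { .n = 0 };
    for (unsigned a = 1; a <= 3; a++) router_update(&l, a, (int)a * 10, 3);
    int demoted = router_update(&l, 3, 0, 3);  /* existing entry, accepted */
    int added = router_update(&l, 4, 50, 3);   /* new entry, over limit */
    return demoted == 0 && added == -1 &&
        l.r[0].addr == 2 && l.r[1].addr == 1 && l.r[2].addr == 3;
}
```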