[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANn89iLH4nDuOHS-0AzYBYOz4f3byZndKXG3_VefVxUbujJZNg@mail.gmail.com>
Date: Mon, 29 Aug 2022 15:20:54 -0700
From: Eric Dumazet <edumazet@...gle.com>
To: Richard Gobert <richardbgobert@...il.com>
Cc: David Miller <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Jonathan Corbet <corbet@....net>,
Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
David Ahern <dsahern@...nel.org>,
Alexander Aring <alex.aring@...il.com>,
Stefan Schmidt <stefan@...enfreihafen.org>,
Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...filter.org>,
Florian Westphal <fw@...len.de>,
Martin KaFai Lau <kafai@...com>,
netdev <netdev@...r.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>, linux-wpan@...r.kernel.org,
netfilter-devel@...r.kernel.org, coreteam@...filter.org
Subject: Re: [PATCH 2/4] net-next: ip6: fetch inetpeer in ip6frag_init
On Mon, Aug 29, 2022 at 4:48 AM Richard Gobert <richardbgobert@...il.com> wrote:
>
> Obtain the IPv6 peer in ip6frag_init, to allow for peer memory tracking
> in the IPv6 fragment reassembly logic.
Sorry, this is adding yet another bottleneck, and will make DDOS
attacks based on fragments more effective.
Whole concept of 'peers' based on IPv6 addresses is rather weak, as
hosts with IPv6 can easily
get millions of different 'addresses'.
>
> Signed-off-by: Richard Gobert <richardbgobert@...il.com>
> ---
> include/net/ipv6_frag.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
> index 5052c66e22d2..62760cd3bdd1 100644
> --- a/include/net/ipv6_frag.h
> +++ b/include/net/ipv6_frag.h
> @@ -6,6 +6,7 @@
> #include <net/addrconf.h>
> #include <net/ipv6.h>
> #include <net/inet_frag.h>
> +#include <net/inetpeer.h>
>
> enum ip6_defrag_Richard Goberts {
> IP6_DEFRAG_LOCAL_DELIVER,
> @@ -33,9 +34,11 @@ static inline void ip6frag_init(struct inet_frag_queue *q, const void *a)
> {
> struct frag_queue *fq = container_of(q, struct frag_queue, q);
> const struct frag_v6_compare_key *key = a;
> + const struct net *net = q->fqdir->net;
>
> q->key.v6 = *key;
> fq->ecn = 0;
> + q->peer = inet_getpeer_v6(net->ipv6.peers, &key->saddr, 1);
> }
>
> static inline u32 ip6frag_key_hashfn(const void *data, u32 len, u32 seed)
> --
> 2.36.1
>
Powered by blists - more mailing lists