Obtain the IPv6 peer in ip6frag_init, to allow for peer memory tracking
in the IPv6 fragment reassembly logic.
Signed-off-by: Richard Gobert <[email protected]>
---
include/net/ipv6_frag.h | 3 +++
1 file changed, 3 insertions(+)
diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
index 5052c66e22d2..62760cd3bdd1 100644
--- a/include/net/ipv6_frag.h
+++ b/include/net/ipv6_frag.h
@@ -6,6 +6,7 @@
#include <net/addrconf.h>
#include <net/ipv6.h>
#include <net/inet_frag.h>
+#include <net/inetpeer.h>
enum ip6_defrag_Richard Goberts {
IP6_DEFRAG_LOCAL_DELIVER,
@@ -33,9 +34,11 @@ static inline void ip6frag_init(struct inet_frag_queue *q, const void *a)
{
struct frag_queue *fq = container_of(q, struct frag_queue, q);
const struct frag_v6_compare_key *key = a;
+ const struct net *net = q->fqdir->net;
q->key.v6 = *key;
fq->ecn = 0;
+ q->peer = inet_getpeer_v6(net->ipv6.peers, &key->saddr, 1);
}
static inline u32 ip6frag_key_hashfn(const void *data, u32 len, u32 seed)
--
2.36.1
On Mon, Aug 29, 2022 at 4:48 AM Richard Gobert <[email protected]> wrote:
>
> Obtain the IPv6 peer in ip6frag_init, to allow for peer memory tracking
> in the IPv6 fragment reassembly logic.
Sorry, this is adding yet another bottleneck, and will make DDOS
attacks based on fragments more effective.
Whole concept of 'peers' based on IPv6 addresses is rather weak, as
hosts with IPv6 can easily
get millions of different 'addresses'.
>
> Signed-off-by: Richard Gobert <[email protected]>
> ---
> include/net/ipv6_frag.h | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
> index 5052c66e22d2..62760cd3bdd1 100644
> --- a/include/net/ipv6_frag.h
> +++ b/include/net/ipv6_frag.h
> @@ -6,6 +6,7 @@
> #include <net/addrconf.h>
> #include <net/ipv6.h>
> #include <net/inet_frag.h>
> +#include <net/inetpeer.h>
>
> enum ip6_defrag_Richard Goberts {
> IP6_DEFRAG_LOCAL_DELIVER,
> @@ -33,9 +34,11 @@ static inline void ip6frag_init(struct inet_frag_queue *q, const void *a)
> {
> struct frag_queue *fq = container_of(q, struct frag_queue, q);
> const struct frag_v6_compare_key *key = a;
> + const struct net *net = q->fqdir->net;
>
> q->key.v6 = *key;
> fq->ecn = 0;
> + q->peer = inet_getpeer_v6(net->ipv6.peers, &key->saddr, 1);
> }
>
> static inline u32 ip6frag_key_hashfn(const void *data, u32 len, u32 seed)
> --
> 2.36.1
>
On Mon, Aug 29, 2022 at 03:20:54PM -0700, Eric Dumazet wrote:
> Sorry, this is adding yet another bottleneck, and will make DDOS
> attacks based on fragments more effective.
>
> Whole concept of 'peers' based on IPv6 addresses is rather weak, as
> hosts with IPv6 can easily
> get millions of different 'addresses'.
I understand the problem with the implementation. Since peers don't
carry much weight in IPv6, this patch can be dropped.