aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4/ip_fragment.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/ipv4/ip_fragment.c')
-rw-r--r--net/ipv4/ip_fragment.c26
1 files changed, 13 insertions, 13 deletions
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 70d241c8d2a8..80c2c19196cd 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -75,14 +75,6 @@ struct ipq {
75}; 75};
76 76
77static struct inet_frags_ctl ip4_frags_ctl __read_mostly = { 77static struct inet_frags_ctl ip4_frags_ctl __read_mostly = {
78 /*
79 * Fragment cache limits. We will commit 256K at one time. Should we
80 * cross that limit we will prune down to 192K. This should cope with
81 * even the most extreme cases without allowing an attacker to
82 * measurably harm machine performance.
83 */
84 .high_thresh = 256 * 1024,
85 .low_thresh = 192 * 1024,
86 .secret_interval = 10 * 60 * HZ, 78 .secret_interval = 10 * 60 * HZ,
87}; 79};
88 80
@@ -582,7 +574,7 @@ int ip_defrag(struct sk_buff *skb, u32 user)
582 574
583 net = skb->dev->nd_net; 575 net = skb->dev->nd_net;
584 /* Start by cleaning up the memory. */ 576 /* Start by cleaning up the memory. */
585 if (atomic_read(&net->ipv4.frags.mem) > ip4_frags_ctl.high_thresh) 577 if (atomic_read(&net->ipv4.frags.mem) > net->ipv4.frags.high_thresh)
586 ip_evictor(net); 578 ip_evictor(net);
587 579
588 /* Lookup (or create) queue header */ 580 /* Lookup (or create) queue header */
@@ -610,7 +602,7 @@ static struct ctl_table ip4_frags_ctl_table[] = {
610 { 602 {
611 .ctl_name = NET_IPV4_IPFRAG_HIGH_THRESH, 603 .ctl_name = NET_IPV4_IPFRAG_HIGH_THRESH,
612 .procname = "ipfrag_high_thresh", 604 .procname = "ipfrag_high_thresh",
613 .data = &ip4_frags_ctl.high_thresh, 605 .data = &init_net.ipv4.frags.high_thresh,
614 .maxlen = sizeof(int), 606 .maxlen = sizeof(int),
615 .mode = 0644, 607 .mode = 0644,
616 .proc_handler = &proc_dointvec 608 .proc_handler = &proc_dointvec
@@ -618,7 +610,7 @@ static struct ctl_table ip4_frags_ctl_table[] = {
618 { 610 {
619 .ctl_name = NET_IPV4_IPFRAG_LOW_THRESH, 611 .ctl_name = NET_IPV4_IPFRAG_LOW_THRESH,
620 .procname = "ipfrag_low_thresh", 612 .procname = "ipfrag_low_thresh",
621 .data = &ip4_frags_ctl.low_thresh, 613 .data = &init_net.ipv4.frags.low_thresh,
622 .maxlen = sizeof(int), 614 .maxlen = sizeof(int),
623 .mode = 0644, 615 .mode = 0644,
624 .proc_handler = &proc_dointvec 616 .proc_handler = &proc_dointvec
@@ -663,8 +655,8 @@ static int ip4_frags_ctl_register(struct net *net)
663 if (table == NULL) 655 if (table == NULL)
664 goto err_alloc; 656 goto err_alloc;
665 657
666 table[0].mode &= ~0222; 658 table[0].data = &net->ipv4.frags.high_thresh;
667 table[1].mode &= ~0222; 659 table[1].data = &net->ipv4.frags.low_thresh;
668 table[2].data = &net->ipv4.frags.timeout; 660 table[2].data = &net->ipv4.frags.timeout;
669 table[3].mode &= ~0222; 661 table[3].mode &= ~0222;
670 table[4].mode &= ~0222; 662 table[4].mode &= ~0222;
@@ -706,6 +698,14 @@ static inline void ip4_frags_ctl_unregister(struct net *net)
706static int ipv4_frags_init_net(struct net *net) 698static int ipv4_frags_init_net(struct net *net)
707{ 699{
708 /* 700 /*
701 * Fragment cache limits. We will commit 256K at one time. Should we
702 * cross that limit we will prune down to 192K. This should cope with
703 * even the most extreme cases without allowing an attacker to
704 * measurably harm machine performance.
705 */
706 net->ipv4.frags.high_thresh = 256 * 1024;
707 net->ipv4.frags.low_thresh = 192 * 1024;
708 /*
709 * Important NOTE! Fragment queue must be destroyed before MSL expires. 709 * Important NOTE! Fragment queue must be destroyed before MSL expires.
710 * RFC791 is wrong proposing to prolongate timer each fragment arrival 710 * RFC791 is wrong proposing to prolongate timer each fragment arrival
711 * by TTL. 711 * by TTL.