aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/ip_fragment.c47
-rw-r--r--net/ipv4/sysctl_net_ipv4.c9
2 files changed, 31 insertions, 25 deletions
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index 321e694b72e8..0dd9a31df212 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -50,21 +50,8 @@
50 * as well. Or notify me, at least. --ANK 50 * as well. Or notify me, at least. --ANK
51 */ 51 */
52 52
53/* Fragment cache limits. We will commit 256K at one time. Should we
54 * cross that limit we will prune down to 192K. This should cope with
55 * even the most extreme cases without allowing an attacker to measurably
56 * harm machine performance.
57 */
58int sysctl_ipfrag_high_thresh __read_mostly = 256*1024;
59int sysctl_ipfrag_low_thresh __read_mostly = 192*1024;
60
61int sysctl_ipfrag_max_dist __read_mostly = 64; 53int sysctl_ipfrag_max_dist __read_mostly = 64;
62 54
63/* Important NOTE! Fragment queue must be destroyed before MSL expires.
64 * RFC791 is wrong proposing to prolongate timer each fragment arrival by TTL.
65 */
66int sysctl_ipfrag_time __read_mostly = IP_FRAG_TIME;
67
68struct ipfrag_skb_cb 55struct ipfrag_skb_cb
69{ 56{
70 struct inet_skb_parm h; 57 struct inet_skb_parm h;
@@ -87,6 +74,25 @@ struct ipq {
87 struct inet_peer *peer; 74 struct inet_peer *peer;
88}; 75};
89 76
77struct inet_frags_ctl ip4_frags_ctl __read_mostly = {
78 /*
79 * Fragment cache limits. We will commit 256K at one time. Should we
80 * cross that limit we will prune down to 192K. This should cope with
81 * even the most extreme cases without allowing an attacker to
82 * measurably harm machine performance.
83 */
84 .high_thresh = 256 * 1024,
85 .low_thresh = 192 * 1024,
86
87 /*
88 * Important NOTE! Fragment queue must be destroyed before MSL expires.
89 * RFC791 is wrong proposing to prolongate timer each fragment arrival
90 * by TTL.
91 */
92 .timeout = IP_FRAG_TIME,
93 .secret_interval = 10 * 60 * HZ,
94};
95
90static struct inet_frags ip4_frags; 96static struct inet_frags ip4_frags;
91 97
92int ip_frag_nqueues(void) 98int ip_frag_nqueues(void)
@@ -123,8 +129,6 @@ static unsigned int ipqhashfn(__be16 id, __be32 saddr, __be32 daddr, u8 prot)
123 ip4_frags.rnd) & (INETFRAGS_HASHSZ - 1); 129 ip4_frags.rnd) & (INETFRAGS_HASHSZ - 1);
124} 130}
125 131
126int sysctl_ipfrag_secret_interval __read_mostly = 10 * 60 * HZ;
127
128static void ipfrag_secret_rebuild(unsigned long dummy) 132static void ipfrag_secret_rebuild(unsigned long dummy)
129{ 133{
130 unsigned long now = jiffies; 134 unsigned long now = jiffies;
@@ -150,7 +154,7 @@ static void ipfrag_secret_rebuild(unsigned long dummy)
150 } 154 }
151 write_unlock(&ip4_frags.lock); 155 write_unlock(&ip4_frags.lock);
152 156
153 mod_timer(&ip4_frags.secret_timer, now + sysctl_ipfrag_secret_interval); 157 mod_timer(&ip4_frags.secret_timer, now + ip4_frags_ctl.secret_interval);
154} 158}
155 159
156/* Memory Tracking Functions. */ 160/* Memory Tracking Functions. */
@@ -237,7 +241,7 @@ static void ip_evictor(void)
237 struct list_head *tmp; 241 struct list_head *tmp;
238 int work; 242 int work;
239 243
240 work = atomic_read(&ip4_frags.mem) - sysctl_ipfrag_low_thresh; 244 work = atomic_read(&ip4_frags.mem) - ip4_frags_ctl.low_thresh;
241 if (work <= 0) 245 if (work <= 0)
242 return; 246 return;
243 247
@@ -326,7 +330,7 @@ static struct ipq *ip_frag_intern(struct ipq *qp_in)
326#endif 330#endif
327 qp = qp_in; 331 qp = qp_in;
328 332
329 if (!mod_timer(&qp->q.timer, jiffies + sysctl_ipfrag_time)) 333 if (!mod_timer(&qp->q.timer, jiffies + ip4_frags_ctl.timeout))
330 atomic_inc(&qp->q.refcnt); 334 atomic_inc(&qp->q.refcnt);
331 335
332 atomic_inc(&qp->q.refcnt); 336 atomic_inc(&qp->q.refcnt);
@@ -432,7 +436,7 @@ static int ip_frag_reinit(struct ipq *qp)
432{ 436{
433 struct sk_buff *fp; 437 struct sk_buff *fp;
434 438
435 if (!mod_timer(&qp->q.timer, jiffies + sysctl_ipfrag_time)) { 439 if (!mod_timer(&qp->q.timer, jiffies + ip4_frags_ctl.timeout)) {
436 atomic_inc(&qp->q.refcnt); 440 atomic_inc(&qp->q.refcnt);
437 return -ETIMEDOUT; 441 return -ETIMEDOUT;
438 } 442 }
@@ -733,7 +737,7 @@ int ip_defrag(struct sk_buff *skb, u32 user)
733 IP_INC_STATS_BH(IPSTATS_MIB_REASMREQDS); 737 IP_INC_STATS_BH(IPSTATS_MIB_REASMREQDS);
734 738
735 /* Start by cleaning up the memory. */ 739 /* Start by cleaning up the memory. */
736 if (atomic_read(&ip4_frags.mem) > sysctl_ipfrag_high_thresh) 740 if (atomic_read(&ip4_frags.mem) > ip4_frags_ctl.high_thresh)
737 ip_evictor(); 741 ip_evictor();
738 742
739 /* Lookup (or create) queue header */ 743 /* Lookup (or create) queue header */
@@ -758,9 +762,10 @@ void __init ipfrag_init(void)
758{ 762{
759 init_timer(&ip4_frags.secret_timer); 763 init_timer(&ip4_frags.secret_timer);
760 ip4_frags.secret_timer.function = ipfrag_secret_rebuild; 764 ip4_frags.secret_timer.function = ipfrag_secret_rebuild;
761 ip4_frags.secret_timer.expires = jiffies + sysctl_ipfrag_secret_interval; 765 ip4_frags.secret_timer.expires = jiffies + ip4_frags_ctl.secret_interval;
762 add_timer(&ip4_frags.secret_timer); 766 add_timer(&ip4_frags.secret_timer);
763 767
768 ip4_frags.ctl = &ip4_frags_ctl;
764 inet_frags_init(&ip4_frags); 769 inet_frags_init(&ip4_frags);
765} 770}
766 771
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index eb286abcf5dc..c98ef16effd2 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -19,6 +19,7 @@
19#include <net/route.h> 19#include <net/route.h>
20#include <net/tcp.h> 20#include <net/tcp.h>
21#include <net/cipso_ipv4.h> 21#include <net/cipso_ipv4.h>
22#include <net/inet_frag.h>
22 23
23/* From af_inet.c */ 24/* From af_inet.c */
24extern int sysctl_ip_nonlocal_bind; 25extern int sysctl_ip_nonlocal_bind;
@@ -357,7 +358,7 @@ ctl_table ipv4_table[] = {
357 { 358 {
358 .ctl_name = NET_IPV4_IPFRAG_HIGH_THRESH, 359 .ctl_name = NET_IPV4_IPFRAG_HIGH_THRESH,
359 .procname = "ipfrag_high_thresh", 360 .procname = "ipfrag_high_thresh",
360 .data = &sysctl_ipfrag_high_thresh, 361 .data = &ip4_frags_ctl.high_thresh,
361 .maxlen = sizeof(int), 362 .maxlen = sizeof(int),
362 .mode = 0644, 363 .mode = 0644,
363 .proc_handler = &proc_dointvec 364 .proc_handler = &proc_dointvec
@@ -365,7 +366,7 @@ ctl_table ipv4_table[] = {
365 { 366 {
366 .ctl_name = NET_IPV4_IPFRAG_LOW_THRESH, 367 .ctl_name = NET_IPV4_IPFRAG_LOW_THRESH,
367 .procname = "ipfrag_low_thresh", 368 .procname = "ipfrag_low_thresh",
368 .data = &sysctl_ipfrag_low_thresh, 369 .data = &ip4_frags_ctl.low_thresh,
369 .maxlen = sizeof(int), 370 .maxlen = sizeof(int),
370 .mode = 0644, 371 .mode = 0644,
371 .proc_handler = &proc_dointvec 372 .proc_handler = &proc_dointvec
@@ -381,7 +382,7 @@ ctl_table ipv4_table[] = {
381 { 382 {
382 .ctl_name = NET_IPV4_IPFRAG_TIME, 383 .ctl_name = NET_IPV4_IPFRAG_TIME,
383 .procname = "ipfrag_time", 384 .procname = "ipfrag_time",
384 .data = &sysctl_ipfrag_time, 385 .data = &ip4_frags_ctl.timeout,
385 .maxlen = sizeof(int), 386 .maxlen = sizeof(int),
386 .mode = 0644, 387 .mode = 0644,
387 .proc_handler = &proc_dointvec_jiffies, 388 .proc_handler = &proc_dointvec_jiffies,
@@ -732,7 +733,7 @@ ctl_table ipv4_table[] = {
732 { 733 {
733 .ctl_name = NET_IPV4_IPFRAG_SECRET_INTERVAL, 734 .ctl_name = NET_IPV4_IPFRAG_SECRET_INTERVAL,
734 .procname = "ipfrag_secret_interval", 735 .procname = "ipfrag_secret_interval",
735 .data = &sysctl_ipfrag_secret_interval, 736 .data = &ip4_frags_ctl.secret_interval,
736 .maxlen = sizeof(int), 737 .maxlen = sizeof(int),
737 .mode = 0644, 738 .mode = 0644,
738 .proc_handler = &proc_dointvec_jiffies, 739 .proc_handler = &proc_dointvec_jiffies,