* [PATCH 2/4] net-next: ip6: fetch inetpeer in ip6frag_init
From: Richard Gobert @ 2022-08-29 11:46 UTC
  To: davem, edumazet, kuba, pabeni, corbet, yoshfuji, dsahern,
	alex.aring, stefan, pablo, kadlec, fw, kafai, netdev, linux-doc,
	linux-kernel, linux-wpan, netfilter-devel, coreteam

Obtain the IPv6 peer in ip6frag_init, to allow for peer memory tracking
in the IPv6 fragment reassembly logic.

Signed-off-by: Richard Gobert <richardbgobert@gmail.com>
---
 include/net/ipv6_frag.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
index 5052c66e22d2..62760cd3bdd1 100644
--- a/include/net/ipv6_frag.h
+++ b/include/net/ipv6_frag.h
@@ -6,6 +6,7 @@
 #include <net/addrconf.h>
 #include <net/ipv6.h>
 #include <net/inet_frag.h>
+#include <net/inetpeer.h>
 
 enum ip6_defrag_Richard Goberts {
 	IP6_DEFRAG_LOCAL_DELIVER,
@@ -33,9 +34,11 @@ static inline void ip6frag_init(struct inet_frag_queue *q, const void *a)
 {
 	struct frag_queue *fq = container_of(q, struct frag_queue, q);
 	const struct frag_v6_compare_key *key = a;
+	const struct net *net = q->fqdir->net;
 
 	q->key.v6 = *key;
 	fq->ecn = 0;
+	q->peer = inet_getpeer_v6(net->ipv6.peers, &key->saddr, 1);
 }
 
 static inline u32 ip6frag_key_hashfn(const void *data, u32 len, u32 seed)
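Review bot: The inet_getpeer_v6(net->ipv6.peers, &key->saddr, 1) call at the end of ip6frag_init stores its result in q->peer without a NULL check, and nothing in this patch releases the reference it takes; a comment or the changelog should name where the matching put happens and state that readers of q->peer must tolerate NULL. The last argument is 1 (create) and the key is the packet's source address, so each new fragment queue from a previously unseen address adds a peer entry; the changelog should say what bounds that growth, since "to allow for peer memory tracking" does not.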
-- 
2.36.1



* Re: [PATCH 2/4] net-next: ip6: fetch inetpeer in ip6frag_init
From: Eric Dumazet @ 2022-08-29 22:20 UTC
  To: Richard Gobert
  Cc: David Miller, Jakub Kicinski, Paolo Abeni, Jonathan Corbet,
	Hideaki YOSHIFUJI, David Ahern, Alexander Aring, Stefan Schmidt,
	Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	Martin KaFai Lau, netdev, open list:DOCUMENTATION, LKML,
	linux-wpan, netfilter-devel, coreteam

On Mon, Aug 29, 2022 at 4:48 AM Richard Gobert <richardbgobert@gmail.com> wrote:
>
> Obtain the IPv6 peer in ip6frag_init, to allow for peer memory tracking
> in the IPv6 fragment reassembly logic.

Sorry, this is adding yet another bottleneck, and will make DDOS
attacks based on fragments more effective.

Whole concept of 'peers' based on IPv6 addresses is rather weak, as
hosts with IPv6 can easily get millions of different 'addresses'.

>
> Signed-off-by: Richard Gobert <richardbgobert@gmail.com>
> ---
>  include/net/ipv6_frag.h | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/include/net/ipv6_frag.h b/include/net/ipv6_frag.h
> index 5052c66e22d2..62760cd3bdd1 100644
> --- a/include/net/ipv6_frag.h
> +++ b/include/net/ipv6_frag.h
> @@ -6,6 +6,7 @@
>  #include <net/addrconf.h>
>  #include <net/ipv6.h>
>  #include <net/inet_frag.h>
> +#include <net/inetpeer.h>
>
>  enum ip6_defrag_Richard Goberts {
>         IP6_DEFRAG_LOCAL_DELIVER,
> @@ -33,9 +34,11 @@ static inline void ip6frag_init(struct inet_frag_queue *q, const void *a)
>  {
>         struct frag_queue *fq = container_of(q, struct frag_queue, q);
>         const struct frag_v6_compare_key *key = a;
> +       const struct net *net = q->fqdir->net;
>
>         q->key.v6 = *key;
>         fq->ecn = 0;
> +       q->peer = inet_getpeer_v6(net->ipv6.peers, &key->saddr, 1);
>  }
>
>  static inline u32 ip6frag_key_hashfn(const void *data, u32 len, u32 seed)
> --
> 2.36.1
>


* Re: [PATCH 2/4] net-next: ip6: fetch inetpeer in ip6frag_init
From: Richard Gobert @ 2022-09-01 14:48 UTC
  To: Eric Dumazet
  Cc: David Miller, Jakub Kicinski, Paolo Abeni, Jonathan Corbet,
	Hideaki YOSHIFUJI, David Ahern, Alexander Aring, Stefan Schmidt,
	Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	Martin KaFai Lau, netdev, open list:DOCUMENTATION, LKML,
	linux-wpan, netfilter-devel, coreteam

On Mon, Aug 29, 2022 at 03:20:54PM -0700, Eric Dumazet wrote:
> Sorry, this is adding yet another bottleneck, and will make DDOS
> attacks based on fragments more effective.
> 
> Whole concept of 'peers' based on IPv6 addresses is rather weak, as
> hosts with IPv6 can easily get millions of different 'addresses'.

I understand the problem with the implementation. Since peers don't 
carry much weight in IPv6, this patch can be dropped.
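
The objection raised in this thread, as an added illustration (not code from the patch, the kernel, or either participant): a toy user-space peer table that applies a per-peer cap on reassembly queues, keyed either on the full 128-bit source address or on the /64 prefix. PER_PEER_LIMIT, the table, and all function names are assumptions made for the example; the addresses are constructed from the 2001:db8::/32 documentation range.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PER_PEER_LIMIT 4     /* assumed cap on reassembly queues per peer */
#define TABLE_SIZE     4096  /* toy peer table, linear probing */
struct peer { uint8_t key[16]; unsigned queues; int used; };
static struct peer table[TABLE_SIZE];

/* Look up or create the peer keyed on the first keylen bytes of addr. */
static struct peer *get_peer(const uint8_t *addr, size_t keylen)
{
    uint32_t h = 2166136261u;            /* FNV-1a over the key bytes */
    for (size_t i = 0; i < keylen; i++)
        h = (h ^ addr[i]) * 16777619u;
    for (unsigned n = 0; n < TABLE_SIZE; n++) {
        struct peer *p = &table[(h + n) % TABLE_SIZE];
        if (p->used && memcmp(p->key, addr, keylen))
            continue;                    /* slot belongs to another peer */
        p->used = 1;
        memcpy(p->key, addr, keylen);
        return p;
    }
    return NULL;                         /* table full */
}

/* n new queues, one per distinct address in 2001:db8::/64 (constructed). */
unsigned admitted_queues(unsigned n, size_t keylen)
{
    uint8_t addr[16] = { 0x20, 0x01, 0x0d, 0xb8 };
    unsigned admitted = 0;
    memset(table, 0, sizeof(table));
    for (unsigned i = 0; i < n; i++) {
        addr[14] = (uint8_t)(i >> 8);
        addr[15] = (uint8_t)i;
        struct peer *p = get_peer(addr, keylen);
        if (p && p->queues < PER_PEER_LIMIT) {
            p->queues++;
            admitted++;
        }
    }
    return admitted;
}

int main(void)
{
    printf("/128 key: %u of 1000 admitted, /64 key: %u of 1000 admitted\n",
           admitted_queues(1000, 16), admitted_queues(1000, 8));
    return 0;
}
```

Keyed on the full address, every new address receives a fresh peer with its own allowance, so the cap never binds and the table gains one entry per address; keyed on the prefix, the same input reaches the cap after four queues.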

