author | 2012-09-20 09:43:49 +0000 | |
---|---|---|
committer | 2012-09-20 09:43:49 +0000 | |
commit | 5ed988c1ddb0274e1874b51f2250696d39724985 (patch) | |
tree | a6fe3e71ef59f44e52bbfa2ee86ad0d7810cbc46 | |
parent | envelope type is necessarily D_MDA here. (diff) | |
Lower pf frags limit to not risk running out of mbuf clusters
when dealing with lots of IP fragments.
This sets the default to 25% of the mbuf cluster maximum (hint
from beck). And the example in the manpage is sane now.
ok mikeb henning beck deraadt
-rw-r--r-- | share/man/man5/pf.conf.5 | 15 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 8 | ||||
-rw-r--r-- | sys/net/pfvar.h | 9 |
3 files changed, 21 insertions, 11 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 7aec79bbc76..96889f60152 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.520 2012/07/10 17:22:52 jmc Exp $
+.\" $OpenBSD: pf.conf.5,v 1.521 2012/09/20 09:43:49 camield Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 10 2012 $
+.Dd $Mdocdate: September 20 2012 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -1177,9 +1177,14 @@ to 20000:
 .Dl set limit states 20000
 .Pp
 To set the maximum number of entries in the memory pool used for fragment
-reassembly to 20000:
+reassembly to 2000:
 .Pp
-.Dl set limit frags 20000
+.Dl set limit frags 2000
+.Pp
+This maximum may not exceed, and should be well below, the maximum number
+of mbuf clusters
+.Pq sysctl kern.maxclusters
+in the system.
 .Pp
 To set the maximum number of entries in the memory pool used for tracking
 source IP addresses (generated by the
@@ -1202,7 +1207,7 @@ in tables to 100000.
 .Pp
 Various limits can be combined on a single line:
 .Bd -literal -offset indent
-set limit { states 20000, frags 20000, src-nodes 2000 }
+set limit { states 20000, frags 2000, src-nodes 2000 }
 .Ed
 .It Ar set loginterface
 Enable collection of packet and byte count statistics for the given
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 4b71d1a7d6c..f0db9cea7c1 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.254 2012/09/18 10:11:53 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.255 2012/09/20 09:43:49 camield Exp $ */

 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1595,6 +1595,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 error = EBUSY;
 goto fail;
 }
+ /* Fragments reference mbuf clusters. */
+ if (pl->index == PF_LIMIT_FRAGS && pl->limit > nmbclust) {
+ error = EINVAL;
+ goto fail;
+ }
+
 pf_pool_limits[pl->index].limit_new = pl->limit;
 pl->limit = pf_pool_limits[pl->index].limit;
 break;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 9f6f186edd7..b9a974c5da8 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.368 2012/09/18 10:11:53 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.369 2012/09/20 09:43:49 camield Exp $ */

 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1482,10 +1482,9 @@ struct pf_divert {
 u_int16_t rdomain;
 };

-#define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */
-#define PFFRAG_FRAG_HIWAT 1000 /* Number of fragmented packets */
-#define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */
-#define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */
+/* Fragment entries reference mbuf clusters, so base the default on that. */
+#define PFFRAG_FRENT_HIWAT (NMBCLUSTERS / 4) /* Number of entries */
+#define PFFRAG_FRAG_HIWAT (NMBCLUSTERS / 8) /* Number of packets */

 #define PFR_KTABLE_HIWAT 1000 /* Number of tables */
 #define PFR_KENTRY_HIWAT 200000 /* Number of table entries */
|
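Review bot: The new guard rejects only `pl->limit > nmbclust`, so a frags limit equal to the entire cluster pool is still accepted, even though the pf.conf.5 hunk in this same commit tells the administrator the value "should be well below" kern.maxclusters; at that setting fragment reassembly alone can pin every cluster and starve the rest of the stack, which is exactly the exhaustion the commit sets out to avoid. Consider a tighter bound such as `if (pl->index == PF_LIMIT_FRAGS && pl->limit > nmbclust / 2)` (matching whatever headroom the new defaults in pfvar.h assume), or at minimum make the comment state that this is a plausibility check rather than a safety margin, e.g. `/* Fragments reference mbuf clusters; refuse a limit that could exhaust the pool. */`. The check also runs only on this ioctl path, so a previously accepted limit is not revalidated if kern.maxclusters is later lowered — worth a note if that sysctl can be reduced at runtime. pfioctl's body begins and ends outside the hunk.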
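Review bot: The new defaults are derived from the compile-time `NMBCLUSTERS`, while the bound enforced in pf_ioctl.c in this same commit is the runtime `nmbclust` (sysctl kern.maxclusters); the two agree at boot but can diverge once the sysctl is changed, so the header comment should say which one the default tracks, e.g. `/* Fragment entries reference mbuf clusters; defaults are a fraction of the compile-time NMBCLUSTERS (pfioctl bounds runtime changes against kern.maxclusters). */`. The shortened trailing comments also lost information — `/* Number of fragment entries */` and `/* Number of fragmented packets */` were clearer than `/* Number of entries */` and `/* Number of packets */`. As far as I recall pfvar.h is also pulled in by userland tools, so expanding these macros now depends on `NMBCLUSTERS` being defined wherever they are used (presumably via <sys/param.h>) — worth confirming. Dropping `PFFRAG_FRCENT_HIWAT` and `PFFRAG_FRCACHE_HIWAT` assumes pf_norm.c no longer references them, which this diff does not show.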