authorcamield <camield@openbsd.org>2012-09-20 09:43:49 +0000
committercamield <camield@openbsd.org>2012-09-20 09:43:49 +0000
commit5ed988c1ddb0274e1874b51f2250696d39724985 (patch)
treea6fe3e71ef59f44e52bbfa2ee86ad0d7810cbc46 /sys/net/pf_ioctl.c
parentenvelope type is necessarily D_MDA here. (diff)
Lower pf frags limit to not risk running out of mbuf clusters
when dealing with lots of IP fragments. This sets the default to 25% of the mbuf cluster maximum (hint from beck). And the example in the manpage is sane now. ok mikeb henning beck deraadt
Diffstat (limited to 'sys/net/pf_ioctl.c')
-rw-r--r--sys/net/pf_ioctl.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 4b71d1a7d6c..f0db9cea7c1 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.254 2012/09/18 10:11:53 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.255 2012/09/20 09:43:49 camield Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1595,6 +1595,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EBUSY;
goto fail;
}
+ /* Fragments reference mbuf clusters. */
+ if (pl->index == PF_LIMIT_FRAGS && pl->limit > nmbclust) {
+ error = EINVAL;
+ goto fail;
+ }
+
pf_pool_limits[pl->index].limit_new = pl->limit;
pl->limit = pf_pool_limits[pl->index].limit;
break;
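Review bot: The added guard rejects only `pl->limit > nmbclust`, so a frags limit equal to the entire cluster maximum is still accepted, although the commit message describes the safe default as 25% of that maximum. If the intent is to keep reassembly from starving other mbuf users under a fragment flood, the comment should state that this is a hard upper bound and not the recommended value, e.g. `/* Fragments reference mbuf clusters; nmbclust is the hard cap, the default is lower. */`. The comparison is also evaluated only when the limit is set, so, as far as this hunk shows, a cluster maximum lowered afterwards would leave an already accepted frags limit above it. The declared types of `pl->limit` and `nmbclust` are not visible here; if one is signed and the other unsigned, it is worth confirming that the comparison converts as intended. The enclosing case of pfioctl starts and ends outside the hunk.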