tech-net: Re: Hashing IP reassembly queues, phase 2 of 2: fragmeDoS

Subject: Re: Hashing IP reassembly queues, phase 2 of 2: fragmeDoS
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Jason Thorpe <thorpej@wasabisystems.com>
List: tech-net
Date: 12/13/2003 15:01:15

--Apple-Mail-19-707478881
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed


On Dec 13, 2003, at 2:53 PM, Jonathan Stone wrote:

> Roger that on the initialization and sysctl. I dont grok Andrew's new
> sysctl machinery well enough to just drop in a sysctl hook, let alone
> a sysctl hook that would auto-recompute ip_maxfrags when nmbclusters
> is changed via sysctl. (Which has pros and cons of its own:
> least-suprise cuts both ways on that one).

Here's what I'd do...

Cache the value of nmbclusters used to compute ip_maxfrags 
(ip_maxfrags_nmbclusters, call it), and then do:

	if (__predict_false(ip_maxfrags_nmbclusters != nmbclusters)) {
		ip_maxfrags_nmbclusters = nmbclusters;
		ip_maxfrags = ip_maxfrags_nmbclusters / 4;
	}

...no sysctl magic needed.

         -- Jason R. Thorpe <thorpej@wasabisystems.com>


--Apple-Mail-19-707478881
content-type: application/pgp-signature; x-mac-type=70674453;
	name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/25o8OpVKkaBm8XkRAk2dAKCjrzqlDeORrUWzAc9GOxi1pYK4sACfQjvc
HY91TDCVBWJQ87DaNEITj1w=
=Pui4
-----END PGP SIGNATURE-----

--Apple-Mail-19-707478881--