CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit

author	jtl <jtl@FreeBSD.org>
	Tue, 14 Aug 2018 17:59:42 +0000 (17:59 +0000)
committer	jtl <jtl@FreeBSD.org>
	Tue, 14 Aug 2018 17:59:42 +0000 (17:59 +0000)
commit	54c1ac1408df4b7b0186933e804da8a5a622c24f
tree	53b5d5cb2ff2707fa4ad26cc9d85dce3bf857c24	tree \| snapshot
parent	b3822a674366465673f831e3ff2b544e7292f924	commit \| diff

MFC r337781:
Make the IPv6 fragment limits be global, rather than per-VNET, limits.

The IPv6 reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
on enough VNETs), it is possible that the sum of all the VNET fragment
limits will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limits are intended (at least in part) to
regulate access to a global resource, the IPv6 fragment limit should
be applied on a global basis.

Note that it is still possible to disable fragmentation for a particular
VNET by setting the net.inet6.ip6.maxfragpackets sysctl to 0 for that
VNET. In addition, it is now possible to disable fragmentation globally
by setting the net.inet6.ip6.maxfrags sysctl to 0.

Approved by: so
Security: FreeBSD-SA-18:10.ip
Security: CVE-2018-6923

sys/netinet6/frag6.c		diff \| blob \| history
sys/netinet6/in6_proto.c		diff \| blob \| history
sys/netinet6/ip6_var.h		diff \| blob \| history