reassembly: prevent long chain attack

limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8 Signed-off-by: Klement Sekera <ksekera@cisco.com>
author: Klement Sekera <ksekera@cisco.com> 2019-05-16 14:35:46 +0200
committer: Ole Trøan <otroan@employees.org> 2019-05-20 12:13:11 +0000
commit: 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf (patch)
tree: ba831c36c69365d67a2d20d7a6d447b831a1b88e /src/vnet/ip/ip6_error.h
parent: b388e1a50603a07e20007141221ca4f4a18ab698 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h
index 6a20de4f18e..3ca2be61a55 100644
--- a/src/vnet/ip/ip6_error.h
+++ b/src/vnet/ip/ip6_error.h
@@ -81,6 +81,8 @@
   _ (REASS_DUPLICATE_FRAGMENT, "duplicate fragments")                   \
   _ (REASS_OVERLAPPING_FRAGMENT, "overlapping fragments")               \
   _ (REASS_LIMIT_REACHED, "drops due to concurrent reassemblies limit") \
+  _ (REASS_FRAGMENT_CHAIN_TOO_LONG, "fragment chain too long (drop)")   \
+  _ (REASS_NO_BUF, "out of buffers (drop)")                             \
   _ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout")      \
   _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error")
author	Klement Sekera <ksekera@cisco.com>	2019-05-16 14:35:46 +0200
committer	Ole Trøan <otroan@employees.org>	2019-05-20 12:13:11 +0000
commit	3a343d42d7bd90753ea6ed48fe750a7a209b1ddf (patch)
tree	ba831c36c69365d67a2d20d7a6d447b831a1b88e /src/vnet/ip/ip6_error.h
parent	b388e1a50603a07e20007141221ca4f4a18ab698 (diff)