From 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf Mon Sep 17 00:00:00 2001
From: Klement Sekera
Date: Thu, 16 May 2019 14:35:46 +0200
Subject: reassembly: prevent long chain attack limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime
Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8
Signed-off-by: Klement Sekera
---
 src/vnet/ip/ip_api.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'src/vnet/ip/ip_api.c')
diff --git a/src/vnet/ip/ip_api.c b/src/vnet/ip/ip_api.c
index ce3456d77d9..5a6053d1f42 100644
--- a/src/vnet/ip/ip_api.c
+++ b/src/vnet/ip/ip_api.c
@@ -3328,12 +3328,14 @@ vl_api_ip_reassembly_set_t_handler (vl_api_ip_reassembly_set_t * mp)
 {
 rv = ip6_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
 clib_net_to_host_u32 (mp->max_reassemblies),
+ clib_net_to_host_u32 (mp->max_reassembly_length),
 clib_net_to_host_u32 (mp->expire_walk_interval_ms));
 }
 else
 {
 rv = ip4_reass_set (clib_net_to_host_u32 (mp->timeout_ms),
 clib_net_to_host_u32 (mp->max_reassemblies),
+ clib_net_to_host_u32 (mp->max_reassembly_length),
 clib_net_to_host_u32 (mp->expire_walk_interval_ms));
 }
@@ -3364,6 +3366,7 @@ vl_api_ip_reassembly_get_t_handler (vl_api_ip_reassembly_get_t * mp)
 {
 rmp->is_ip6 = 0;
 ip4_reass_get (&rmp->timeout_ms, &rmp->max_reassemblies,
+ &rmp->max_reassembly_length,
 &rmp->expire_walk_interval_ms);
 }
 rmp->timeout_ms = clib_host_to_net_u32 (rmp->timeout_ms);
-- cgit 1.2.3-korg
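Review bot: The new `max_reassembly_length` value goes from the API message to `ip6_reass_set` and `ip4_reass_set` with no range check in this handler, on both added lines. This value is the cap that bounds fragment-chain length, so a request carrying 0 or a very large number could either stall reassembly or effectively switch the protection off, unless the callee rejects it, which is not visible here. Consider rejecting out-of-range values before the two calls, for example by setting `rv = VNET_API_ERROR_INVALID_VALUE;` when the converted value is 0, and adding a comment such as `/* max_reassembly_length: upper bound on fragments per reassembly, must be > 0 */`. The handler's body starts and ends outside the hunk.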
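Review bot: `rmp->max_reassembly_length` is filled in by `ip4_reass_get` but nothing in this change converts it to network byte order for the reply; the last context line swaps `timeout_ms` with `clib_host_to_net_u32`, and the diffstat's three insertions are all accounted for without a matching line for the new field. Add `rmp->max_reassembly_length = clib_host_to_net_u32 (rmp->max_reassembly_length);` next to the other conversions. The IPv6 branch sits above the hunk and appears untouched, so for `is_ip6` requests the reply field is presumably left unset; either pass `&rmp->max_reassembly_length` to `ip6_reass_get` as well or zero the field explicitly. The handler starts and ends outside the hunk.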