In commit c0482d5a8a this check was added with a hard-coded limit. Now the limit is configurable, and one can e.g. disable the check entirely (value 0) by
> require('ffi').C.the_network.min_udp_source_port = 0
(typically used inside YAML config at /lua/script or /lua/script-file)
}
}
- // We're aware of no use cases for low source ports,
- // and they might be useful for attacks with spoofed source IPs.
- if (!s->outgoing && kr_inaddr_port(comm_addr) < 1024) {
+ if (!s->outgoing && kr_inaddr_port(comm_addr) < the_network->min_udp_source_port) {
kr_log_debug(IO, "<= ignoring UDP from suspicious port: '%s'\n",
kr_straddr(comm_addr));
return;
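Review bot: The `kr_log_debug` message on the line after the new comparison still reports the port only as "suspicious", so an operator tracing dropped queries gets no hint that the threshold is now a tunable; naming the knob in the message, e.g. `kr_log_debug(IO, "<= ignoring UDP from source port below min_udp_source_port: '%s'\n", kr_straddr(comm_addr));`, points them straight at `the_network.min_udp_source_port`. Note that with the field set to 0 the comparison can never be true, so the check is disabled for every port including source port 0, which the old `< 1024` also rejected — presumably intended, but worth stating wherever the option is documented. The enclosing function begins before this hunk and the `return` is its early exit, so the rest of the receive path is not visible here.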
int rcv;
} listen_tcp_buflens;
_Bool enable_connect_udp;
+ uint16_t min_udp_source_port;
};
struct args *the_args;
struct endpoint {
the_network->tcp.user_timeout = 1000; // 1s should be more than enough
the_network->tcp_backlog = tcp_backlog;
the_network->enable_connect_udp = true;
+ the_network->min_udp_source_port = 1024;
// On Linux, unset means some auto-tuning mechanism also depending on RAM,
// which might be OK default (together with the user_timeout above)
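Review bot: The `1024` assigned to `min_udp_source_port` is a bare magic number that silently carries over the previously hard-coded limit, while the neighbouring defaults each explain themselves in a trailing comment; a one-liner such as `the_network->min_udp_source_port = 1024; // drop UDP queries from lower source ports; 0 disables the check` keeps the meaning next to the value. No range validation is needed here since the field is a `uint16_t`, but an operator raising it well above 1024 would start dropping queries from clients that pick low ephemeral ports, which is worth a mention in the user-facing documentation.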
* a slight improvement in syscall processing efficiency.
* Note: This does not necessarily lead to overall performance gains. */
bool enable_connect_udp;
+
+ /** Low source port (e.g. 53) might be useful for attacks with spoofed source IPs. */
+ uint16_t min_udp_source_port;
};
/** Pointer to the singleton network state. NULL if not initialized. */
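Review bot: The doc comment on the new `min_udp_source_port` field explains the threat but not the contract, which is what someone setting it through the FFI needs; I would expand it to `/** Ignore incoming UDP queries whose source port is below this value; 0 disables the check. Low source ports (e.g. 53) might be useful for attacks with spoofed source IPs. Default: 1024. */`. The default and the "0 disables" semantics are only inferable from other hunks of this commit (the `< the_network->min_udp_source_port` comparison and the `= 1024` initializer), so the header is the right place to pin them down.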