During BIND startup it scans for the available network interfaces. In this
process it ensures that, for every interface it will bind and listen to,
at least one socket will always be available to accept connections on
that interface, thereby avoiding some DoS attacks that could exhaust the
TCP quota on one interface and make the others unavailable.
In the previous network implementation this initial "reserved" TCP quota
used by BIND was already added to the tcp-highwater stats, but with
the new network code it was necessary to add this workaround to ensure
the tcp-highwater stats reflect the TCP quota used by BIND after startup.
#include <ns/log.h>
#include <ns/interfacemgr.h>
#include <ns/server.h>
+#include <ns/stats.h>
#ifdef HAVE_NET_ROUTE_H
#include <net/route.h>
static isc_result_t
ns_interface_listentcp(ns_interface_t *ifp) {
+ unsigned int tcpquota;
isc_result_t result;
result = isc_nm_listentcpdns(ifp->mgr->nm,
isc_result_totext(result));
}
+ /*
+ * We update tcp-highwater stats here, since named itself adds to
+ * the TCP quota when starting, as it ensures that at least one
+ * client will be created for every interface it is listening to.
+ */
+ tcpquota = isc_quota_getused(&ifp->mgr->sctx->tcpquota);
+ ns_stats_update_if_greater(ifp->mgr->sctx->nsstats,
+ ns_statscounter_tcphighwater,
+ tcpquota);
+
#if 0
#ifndef ISC_ALLOW_MAPPED
isc_socket_ipv6only(ifp->tcpsocket, true);
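Review bot: The local `tcpquota` declared at the top of the hunk stores what `isc_quota_getused()` returns, which by its name is presumably the quota's current used count rather than the configured limit, and the name invites a reader to confuse it with the tcp-clients limit; `unsigned int tcpquota_used;` would say what it holds. The stats update at the end of the hunk runs on every call to ns_interface_listentcp(), so on later interface rescans as well as at startup, and its correctness rests on the update-if-greater semantics of `ns_stats_update_if_greater()` keeping the high-water mark monotonic; that is worth stating in the new comment, e.g. appending `Repeating this on interface rescans is harmless because the counter only ever moves upward.` Whether the error branch closed by the `}` just before the new block returns before reaching it is not visible here; if it falls through, the high-water mark would be raised even for an interface whose listen failed, which should be confirmed against the lines the page omits. The function begins and ends outside the hunk.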