From: Diego Fronza Date: Fri, 22 Nov 2019 21:34:50 +0000 (-0300) Subject: Fix tcp-highwater initial value X-Git-Tag: v9.15.7~1^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ead7b3dc539f5edc867a4123a1a189364fcfe0df;p=thirdparty%2Fbind9.git Fix tcp-highwater initial value During BIND startup it scans for network interfaces available, in this process it ensures that for every interface it will bind and listen to, at least one socket will be always available accepting connections on that interface, this way avoiding some DOS attacks that could exploit tcp quota on some interface and make others unavailable. In the previous network implementation this initial "reserved" tcp-quota used by BIND was already been added to the tcp-highwater stats, but with the new network code it was necesary to add this workaround to ensure tcp-highwater stats reflect the tcp-quota used by BIND after startup.
---
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index 3bbeee2a50b..1e9011bf11d 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -28,6 +28,7 @@ #include #include #include +#include #ifdef HAVE_NET_ROUTE_H #include
@@ -458,6 +459,7 @@ ns_interface_listenudp(ns_interface_t *ifp) {
 static isc_result_t
 ns_interface_listentcp(ns_interface_t *ifp) {
+ unsigned int tcpquota;
 isc_result_t result;
 result = isc_nm_listentcpdns(ifp->mgr->nm,
@@ -473,6 +475,16 @@ ns_interface_listentcp(ns_interface_t *ifp) {
 isc_result_totext(result));
 }
+ /*
+ * We update tcp-highwater stats here, since named itself adds to
+ * the TCP quota when starting, as it ensures that at least one
+ * client will be created for every interface it is listening to.
+ */
+ tcpquota = isc_quota_getused(&ifp->mgr->sctx->tcpquota);
+ ns_stats_update_if_greater(ifp->mgr->sctx->nsstats,
+ ns_statscounter_tcphighwater,
+ tcpquota);
+
 #if 0
 #ifndef ISC_ALLOW_MAPPED
 isc_socket_ipv6only(ifp->tcpsocket, true);
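Review bot: The new in-code comment in the third hunk of ns_interface_listentcp does not record why named holds that quota reservation at all, while the commit message does (one always-accepting socket per listening interface so that exhausting the TCP quota on one interface cannot starve the others); the comment is what a later maintainer will read when deciding whether this update can be dropped, so the rationale belongs there, e.g. `* The reservation keeps one accepting client per interface so that quota exhaustion on one interface cannot starve the others; it is taken outside the normal client path, so record it in tcp-highwater here.`. The local declared in the second hunk as `unsigned int tcpquota;` holds a used-count read from `isc_quota_getused()`, not the quota itself, and sharing the name of the `sctx->tcpquota` field it is read from invites confusion; `unsigned int tcpquota_used;` at the declaration and in the `ns_stats_update_if_greater()` call would read better. The update also runs whether or not `isc_nm_listentcpdns()` succeeded (the hunk starts just after the failure-logging block), which looks harmless because it only raises a high-water mark from the shared used count, but a short clause in the comment saying that this is intended would remove the doubt. The remainder of ns_interface_listentcp lies outside the hunk.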