pflow: limit to no more than 128 flow exporters
While there are no inherent limits to the number of exporters we're likely to scale rather badly to very large numbers. There's also no obvious use case for more than a handful. Limit to 128 exporters to prevent foot-shooting. Sponsored by: Rubicon Communications, LLC ("Netgate")
This commit is contained in:
parent
484e977f24
commit
63a5fe8343
|
@ -39,6 +39,8 @@
|
|||
#include <netinet/ip.h>
|
||||
#endif
|
||||
|
||||
#define PFLOW_MAX_ENTRIES 128
|
||||
|
||||
#define PFLOW_ID_LEN sizeof(u_int64_t)
|
||||
|
||||
#define PFLOW_MAXFLOWS 30
|
||||
|
|
|
@ -176,7 +176,7 @@ vnet_pflowattach(void)
|
|||
CK_LIST_INIT(&V_pflowif_list);
|
||||
mtx_init(&V_pflowif_list_mtx, "pflow interface list mtx", NULL, MTX_DEF);
|
||||
|
||||
V_pflow_unr = new_unrhdr(0, INT_MAX, &V_pflowif_list_mtx);
|
||||
V_pflow_unr = new_unrhdr(0, PFLOW_MAX_ENTRIES - 1, &V_pflowif_list_mtx);
|
||||
|
||||
for (int i = 0; i < pflow_ncounters; i++)
|
||||
V_pflowstats.c[i] = counter_u64_alloc(M_WAITOK);
|
||||
|
@ -1343,6 +1343,10 @@ pflow_nl_create(struct nlmsghdr *hdr, struct nl_pstate *npt)
|
|||
ghdr_new->reserved = 0;
|
||||
|
||||
unit = alloc_unr(V_pflow_unr);
|
||||
if (unit == -1) {
|
||||
nlmsg_abort(nw);
|
||||
return (ENOMEM);
|
||||
}
|
||||
|
||||
error = pflow_create(unit);
|
||||
if (error != 0) {
|
||||
|
|
|
@ -282,6 +282,37 @@ rule_cleanup()
|
|||
pft_cleanup
|
||||
}
|
||||
|
||||
atf_test_case "max_entries" "cleanup"
|
||||
max_entries_head()
|
||||
{
|
||||
atf_set descr 'Test that we can only create X pflow senders'
|
||||
atf_set require.user root
|
||||
}
|
||||
|
||||
max_entries_body()
|
||||
{
|
||||
pflow_init
|
||||
|
||||
vnet_mkjail alcatraz
|
||||
|
||||
for i in `seq 1 128`
|
||||
do
|
||||
atf_check -s exit:0 -o ignore \
|
||||
jexec alcatraz pflowctl -c
|
||||
done
|
||||
|
||||
# We cannot create the 129th pflow sender
|
||||
atf_check -s exit:1 -o ignore -e ignore \
|
||||
jexec alcatraz pflowctl -c
|
||||
|
||||
jexec alcatraz pflowctl -l
|
||||
}
|
||||
|
||||
max_entries_cleanup()
|
||||
{
|
||||
pft_cleanup
|
||||
}
|
||||
|
||||
atf_test_case "obs_dom" "cleanup"
|
||||
obs_dom_head()
|
||||
{
|
||||
|
@ -313,5 +344,6 @@ atf_init_test_cases()
|
|||
atf_add_test_case "v6"
|
||||
atf_add_test_case "nat"
|
||||
atf_add_test_case "rule"
|
||||
atf_add_test_case "max_entries"
|
||||
atf_add_test_case "obs_dom"
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue