[Bug 192888] ipfw NAT vulnerable to simple DOS attacks
bugzilla-noreply at freebsd.org
Tue May 4 16:24:29 UTC 2021
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192888
Lutz Donnerhacke <donner at FreeBSD.org> changed:
What    | Removed | Added
--------|---------|------------
Status  | Open    | In Progress
--- Comment #4 from Lutz Donnerhacke <donner at FreeBSD.org> ---
I went through the source code and can drill the problem down to a full scan
of an unsorted linked list in a given hash bucket. This eats CPU cycles for
breakfast.
A workaround is to increase the hash table size in
sys/netinet/libalias/alias_local.h:
#define LINK_TABLE_OUT_SIZE 4001
A short term solution is to make the hard coded parameters tunable.
But the real solution is to find a data structure which allows sub-linear
access methods to the flow data. Possibly using a non-blocking algorithm for
access and modification.
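As an added illustration of the root cause described in this comment (this is example code written for this page, not code from libalias or from the commenter): a small simulation of chained hash buckets that reports how many list nodes a successful lookup scans on average, and the longest chain, for a bucket count of 4001 versus a much larger table. The 4-tuple flow key, the FNV-1a hash and the pseudo-random flow generator are assumptions of this example; libalias's own hash function and list layout are not reproduced. It shows why a linear scan of an unsorted chain makes lookup cost grow with the number of flows per bucket, and why enlarging the table only dilutes the problem rather than removing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 4-tuple flow key for this example (not libalias's struct). */
struct flow {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
};

/* FNV-1a over the serialized key fields. The hash function is an assumption
 * of this example, not the one libalias uses. Fields are copied into a byte
 * buffer so struct padding never influences the result. */
static uint32_t flow_hash(const struct flow *f)
{
    unsigned char buf[12];
    memcpy(buf, &f->src_ip, 4);
    memcpy(buf + 4, &f->dst_ip, 4);
    memcpy(buf + 8, &f->src_port, 2);
    memcpy(buf + 10, &f->dst_port, 2);

    uint32_t h = 2166136261u;
    for (size_t i = 0; i < sizeof buf; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* Distribute n_flows synthetic flows over table_size chained buckets and
 * return the average number of list nodes a successful lookup must scan.
 * Finding an entry in an unsorted chain of length L costs 1..L node visits,
 * so all entries of that chain together cost L*(L+1)/2. The longest chain
 * (the worst case a single lookup can hit) is reported through *max_len. */
double avg_scan_cost(size_t table_size, size_t n_flows, size_t *max_len)
{
    size_t *len = calloc(table_size, sizeof *len);
    if (len == NULL)
        return -1.0;

    uint32_t seed = 12345u; /* deterministic LCG: reproducible synthetic flows */
    for (size_t i = 0; i < n_flows; i++) {
        struct flow f;
        seed = seed * 1103515245u + 12345u; f.src_ip = seed;
        seed = seed * 1103515245u + 12345u; f.dst_ip = seed;
        seed = seed * 1103515245u + 12345u; f.src_port = (uint16_t)(seed >> 16);
        seed = seed * 1103515245u + 12345u; f.dst_port = (uint16_t)(seed >> 16);
        len[flow_hash(&f) % table_size]++;
    }

    double total = 0.0;
    size_t longest = 0;
    for (size_t b = 0; b < table_size; b++) {
        total += (double)len[b] * ((double)len[b] + 1.0) / 2.0;
        if (len[b] > longest)
            longest = len[b];
    }
    free(len);

    if (max_len != NULL)
        *max_len = longest;
    return n_flows ? total / (double)n_flows : 0.0;
}

int main(void)
{
    const size_t flows = 100000;          /* constructed load: 100k NAT flows */
    const size_t sizes[] = { 4001, 1000003 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t longest = 0;
        double cost = avg_scan_cost(sizes[i], flows, &longest);
        printf("buckets=%zu flows=%zu avg nodes scanned=%.2f longest chain=%zu\n",
               sizes[i], flows, cost, longest);
    }
    return 0;
}
```

With 100000 flows the 4001-bucket table averages about 25 entries per chain, so a lookup walks roughly a dozen nodes on average and far more in the fullest buckets; the larger table brings that close to one. The average still scales linearly with flows per bucket, which is the point of the comment: a bigger table is a workaround, and a structure with sub-linear access is the fix.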