git: b7e4666d7b69 - main - nfsserver: Rate-limit messages about requests from unprivileged ports
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 17 Apr 2024 14:43:06 UTC
The branch main has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=b7e4666d7b69c22699a9299687018a892a5dad5b commit b7e4666d7b69c22699a9299687018a892a5dad5b Author: Mark Johnston <markj@FreeBSD.org> AuthorDate: 2024-04-17 14:36:58 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2024-04-17 14:36:58 +0000 nfsserver: Rate-limit messages about requests from unprivileged ports If access from unreserved ports is disabled, then a remote host can cause an NFS server to log a message by sending a packet. This is useful for diagnosing problems but bad for resiliency in the case where the server is being spammed with a large number of rejected requests. Limit prints to once per second (racily). Reviewed by: rmacklem, emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D44819 --- sys/fs/nfsserver/nfs_nfsdkrpc.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/sys/fs/nfsserver/nfs_nfsdkrpc.c b/sys/fs/nfsserver/nfs_nfsdkrpc.c index 25f9c05d6f0b..022f7403d28b 100644 --- a/sys/fs/nfsserver/nfs_nfsdkrpc.c +++ b/sys/fs/nfsserver/nfs_nfsdkrpc.c @@ -191,6 +191,12 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) port = ntohs(sin->sin_port); if (port >= IPPORT_RESERVED && nd.nd_procnum != NFSPROC_NULL) { + static struct timeval privport_ratecheck = { + .tv_sec = 0, .tv_usec = 0 + }; + static const struct timeval privport_ratecheck_int = { + .tv_sec = 1, .tv_usec = 0 + }; #ifdef INET6 char buf[INET6_ADDRSTRLEN]; #else @@ -208,15 +214,19 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt) (buf)) #endif #endif - printf("NFS request from unprivileged port (%s:%d)\n", + if (ratecheck(&privport_ratecheck, + &privport_ratecheck_int)) { + printf( + "NFS request from unprivileged port (%s:%d)\n", #ifdef INET6 - sin->sin_family == AF_INET6 ? - ip6_sprintf(buf, &satosin6(sin)->sin6_addr) : + sin->sin_family == AF_INET6 ? + ip6_sprintf(buf, &satosin6(sin)->sin6_addr) : #if defined(KLD_MODULE) #undef ip6_sprintf #endif #endif - inet_ntoa_r(sin->sin_addr, buf), port); + inet_ntoa_r(sin->sin_addr, buf), port); + } svcerr_weakauth(rqst); svc_freereq(rqst); m_freem(nd.nd_mrep);