git: b7e4666d7b69 - main - nfsserver: Rate-limit messages about requests from unprivileged ports

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Wed, 17 Apr 2024 14:43:06 UTC
The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=b7e4666d7b69c22699a9299687018a892a5dad5b

commit b7e4666d7b69c22699a9299687018a892a5dad5b
Author:     Mark Johnston <markj@FreeBSD.org>
AuthorDate: 2024-04-17 14:36:58 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2024-04-17 14:36:58 +0000

    nfsserver: Rate-limit messages about requests from unprivileged ports
    
    If access from unreserved ports is disabled, then a remote host can
    cause an NFS server to log a message by sending a packet.  This is
    useful for diagnosing problems but bad for resiliency in the case where
    the server is being spammed with a large number of rejected requests.
    
    Limit prints to once per second (racily).
    
    Reviewed by:    rmacklem, emaste
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D44819
---
 sys/fs/nfsserver/nfs_nfsdkrpc.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/sys/fs/nfsserver/nfs_nfsdkrpc.c b/sys/fs/nfsserver/nfs_nfsdkrpc.c
index 25f9c05d6f0b..022f7403d28b 100644
--- a/sys/fs/nfsserver/nfs_nfsdkrpc.c
+++ b/sys/fs/nfsserver/nfs_nfsdkrpc.c
@@ -191,6 +191,12 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
 		port = ntohs(sin->sin_port);
 		if (port >= IPPORT_RESERVED &&
 		    nd.nd_procnum != NFSPROC_NULL) {
+			static struct timeval privport_ratecheck = {
+				.tv_sec = 0, .tv_usec = 0
+			};
+			static const struct timeval privport_ratecheck_int = {
+				.tv_sec = 1, .tv_usec = 0
+			};
 #ifdef INET6
 			char buf[INET6_ADDRSTRLEN];
 #else
@@ -208,15 +214,19 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
 			    (buf))
 #endif
 #endif
-			printf("NFS request from unprivileged port (%s:%d)\n",
+			if (ratecheck(&privport_ratecheck,
+			    &privport_ratecheck_int)) {
+				printf(
+			    "NFS request from unprivileged port (%s:%d)\n",
 #ifdef INET6
-			    sin->sin_family == AF_INET6 ?
-			    ip6_sprintf(buf, &satosin6(sin)->sin6_addr) :
+				    sin->sin_family == AF_INET6 ?
+				    ip6_sprintf(buf, &satosin6(sin)->sin6_addr) :
 #if defined(KLD_MODULE)
 #undef ip6_sprintf
 #endif
 #endif
-			    inet_ntoa_r(sin->sin_addr, buf), port);
+				    inet_ntoa_r(sin->sin_addr, buf), port);
+			}
 			svcerr_weakauth(rqst);
 			svc_freereq(rqst);
 			m_freem(nd.nd_mrep);