From ead7b3dc539f5edc867a4123a1a189364fcfe0df Mon Sep 17 00:00:00 2001
From: Diego Fronza
Date: Fri, 22 Nov 2019 18:34:50 -0300
Subject: [PATCH] Fix tcp-highwater initial value

During BIND startup it scans for network interfaces available, in this process it ensures that for every interface it will bind and listen to, at least one socket will be always available accepting connections on that interface, this way avoiding some DOS attacks that could exploit tcp quota on some interface and make others unavailable. In the previous network implementation this initial "reserved" tcp-quota used by BIND was already been added to the tcp-highwater stats, but with the new network code it was necesary to add this workaround to ensure tcp-highwater stats reflect the tcp-quota used by BIND after startup.
---
 lib/ns/interfacemgr.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index 3bbeee2a50..1e9011bf11 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 
 #ifdef HAVE_NET_ROUTE_H
 #include
@@ -458,6 +459,7 @@ ns_interface_listenudp(ns_interface_t *ifp) {
 
 static isc_result_t
 ns_interface_listentcp(ns_interface_t *ifp) {
+	unsigned int tcpquota;
 	isc_result_t result;
 
 	result = isc_nm_listentcpdns(ifp->mgr->nm,
@@ -473,6 +475,16 @@ ns_interface_listentcp(ns_interface_t *ifp) {
 					 isc_result_totext(result));
 	}
 
+	/*
+	 * We update tcp-highwater stats here, since named itself adds to
+	 * the TCP quota when starting, as it ensures that at least one
+	 * client will be created for every interface it is listening to.
+	 */
+	tcpquota = isc_quota_getused(&ifp->mgr->sctx->tcpquota);
+	ns_stats_update_if_greater(ifp->mgr->sctx->nsstats,
+				   ns_statscounter_tcphighwater,
+				   tcpquota);
+
 #if 0
 #ifndef ISC_ALLOW_MAPPED
 	isc_socket_ipv6only(ifp->tcpsocket, true);
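Review bot: The local `tcpquota` in the third hunk holds a usage count, not the quota itself, and it is read from the `&ifp->mgr->sctx->tcpquota` field on the same line, so the two are easy to confuse when reading the high-water logic; `unsigned int tcpquota_used;` (declared in the second hunk) and `tcpquota_used = isc_quota_getused(&ifp->mgr->sctx->tcpquota);` would read unambiguously. The update is also placed after the `isc_nm_listentcpdns` error branch, so it appears to run even when the listen call failed; because the quota is server-wide and `ns_stats_update_if_greater` only ever raises the counter this looks harmless, but the comment should say so, e.g. `/* The quota is shared by all interfaces, so this is a snapshot of server-wide usage; update_if_greater keeps the high-water mark monotonic. */`. The value is a point-in-time read, so the recorded high-water mark only reflects connections accepted before this line runs, which matters since operators use this counter to spot TCP-quota pressure. The rest of the function, including its return, lies outside the hunk, and the header added in the first hunk has lost its name in this rendering and cannot be checked.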