nfsserver: Rate-limit messages about requests from unprivileged ports

If access from unreserved ports is disabled, then a remote host can cause an NFS server to log a message by sending a packet. This is useful for diagnosing problems but bad for resiliency in the case where the server is being spammed with a large number of rejected requests. Limit prints to once per second (racily). Reviewed by: rmacklem, emaste MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D44819 (cherry picked from commit b7e4666d7b69c22699a9299687018a892a5dad5b)
2026-05-28 04:12:45 -04:00 · 2024-04-17 10:36:58 -04:00 · 2024-04-17 10:36:58 -04:00 · 32004d854a
commit 32004d854a
parent eff68b69df
1 changed files with 14 additions and 4 deletions
--- a/sys/fs/nfsserver/nfs_nfsdkrpc.c
+++ b/sys/fs/nfsserver/nfs_nfsdkrpc.c
@ -191,6 +191,12 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
 		port = ntohs(sin->sin_port);
 		if (port >= IPPORT_RESERVED &&
 		    nd.nd_procnum != NFSPROC_NULL) {
+			static struct timeval privport_ratecheck = {
+				.tv_sec = 0, .tv_usec = 0
+			};
+			static const struct timeval privport_ratecheck_int = {
+				.tv_sec = 1, .tv_usec = 0
+			};
 #ifdef INET6
 			char buf[INET6_ADDRSTRLEN];
 #else
@ -208,15 +214,19 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
 			    (buf))
 #endif
 #endif
-			printf("NFS request from unprivileged port (%s:%d)\n",
+			if (ratecheck(&privport_ratecheck,
+			    &privport_ratecheck_int)) {
+				printf(
+			    "NFS request from unprivileged port (%s:%d)\n",
 #ifdef INET6
-			    sin->sin_family == AF_INET6 ?
-			    ip6_sprintf(buf, &satosin6(sin)->sin6_addr) :
+				    sin->sin_family == AF_INET6 ?
+				    ip6_sprintf(buf, &satosin6(sin)->sin6_addr) :
 #if defined(KLD_MODULE)
 #undef ip6_sprintf
 #endif
 #endif
-			    inet_ntoa_r(sin->sin_addr, buf), port);
+				    inet_ntoa_r(sin->sin_addr, buf), port);
+			}
 			svcerr_weakauth(rqst);
 			svc_freereq(rqst);
 			m_freem(nd.nd_mrep);