reassembly: prevent long chain attack limit max # of fragments to 3 per packet by default add API option to configure the limit at runtime Change-Id: Ie4b9507bf5c6095b9a5925972b37fe0032f4f9e8 Signed-off-by: Klement Sekera <ksekera@cisco.com>

commit: 3a343d42d7bd90753ea6ed48fe750a7a209b1ddf [log] [tgz]
author: Klement Sekera <ksekera@cisco.com> Thu May 16 14:35:46 2019 +0200
committer: Ole Trøan <otroan@employees.org> Mon May 20 12:13:11 2019 +0000
tree: ba831c36c69365d67a2d20d7a6d447b831a1b88e
parent: b388e1a50603a07e20007141221ca4f4a18ab698 [diff] [blame]
diff --git a/src/vnet/ip/ip6_error.h b/src/vnet/ip/ip6_error.h
index 6a20de4..3ca2be6 100644
--- a/src/vnet/ip/ip6_error.h
+++ b/src/vnet/ip/ip6_error.h

@@ -81,6 +81,8 @@
   _ (REASS_DUPLICATE_FRAGMENT, "duplicate fragments")                   \
   _ (REASS_OVERLAPPING_FRAGMENT, "overlapping fragments")               \
   _ (REASS_LIMIT_REACHED, "drops due to concurrent reassemblies limit") \
+  _ (REASS_FRAGMENT_CHAIN_TOO_LONG, "fragment chain too long (drop)")   \
+  _ (REASS_NO_BUF, "out of buffers (drop)")                             \
   _ (REASS_TIMEOUT, "fragments dropped due to reassembly timeout")      \
   _ (REASS_INTERNAL_ERROR, "drops due to internal reassembly error")
commit	3a343d42d7bd90753ea6ed48fe750a7a209b1ddf	[log] [tgz]
author	Klement Sekera <ksekera@cisco.com>	Thu May 16 14:35:46 2019 +0200
committer	Ole Trøan <otroan@employees.org>	Mon May 20 12:13:11 2019 +0000
tree	ba831c36c69365d67a2d20d7a6d447b831a1b88e
parent	b388e1a50603a07e20007141221ca4f4a18ab698 [diff] [blame]