git: 32004d854a2d - stable/14 - nfsserver: Rate-limit messages about requests from unprivileged ports

Thu, 25 Apr 2024 06:21:10 -0700 

The branch stable/14 has been updated by markj:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=32004d854a2d4b2d03e40ba57cd0f4bf1ea6a6b4

commit 32004d854a2d4b2d03e40ba57cd0f4bf1ea6a6b4
Author:     Mark Johnston <ma...@freebsd.org>
AuthorDate: 2024-04-17 14:36:58 +0000
Commit:     Mark Johnston <ma...@freebsd.org>
CommitDate: 2024-04-25 13:20:16 +0000

    nfsserver: Rate-limit messages about requests from unprivileged ports
    
    If access from unreserved ports is disabled, then a remote host can
    cause an NFS server to log a message by sending a packet.  This is
    useful for diagnosing problems but bad for resiliency in the case where
    the server is being spammed with a large number of rejected requests.
    
    Limit prints to once per second (racily).
    
    Reviewed by:    rmacklem, emaste
    MFC after:      1 week
    Differential Revision:  https://reviews.freebsd.org/D44819
    
    (cherry picked from commit b7e4666d7b69c22699a9299687018a892a5dad5b)
---
 sys/fs/nfsserver/nfs_nfsdkrpc.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/sys/fs/nfsserver/nfs_nfsdkrpc.c b/sys/fs/nfsserver/nfs_nfsdkrpc.c
index 25f9c05d6f0b..022f7403d28b 100644
--- a/sys/fs/nfsserver/nfs_nfsdkrpc.c
+++ b/sys/fs/nfsserver/nfs_nfsdkrpc.c
@@ -191,6 +191,12 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
                port = ntohs(sin->sin_port);
                if (port >= IPPORT_RESERVED &&
                    nd.nd_procnum != NFSPROC_NULL) {
+                       static struct timeval privport_ratecheck = {
+                               .tv_sec = 0, .tv_usec = 0
+                       };
+                       static const struct timeval privport_ratecheck_int = {
+                               .tv_sec = 1, .tv_usec = 0
+                       };
 #ifdef INET6
                        char buf[INET6_ADDRSTRLEN];
 #else
@@ -208,15 +214,19 @@ nfssvc_program(struct svc_req *rqst, SVCXPRT *xprt)
                            (buf))
 #endif
 #endif
-                       printf("NFS request from unprivileged port (%s:%d)\n",
+                       if (ratecheck(&privport_ratecheck,
+                           &privport_ratecheck_int)) {
+                               printf(
+                           "NFS request from unprivileged port (%s:%d)\n",
 #ifdef INET6
-                           sin->sin_family == AF_INET6 ?
-                           ip6_sprintf(buf, &satosin6(sin)->sin6_addr) :
+                                   sin->sin_family == AF_INET6 ?
+                                   ip6_sprintf(buf, &satosin6(sin)->sin6_addr) 
:
 #if defined(KLD_MODULE)
 #undef ip6_sprintf
 #endif
 #endif
-                           inet_ntoa_r(sin->sin_addr, buf), port);
+                                   inet_ntoa_r(sin->sin_addr, buf), port);
+                       }
                        svcerr_weakauth(rqst);
                        svc_freereq(rqst);
                        m_freem(nd.nd_mrep);

Reply via email to