Re: [PATCH 5 of 5] QUIC: limited the total number of frames

Roman Arutyunyan
October 13, 2021 07:54AM
On Tue, Oct 12, 2021 at 03:43:25PM +0300, Vladimir Homutov wrote:
> On Thu, Oct 07, 2021 at 02:36:18PM +0300, Roman Arutyunyan wrote:
> > # HG changeset patch
> > # User Roman Arutyunyan <arut@nginx.com>
> > # Date 1633603050 -10800
> > # Thu Oct 07 13:37:30 2021 +0300
> > # Branch quic
> > # Node ID 25aeebb9432182a6246fedba6b1024f3d61e959b
> > # Parent e20f00b8ac9005621993ea19375b1646c9182e7b
> > QUIC: limited the total number of frames.
> >
> > Exceeding 10000 allocated frames is considered a flood.
> >
> > diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h
> > --- a/src/event/quic/ngx_event_quic_connection.h
> > +++ b/src/event/quic/ngx_event_quic_connection.h
> > @@ -228,10 +228,8 @@ struct ngx_quic_connection_s {
> > ngx_chain_t *free_bufs;
> > ngx_buf_t *free_shadow_bufs;
> >
> > -#ifdef NGX_QUIC_DEBUG_ALLOC
> > ngx_uint_t nframes;
> > ngx_uint_t nbufs;
> > -#endif
>
> nbufs are actually used only inside NGX_QUIC_DEBUG_ALLOC macro...

We probably need to think about limiting nbufs too. Technically it's already
limited by flow control, but if we only use a small portion of each buffer
(like 1 byte), we can allocate much more than we need. This should probably
be optimized. I'm already working on it in my stream buffering patchset.
Until then let's leave it under the macro.

> > ngx_quic_streams_t streams;
> > ngx_quic_congestion_t congestion;
> > diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
> > --- a/src/event/quic/ngx_event_quic_frames.c
> > +++ b/src/event/quic/ngx_event_quic_frames.c
> > @@ -38,18 +38,22 @@ ngx_quic_alloc_frame(ngx_connection_t *c
> > "quic reuse frame n:%ui", qc->nframes);
> > #endif
> >
> > - } else {
> > + } else if (qc->nframes < 10000) {
> > frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
> > if (frame == NULL) {
> > return NULL;
> > }
> >
> > -#ifdef NGX_QUIC_DEBUG_ALLOC
> > ++qc->nframes;
> >
> > +#ifdef NGX_QUIC_DEBUG_ALLOC
> > ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
> > "quic alloc frame n:%ui", qc->nframes);
> > #endif
> > +
> > + } else {
> > + ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
> > + return NULL;
> > }
> >
> > ngx_memzero(frame, sizeof(ngx_quic_frame_t));
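Review bot: the bound in `} else if (qc->nframes < 10000) {` is a bare literal whose meaning is only explained in the commit message. A named constant defined alongside the connection structure (the name is the author's choice) would make the limit discoverable and easier to keep aligned with any other frame limits in the tree.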
> > @@ -372,9 +376,9 @@ ngx_quic_alloc_buf(ngx_connection_t *c)
> >
> > cl->buf = b;
> >
> > -#ifdef NGX_QUIC_DEBUG_ALLOC
> > ++qc->nbufs;
>
> ... so this change seems unnecessary
>
> >
> > +#ifdef NGX_QUIC_DEBUG_ALLOC
> > ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
> > "quic alloc buffer n:%ui", qc->nbufs);
> > #endif
>
> note: again, the patch follows approach used in HTTP/2 for limiting number of
> allocated frames and uses same constant.
>
> as a whole, should be working.
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

--
Roman Arutyunyan
# HG changeset patch
# User Roman Arutyunyan <arut@nginx.com>
# Date 1634125611 -10800
# Wed Oct 13 14:46:51 2021 +0300
# Branch quic
# Node ID 6acee7057a256068f73f70a6d85dd0106642bf94
# Parent c6bce9ed64c3ea3fe3d8bbfda3852ffa5c556e1a
QUIC: limited the total number of frames.

Exceeding 10000 allocated frames is considered a flood.

diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h
--- a/src/event/quic/ngx_event_quic_connection.h
+++ b/src/event/quic/ngx_event_quic_connection.h
@@ -228,8 +228,8 @@ struct ngx_quic_connection_s {
ngx_chain_t *free_bufs;
ngx_buf_t *free_shadow_bufs;

+ ngx_uint_t nframes;
#ifdef NGX_QUIC_DEBUG_ALLOC
- ngx_uint_t nframes;
ngx_uint_t nbufs;
#endif

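Review bot: `nframes` moves out of `#ifdef NGX_QUIC_DEBUG_ALLOC` with no comment, while `nbufs` directly below stays debug-only, so two adjacent counters now have different roles. A one-line comment on the field saying that it is compared against the frame limit in ngx_quic_alloc_frame() would keep a later cleanup from moving it back under the macro.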
diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
--- a/src/event/quic/ngx_event_quic_frames.c
+++ b/src/event/quic/ngx_event_quic_frames.c
@@ -38,18 +38,22 @@ ngx_quic_alloc_frame(ngx_connection_t *c
"quic reuse frame n:%ui", qc->nframes);
#endif

- } else {
+ } else if (qc->nframes < 10000) {
frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
if (frame == NULL) {
return NULL;
}

-#ifdef NGX_QUIC_DEBUG_ALLOC
++qc->nframes;

+#ifdef NGX_QUIC_DEBUG_ALLOC
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"quic alloc frame n:%ui", qc->nframes);
#endif
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
+ return NULL;
}

ngx_memzero(frame, sizeof(ngx_quic_frame_t));
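Review bot: the new final `else` branch returns NULL exactly as the `ngx_palloc()` failure branch above it does, so callers of ngx_quic_alloc_frame() cannot tell a peer hitting the limit from memory exhaustion; if the two should close the connection differently, the flood case needs its own signal. The "quic flood detected" message also carries no count, unlike the debug lines that log `n:%ui`; including `qc->nframes` would show which limit fired. In the lines shown `nframes` is only ever incremented and the reuse path leaves it unchanged, so the check bounds frames ever allocated from the connection pool rather than frames in use; the commit message could say so.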