Re: [PATCH 5 of 5] QUIC: limited the total number of frames

Roman Arutyunyan Wed, 13 Oct 2021 04:53:05 -0700

On Tue, Oct 12, 2021 at 03:43:25PM +0300, Vladimir Homutov wrote:
> On Thu, Oct 07, 2021 at 02:36:18PM +0300, Roman Arutyunyan wrote:
> > # HG changeset patch
> > # User Roman Arutyunyan <a...@nginx.com>
> > # Date 1633603050 -10800
> > #      Thu Oct 07 13:37:30 2021 +0300
> > # Branch quic
> > # Node ID 25aeebb9432182a6246fedba6b1024f3d61e959b
> > # Parent  e20f00b8ac9005621993ea19375b1646c9182e7b
> > QUIC: limited the total number of frames.
> >
> > Exceeding 10000 allocated frames is considered a flood.
> >
> > diff --git a/src/event/quic/ngx_event_quic_connection.h 
> > b/src/event/quic/ngx_event_quic_connection.h
> > --- a/src/event/quic/ngx_event_quic_connection.h
> > +++ b/src/event/quic/ngx_event_quic_connection.h
> > @@ -228,10 +228,8 @@ struct ngx_quic_connection_s {
> >      ngx_chain_t                      *free_bufs;
> >      ngx_buf_t                        *free_shadow_bufs;
> >
> > -#ifdef NGX_QUIC_DEBUG_ALLOC
> >      ngx_uint_t                        nframes;
> >      ngx_uint_t                        nbufs;
> > -#endif
> 
> nbufs are actually used only inside NGX_QUIC_DEBUG_ALLOC macro...


We probably need to think about limiting nbufs too.  Technically it's already
limited by flow control, but if we only use a small portion of each buffer
(like 1 byte), we can allocate much more than we need.  This should probably
be optimized.  I'm already working on it in my stream buffering patchset.
Until then let's leave it under the macro.

> >      ngx_quic_streams_t                streams;
> >      ngx_quic_congestion_t             congestion;
> > diff --git a/src/event/quic/ngx_event_quic_frames.c 
> > b/src/event/quic/ngx_event_quic_frames.c
> > --- a/src/event/quic/ngx_event_quic_frames.c
> > +++ b/src/event/quic/ngx_event_quic_frames.c
> > @@ -38,18 +38,22 @@ ngx_quic_alloc_frame(ngx_connection_t *c
> >                         "quic reuse frame n:%ui", qc->nframes);
> >  #endif
> >
> > -    } else {
> > +    } else if (qc->nframes < 10000) {
> >          frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
> >          if (frame == NULL) {
> >              return NULL;
> >          }
> >
> > -#ifdef NGX_QUIC_DEBUG_ALLOC
> >          ++qc->nframes;
> >
> > +#ifdef NGX_QUIC_DEBUG_ALLOC
> >          ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
> >                         "quic alloc frame n:%ui", qc->nframes);
> >  #endif
> > +
> > +    } else {
> > +        ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
> > +        return NULL;
> >      }
> >
> >      ngx_memzero(frame, sizeof(ngx_quic_frame_t));
> > @@ -372,9 +376,9 @@ ngx_quic_alloc_buf(ngx_connection_t *c)
> >
> >      cl->buf = b;
> >
> > -#ifdef NGX_QUIC_DEBUG_ALLOC
> >      ++qc->nbufs;
> 
> ... so this change seems unnecessary
> 
> >
> > +#ifdef NGX_QUIC_DEBUG_ALLOC
> >      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
> >                     "quic alloc buffer n:%ui", qc->nbufs);
> >  #endif
> 
> note: again, the patch follows approach used in HTTP/2 for limiting number of
> allocated frames and uses same constant.
> 
> as a whole, should be working.
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Roman Arutyunyan

# HG changeset patch
# User Roman Arutyunyan <a...@nginx.com>
# Date 1634125611 -10800
#      Wed Oct 13 14:46:51 2021 +0300
# Branch quic
# Node ID 6acee7057a256068f73f70a6d85dd0106642bf94
# Parent  c6bce9ed64c3ea3fe3d8bbfda3852ffa5c556e1a
QUIC: limited the total number of frames.

Exceeding 10000 allocated frames is considered a flood.

diff --git a/src/event/quic/ngx_event_quic_connection.h 
b/src/event/quic/ngx_event_quic_connection.h
--- a/src/event/quic/ngx_event_quic_connection.h
+++ b/src/event/quic/ngx_event_quic_connection.h
@@ -228,8 +228,8 @@ struct ngx_quic_connection_s {
     ngx_chain_t                      *free_bufs;
     ngx_buf_t                        *free_shadow_bufs;
 
+    ngx_uint_t                        nframes;
 #ifdef NGX_QUIC_DEBUG_ALLOC
-    ngx_uint_t                        nframes;
     ngx_uint_t                        nbufs;
 #endif
 
diff --git a/src/event/quic/ngx_event_quic_frames.c 
b/src/event/quic/ngx_event_quic_frames.c
--- a/src/event/quic/ngx_event_quic_frames.c
+++ b/src/event/quic/ngx_event_quic_frames.c
@@ -38,18 +38,22 @@ ngx_quic_alloc_frame(ngx_connection_t *c
                        "quic reuse frame n:%ui", qc->nframes);
 #endif
 
-    } else {
+    } else if (qc->nframes < 10000) {
         frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
         if (frame == NULL) {
             return NULL;
         }
 
-#ifdef NGX_QUIC_DEBUG_ALLOC
         ++qc->nframes;
 
+#ifdef NGX_QUIC_DEBUG_ALLOC
         ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                        "quic alloc frame n:%ui", qc->nframes);
 #endif
+
+    } else {
+        ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
+        return NULL;
     }
 
     ngx_memzero(frame, sizeof(ngx_quic_frame_t));

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: [PATCH 5 of 5] QUIC: limited the total number of frames

Reply via email to