[PATCH 5 of 5] QUIC: limited the total number of frames

Vladimir Homutov vl at nginx.com
Tue Oct 12 12:43:25 UTC 2021


On Thu, Oct 07, 2021 at 02:36:18PM +0300, Roman Arutyunyan wrote:
> # HG changeset patch
> # User Roman Arutyunyan <arut at nginx.com>
> # Date 1633603050 -10800
> #      Thu Oct 07 13:37:30 2021 +0300
> # Branch quic
> # Node ID 25aeebb9432182a6246fedba6b1024f3d61e959b
> # Parent  e20f00b8ac9005621993ea19375b1646c9182e7b
> QUIC: limited the total number of frames.
>
> Exceeding 10000 allocated frames is considered a flood.
>
> diff --git a/src/event/quic/ngx_event_quic_connection.h b/src/event/quic/ngx_event_quic_connection.h
> --- a/src/event/quic/ngx_event_quic_connection.h
> +++ b/src/event/quic/ngx_event_quic_connection.h
> @@ -228,10 +228,8 @@ struct ngx_quic_connection_s {
>      ngx_chain_t                      *free_bufs;
>      ngx_buf_t                        *free_shadow_bufs;
>
> -#ifdef NGX_QUIC_DEBUG_ALLOC
>      ngx_uint_t                        nframes;
>      ngx_uint_t                        nbufs;
> -#endif

nbufs is actually used only inside the NGX_QUIC_DEBUG_ALLOC macro...

>
>      ngx_quic_streams_t                streams;
>      ngx_quic_congestion_t             congestion;
> diff --git a/src/event/quic/ngx_event_quic_frames.c b/src/event/quic/ngx_event_quic_frames.c
> --- a/src/event/quic/ngx_event_quic_frames.c
> +++ b/src/event/quic/ngx_event_quic_frames.c
> @@ -38,18 +38,22 @@ ngx_quic_alloc_frame(ngx_connection_t *c
>                         "quic reuse frame n:%ui", qc->nframes);
>  #endif
>
> -    } else {
> +    } else if (qc->nframes < 10000) {
>          frame = ngx_palloc(c->pool, sizeof(ngx_quic_frame_t));
>          if (frame == NULL) {
>              return NULL;
>          }
>
> -#ifdef NGX_QUIC_DEBUG_ALLOC
>          ++qc->nframes;
>
> +#ifdef NGX_QUIC_DEBUG_ALLOC
>          ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
>                         "quic alloc frame n:%ui", qc->nframes);
>  #endif
> +
> +    } else {
> +        ngx_log_error(NGX_LOG_INFO, c->log, 0, "quic flood detected");
> +        return NULL;
>      }
>
>      ngx_memzero(frame, sizeof(ngx_quic_frame_t));
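Review bot: The threshold in `else if (qc->nframes < 10000)` is a bare literal, so a reader of ngx_quic_alloc_frame() cannot tell what it counts or why it has this value. A named constant declared next to the `nframes` field (suggested name only: `NGX_QUIC_MAX_FRAMES`) with a comment such as `/* cap on frames allocated from c->pool for one QUIC connection; reaching it is treated as a flood */` would make the limit explicit and easy to audit. The flood branch returns the same NULL as the ngx_palloc() failure path, so callers presumably cannot tell a flood from memory exhaustion when they pick the error used to close the connection; it is worth confirming that this is intended. The function starts and ends outside this hunk, so whether `nframes` is ever decremented when a frame is released is not visible here.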
> @@ -372,9 +376,9 @@ ngx_quic_alloc_buf(ngx_connection_t *c)
>
>      cl->buf = b;
>
> -#ifdef NGX_QUIC_DEBUG_ALLOC
>      ++qc->nbufs;

... so this change seems unnecessary

>
> +#ifdef NGX_QUIC_DEBUG_ALLOC
>      ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
>                     "quic alloc buffer n:%ui", qc->nbufs);
>  #endif

note: again, the patch follows the approach used in HTTP/2 for limiting the number
of allocated frames and uses the same constant.

as a whole, should be working.

