From: tb Date: Mon, 8 Apr 2024 14:02:13 +0000 (+0000) Subject: Fix capping of VAPs X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=7e284d508f03134ed914e01310f81a72255d0731;p=openbsd Fix capping of VAPs The previous approach introduced a cap, but it might not always be hit as intended (I missed this on review). Fix this to check the cap after merging an ASPA into an already existing VAP. Also free the list of providers since nothing should be looking at it anymore. Count VAPs that hit the limit with a new overflowed counter. There are still a few aspects of the accounting that probably aren't entirely right. This will be fixed at another point. It's just statistics after all. with/ok claudio, ok job --- diff --git a/usr.sbin/rpki-client/aspa.c b/usr.sbin/rpki-client/aspa.c index 6f4945aea9b..6e42be76d19 100644 --- a/usr.sbin/rpki-client/aspa.c +++ b/usr.sbin/rpki-client/aspa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aspa.c,v 1.29 2024/04/05 16:05:15 job Exp $ */ +/* $OpenBSD: aspa.c,v 1.30 2024/04/08 14:02:13 tb Exp $ */ /* * Copyright (c) 2022 Job Snijders * Copyright (c) 2022 Theo Buehler @@ -339,7 +339,7 @@ aspa_insert_vaps(char *fn, struct vap_tree *tree, struct aspa *aspa, v->expires = aspa->expires; if ((found = RB_INSERT(vap_tree, tree, v)) != NULL) { - if (found->invalid) { + if (found->overflowed) { free(v); return; } @@ -357,14 +357,6 @@ aspa_insert_vaps(char *fn, struct vap_tree *tree, struct aspa *aspa, } else repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_UNIQUE); - if (v->providersz >= MAX_ASPA_PROVIDERS) { - v->invalid = 1; - repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_INVALID); - warnx("%s: too many providers for ASPA Customer ASID " - "(more than %d)", fn, MAX_ASPA_PROVIDERS); - return; - } - repo_stat_inc(rp, aspa->talid, RTYPE_ASPA, STYPE_TOTAL); v->providers = reallocarray(v->providers, 
@@ -391,6 +383,17 @@ aspa_insert_vaps(char *fn, struct vap_tree *tree, struct aspa *aspa, if (j < v->providersz) j++; } + + if (v->providersz >= MAX_ASPA_PROVIDERS) { + v->overflowed = 1; + free(v->providers); + v->providers = NULL; + v->providersz = 0; + repo_stat_inc(rp, v->talid, RTYPE_ASPA, STYPE_OVERFLOW); + warnx("%s: too many providers for ASPA Customer ASID %u " + "(more than %d)", fn, v->custasid, MAX_ASPA_PROVIDERS); + return; + } } static inline int diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 5ddf6524886..c0d74715830 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.214 2024/04/05 16:05:15 job Exp $ */ +/* $OpenBSD: extern.h,v 1.215 2024/04/08 14:02:13 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -403,7 +403,7 @@ struct vap { time_t expires; int talid; unsigned int repoid; - int invalid; + int overflowed; }; /* @@ -573,6 +573,7 @@ enum stype { STYPE_UNIQUE, STYPE_DEC_UNIQUE, STYPE_PROVIDERS, + STYPE_OVERFLOW, }; struct repo; @@ -601,6 +602,7 @@ struct repotalstats { uint32_t vaps; /* total number of Validated ASPA Payloads */ uint32_t vaps_uniqs; /* total number of unique VAPs */ uint32_t vaps_pas; /* total number of providers */ + uint32_t vaps_overflowed; /* VAPs with too many providers */ uint32_t vrps; /* total number of Validated ROA Payloads */ uint32_t vrps_uniqs; /* number of unique vrps */ uint32_t spls; /* signed prefix list */ diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index e996179d26d..3a124ef8448 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.256 2024/04/05 16:05:15 job Exp $ */ +/* $OpenBSD: main.c,v 1.257 2024/04/08 14:02:13 tb Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons 
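Review bot: In the aspa.c hunk at `@@ -391,6 +383,17 @@`, the new cap block in aspa_insert_vaps keeps the VAP in the tree as a marker with its provider list freed, and nothing in the code says that this is intended. Once `overflowed` is set, the early `free(v); return;` in the first aspa.c hunk discards every later ASPA for that customer AS, and the bgpd and JSON writers skip the entry, so that customer AS ends up with no ASPA data in those outputs. A comment above the block would make this explicit, for example `/* Keep the entry as an overflow marker: later ASPAs for this customer AS are dropped and the VAP is omitted from output. */`. The test is `>=` while the warning says "more than %d", so a VAP with exactly MAX_ASPA_PROVIDERS providers is dropped as well; if the limit is meant to be inclusive the test should be `>`, otherwise the message should say "%d or more". The function starts outside the hunk.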
@@ -773,6 +773,7 @@ sum_stats(const struct repo *rp, const struct repotalstats *in, void *arg) out->vaps += in->vaps; out->vaps_uniqs += in->vaps_uniqs; out->vaps_pas += in->vaps_pas; + out->vaps_overflowed += in->vaps_overflowed; out->spls += in->spls; out->spls_fail += in->spls_fail; out->spls_invalid += in->spls_invalid; @@ -1502,8 +1503,9 @@ main(int argc, char *argv[]) stats.repo_stats.extra_files, stats.repo_stats.del_extra_files); printf("VRP Entries: %u (%u unique)\n", stats.repo_tal_stats.vrps, stats.repo_tal_stats.vrps_uniqs); - printf("VAP Entries: %u (%u unique)\n", stats.repo_tal_stats.vaps, - stats.repo_tal_stats.vaps_uniqs); + printf("VAP Entries: %u (%u unique, %u overflowed)\n", + stats.repo_tal_stats.vaps, stats.repo_tal_stats.vaps_uniqs, + stats.repo_tal_stats.vaps_overflowed); printf("VSP Entries: %u (%u unique)\n", stats.repo_tal_stats.vsps, stats.repo_tal_stats.vsps_uniqs); diff --git a/usr.sbin/rpki-client/output-bgpd.c b/usr.sbin/rpki-client/output-bgpd.c index 1ca6c9913a5..fc6af38a417 100644 --- a/usr.sbin/rpki-client/output-bgpd.c +++ b/usr.sbin/rpki-client/output-bgpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output-bgpd.c,v 1.30 2024/04/05 16:05:15 job Exp $ */ +/* $OpenBSD: output-bgpd.c,v 1.31 2024/04/08 14:02:13 tb Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -58,7 +58,7 @@ output_bgpd(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks, if (fprintf(out, "\naspa-set {\n") < 0) return -1; RB_FOREACH(vap, vap_tree, vaps) { - if (vap->invalid) + if (vap->overflowed) continue; if (fprintf(out, "\tcustomer-as %d expires %lld " "provider-as { ", vap->custasid, diff --git a/usr.sbin/rpki-client/output-json.c b/usr.sbin/rpki-client/output-json.c index 4c56d547603..afea19f3f28 100644 --- a/usr.sbin/rpki-client/output-json.c +++ b/usr.sbin/rpki-client/output-json.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: output-json.c,v 1.47 2024/04/05 16:05:15 job Exp $ */ +/* $OpenBSD: output-json.c,v 1.48 2024/04/08 14:02:13 tb Exp $ */ /* * Copyright (c) 2019 Claudio Jeker * @@ -93,7 +93,7 @@ print_vap(struct vap *v) { size_t i; - if (v->invalid) + if (v->overflowed) return; json_do_object("aspa", 1); diff --git a/usr.sbin/rpki-client/output-ometric.c b/usr.sbin/rpki-client/output-ometric.c index c6d9f5869f4..a2795f12578 100644 --- a/usr.sbin/rpki-client/output-ometric.c +++ b/usr.sbin/rpki-client/output-ometric.c @@ -1,4 +1,4 @@ -/* $OpenBSD: output-ometric.c,v 1.9 2024/02/26 15:40:33 job Exp $ */ +/* $OpenBSD: output-ometric.c,v 1.10 2024/04/08 14:02:13 tb Exp $ */ /* * Copyright (c) 2022 Claudio Jeker * @@ -82,6 +82,8 @@ set_common_stats(const struct repotalstats *in, struct ometric *metric, OKV("type", "state"), OKV("vap", "unique"), ol); ometric_set_int_with_labels(metric, in->vaps_pas, OKV("type", "state"), OKV("vap providers", "total"), ol); + ometric_set_int_with_labels(metric, in->vaps_overflowed, + OKV("type", "state"), OKV("vap overflowed"), ol); ometric_set_int_with_labels(metric, in->spls, OKV("type", "state"), OKV("spl", "valid"), ol); diff --git a/usr.sbin/rpki-client/repo.c b/usr.sbin/rpki-client/repo.c index 1b7fa574430..7290dcfe4bb 100644 --- a/usr.sbin/rpki-client/repo.c +++ b/usr.sbin/rpki-client/repo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: repo.c,v 1.55 2024/03/22 03:38:12 job Exp $ */ +/* $OpenBSD: repo.c,v 1.56 2024/04/08 14:02:13 tb Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -1490,6 +1490,9 @@ repo_stat_inc(struct repo *rp, int talid, enum rtype type, enum stype subtype) case STYPE_PROVIDERS: rp->stats[talid].vaps_pas++; break; + case STYPE_OVERFLOW: + rp->stats[talid].vaps_overflowed++; + break; default: break; }
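Review bot: In the output-ometric.c hunk at `@@ -82,6 +82,8 @@`, the new call passes a single value, `OKV("vap overflowed")`, against the two keys `OKV("type", "state")`, while the neighbouring calls pair two values with them (`OKV("vap", "unique")`, `OKV("vap providers", "total")`). OKV's definition is not visible here, but if values are matched to keys by position, the new series gets the type "vap overflowed" and no state label. Monitoring that filters on type "vap" would then miss the one counter that reports the provider cap being hit. The line should probably read `OKV("type", "state"), OKV("vap", "overflowed"), ol);`. set_common_stats starts and ends outside the hunk.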