From 59d4a58565d71b3e3c492e3af1d1fa4f7c0b0534 Mon Sep 17 00:00:00 2001
From: claudio
Date: Fri, 5 May 2023 07:28:08 +0000
Subject: [PATCH] Limit the socket buffer size to 64k for all sessions. Long time ago setting the size to 64k was increasing the size but now auto-scaling could grow the buffer size much more. The origianl idea was that sessions without protection had a small window size to make window attacks harder. This problem was fixed long time ago and is no longer relevant. Limiting the buffer size to a reasonable size ensures that not too many updates end up queued in the TCP stack. OK benno@ (some time ago)
---
 usr.sbin/bgpd/session.c | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/usr.sbin/bgpd/session.c b/usr.sbin/bgpd/session.c
index 137fda97619..c8debdb4d15 100644
--- a/usr.sbin/bgpd/session.c
+++ b/usr.sbin/bgpd/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.443 2023/04/20 12:53:27 claudio Exp $ */
+/* $OpenBSD: session.c,v 1.444 2023/05/05 07:28:08 claudio Exp $ */
 
 /*
 * Copyright (c) 2003, 2004, 2005 Henning Brauer 
@@ -1189,20 +1189,15 @@ session_setup_socket(struct peer *p)
 return (-1);
 }
 
- /* only increase bufsize (and thus window) if md5 or ipsec is in use */
- if (p->conf.auth.method != AUTH_NONE) {
- /* try to increase bufsize. no biggie if it fails */
- bsize = 65535;
- while (bsize > 8192 &&
- setsockopt(p->fd, SOL_SOCKET, SO_RCVBUF, &bsize,
- sizeof(bsize)) == -1 && errno != EINVAL)
- bsize /= 2;
- bsize = 65535;
- while (bsize > 8192 &&
- setsockopt(p->fd, SOL_SOCKET, SO_SNDBUF, &bsize,
- sizeof(bsize)) == -1 && errno != EINVAL)
- bsize /= 2;
- }
+ /* limit bufsize. no biggie if it fails */
+ bsize = 65535;
+ while (bsize > 8192 && setsockopt(p->fd, SOL_SOCKET, SO_RCVBUF,
+ &bsize, sizeof(bsize)) == -1 && errno != EINVAL)
+ bsize /= 2;
+ bsize = 65535;
+ while (bsize > 8192 && setsockopt(p->fd, SOL_SOCKET, SO_SNDBUF,
+ &bsize, sizeof(bsize)) == -1 && errno != EINVAL)
+ bsize /= 2;
 
 return (0);
 }
-- 
2.20.1
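Review bot: Both loops in the new block still treat a failed setsockopt() as harmless ("no biggie if it fails"), which suited the old best-effort enlargement but not a cap that the commit message relies on to bound what queues in the TCP stack. If every attempt fails, or the first one returns EINVAL, the socket presumably keeps its auto-scaled buffers and nothing is logged. Consider keeping the last setsockopt() result and emitting a per-peer warning when SO_RCVBUF or SO_SNDBUF could not be set, so an uncapped session is visible to the operator. The comment should also carry the rationale that currently lives only in the commit message, for example `/* cap rcv/snd buffers at 64k for all sessions so auto-scaling cannot queue too many updates in the TCP stack */`. session_setup_socket starts outside this hunk, so the declaration of bsize and the earlier error handling are not visible here.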