diff --git a/sys/net/pflow.h b/sys/net/pflow.h index 456e3de52ab1..4c194e14e001 100644 --- a/sys/net/pflow.h +++ b/sys/net/pflow.h @@ -39,6 +39,8 @@ #include #endif +#define PFLOW_MAX_ENTRIES 128 + #define PFLOW_ID_LEN sizeof(u_int64_t) #define PFLOW_MAXFLOWS 30 diff --git a/sys/netpfil/pf/pflow.c b/sys/netpfil/pf/pflow.c index 0000aa05ee0d..17a68e0d9e57 100644 --- a/sys/netpfil/pf/pflow.c +++ b/sys/netpfil/pf/pflow.c @@ -176,7 +176,7 @@ vnet_pflowattach(void) CK_LIST_INIT(&V_pflowif_list); mtx_init(&V_pflowif_list_mtx, "pflow interface list mtx", NULL, MTX_DEF); - V_pflow_unr = new_unrhdr(0, INT_MAX, &V_pflowif_list_mtx); + V_pflow_unr = new_unrhdr(0, PFLOW_MAX_ENTRIES - 1, &V_pflowif_list_mtx); for (int i = 0; i < pflow_ncounters; i++) V_pflowstats.c[i] = counter_u64_alloc(M_WAITOK); @@ -1343,6 +1343,10 @@ pflow_nl_create(struct nlmsghdr *hdr, struct nl_pstate *npt) ghdr_new->reserved = 0; unit = alloc_unr(V_pflow_unr); + if (unit == -1) { + nlmsg_abort(nw); + return (ENOMEM); + } error = pflow_create(unit); if (error != 0) { diff --git a/tests/sys/netpfil/pf/pflow.sh b/tests/sys/netpfil/pf/pflow.sh index 10efcbb93ac4..f0552eb061da 100644 --- a/tests/sys/netpfil/pf/pflow.sh +++ b/tests/sys/netpfil/pf/pflow.sh @@ -282,6 +282,37 @@ rule_cleanup() pft_cleanup } +atf_test_case "max_entries" "cleanup" +max_entries_head() +{ + atf_set descr 'Test that we can only create X pflow senders' + atf_set require.user root +} + +max_entries_body() +{ + pflow_init + + vnet_mkjail alcatraz + + for i in `seq 1 128` + do + atf_check -s exit:0 -o ignore \ + jexec alcatraz pflowctl -c + done + + # We cannot create the 129th pflow sender + atf_check -s exit:1 -o ignore -e ignore \ + jexec alcatraz pflowctl -c + + jexec alcatraz pflowctl -l +} + +max_entries_cleanup() +{ + pft_cleanup +} + atf_test_case "obs_dom" "cleanup" obs_dom_head() { @@ -313,5 +344,6 @@ atf_init_test_cases() atf_add_test_case "v6" atf_add_test_case "nat" atf_add_test_case "rule" + atf_add_test_case "max_entries" atf_add_test_case "obs_dom" }