Git-Mirrors/qubes-mirage-firewall
1
0
Fork 0
mirror of https://github.com/mirage/qubes-mirage-firewall.git synced 2024-10-01 01:05:39 -04:00
Code Issues Packages Projects Releases Wiki Activity

Reset NAT table if memory gets low

Browse Source
This commit is contained in:
Thomas Leonard 2016-01-02 15:50:05 +00:00
parent 1779f0fdbe
commit 425ba26286
3 changed files with 19 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
firewall.ml
View File

@ -145,11 +145,17 @@ let apply_rules t rules info =
Log.info "Dropped packet (%s) %a" (fun f -> f reason pp_packet info); Log.info "Dropped packet (%s) %a" (fun f -> f reason pp_packet info);
return () return ()
let ipv4_from_client t frame = let handle_low_memory t =
match Memory_pressure.status () with match Memory_pressure.status () with
| `Memory_critical -> (* TODO: should happen before copying and async *) | `Memory_critical -> (* TODO: should happen before copying and async *)
Log.warn "Memory low - dropping packet" Logs.unit; Log.warn "Memory low - dropping packet and resetting NAT table" Logs.unit;
return () Router.reset t;
`Memory_critical
| `Ok -> `Ok
let ipv4_from_client t frame =
match handle_low_memory t with
| `Memory_critical -> return ()
| `Ok -> | `Ok ->
(* Check for existing NAT entry for this packet *) (* Check for existing NAT entry for this packet *)
match translate t frame with match translate t frame with
@ -161,10 +167,8 @@ let ipv4_from_client t frame =
| Some info -> apply_rules t Rules.from_client info | Some info -> apply_rules t Rules.from_client info
let ipv4_from_netvm t frame = let ipv4_from_netvm t frame =
match Memory_pressure.status () with match handle_low_memory t with
| `Memory_critical -> (* TODO: should happen before copying and async *) | `Memory_critical -> return ()
Log.warn "Memory low - dropping packet" Logs.unit;
return ()
| `Ok -> | `Ok ->
match classify t frame with match classify t frame with
| None -> return () | None -> return ()

5
router.ml
View File

@ -10,7 +10,7 @@ module Log = (val Logs.src_log src : Logs.LOG)
type t = { type t = {
client_eth : Client_eth.t; client_eth : Client_eth.t;
nat : Nat_lookup.t; mutable nat : Nat_lookup.t;
uplink : interface; uplink : interface;
} }
@ -42,3 +42,6 @@ let resolve t = function
| `Firewall_uplink -> Ipaddr.V4 t.uplink#my_ip | `Firewall_uplink -> Ipaddr.V4 t.uplink#my_ip
| `NetVM -> Ipaddr.V4 t.uplink#other_ip | `NetVM -> Ipaddr.V4 t.uplink#other_ip
| #Client_eth.host as host -> Client_eth.resolve t.client_eth host | #Client_eth.host as host -> Client_eth.resolve t.client_eth host
let reset t =
t.nat <- Nat_lookup.empty ()

5
router.mli
View File

@ -7,7 +7,7 @@ open Utils
type t = private { type t = private {
client_eth : Client_eth.t; client_eth : Client_eth.t;
nat : Nat_lookup.t; mutable nat : Nat_lookup.t;
uplink : interface; uplink : interface;
} }
(** A routing table. *) (** A routing table. *)
@ -30,3 +30,6 @@ val remove_client : t -> client_link -> unit
val classify : t -> Ipaddr.t -> Packet.host val classify : t -> Ipaddr.t -> Packet.host
val resolve : t -> Packet.host -> Ipaddr.t val resolve : t -> Packet.host -> Ipaddr.t
val reset : t -> unit
(** Clear the NAT table (to free memory). *)