K 10
svn:author
V 3
jtl
K 8
svn:date
V 27
2018-08-14T17:59:42.056574Z
K 7
svn:log
V 974
MFC r337781:
 Make the IPv6 fragment limits be global, rather than per-VNET, limits.

 The IPv6 reassembly fragment limit is based on the number of mbuf clusters,
 which are a global resource. However, the limit is currently applied
 on a per-VNET basis. Given enough VNETs (or given sufficient customization
 on enough VNETs), it is possible that the sum of all the VNET fragment
 limits will exceed the number of mbuf clusters available in the system.

 Given the fact that the fragment limits are intended (at least in part) to
 regulate access to a global resource, the IPv6 fragment limit should
 be applied on a global basis.

 Note that it is still possible to disable fragmentation for a particular
 VNET by setting the net.inet6.ip6.maxfragpackets sysctl to 0 for that
 VNET. In addition, it is now possible to disable fragmentation globally
 by setting the net.inet6.ip6.maxfrags sysctl to 0.

Approved by:	so
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923

END