Introduce tmp properties for Netty decoderEnforceMaxRstFramesPerWindow
#2728
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation: Netty 4.1.100 introduced a new feature for HTTP/2 to protect from DDoS vector (see GHSA-xpw8-rcwv-8f8p) This is unknown if users of libraries that work on top of Netty may be impacted by false positives or not. For the next major release we should either remove these properties or promote them to public API. Modifications: - Temporarily introduce the following system properties to control underlying netty-codec-http2: `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.maxConsecutiveEmptyFrames=200` `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.secondsPerWindow=30` Result: If necessary, users can control new netty options via system properties.
tkountis
approved these changes
Oct 10, 2023
idelpivnitskiy
added a commit
to idelpivnitskiy/servicetalk
that referenced
this pull request
Oct 27, 2023
Motivation: apple#2728 introduces 2 properties to control Netty `decoderEnforceMaxRstFramesPerWindow` settings: `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.maxConsecutiveEmptyFrames=200` `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.secondsPerWindow=30` The first property was named incorrectly, it must be `maxRstFramesPerWindow`. Modifications: - Add a new property: `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.maxRstFramesPerWindow=200`; - Use previous `maxConsecutiveEmptyFrames` value as a fallback for backward compatibility; Result: Properties names are consistent with their names in Netty.
idelpivnitskiy
added a commit
that referenced
this pull request
Oct 30, 2023
…2740) Motivation: #2728 introduces 2 properties to control Netty `decoderEnforceMaxRstFramesPerWindow` settings: `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.maxConsecutiveEmptyFrames=200` `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.secondsPerWindow=30` The first property was named incorrectly, it must be `maxRstFramesPerWindow`. Modifications: - Add a new property: `-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.maxRstFramesPerWindow=200`; - Use previous `maxConsecutiveEmptyFrames` value as a fallback for backward compatibility; Result: Properties names are consistent with their names in Netty.
idelpivnitskiy
added a commit
to idelpivnitskiy/servicetalk
that referenced
this pull request
Nov 12, 2023
Motivation: Netty 4.1.100 introduced a new feature for HTTP/2 to protect from DDoS vector, and we added system properties to control its settings in apple#2728. In version 4.1.101 Netty disabled this protection for clients by default, but due to how we use our system properties, that change won't automatically apply to ServiceTalk. Modifications: - `OptimizedHttp2FrameCodecBuilder.decoderEnforceMaxRstFramesPerWindow` now considers `isServer` flag to decide if the inferred values should be applied or not; Result: `decoderEnforceMaxRstFramesPerWindow` is enabled only for HTTP/2 servers.
idelpivnitskiy
added a commit
that referenced
this pull request
Nov 13, 2023
Motivation: Netty 4.1.100 introduced a new feature for HTTP/2 to protect from DDoS vector, and we added system properties to control its settings in #2728. In version 4.1.101 Netty disabled this protection for clients by default, but due to how we use our system properties, that change won't automatically apply to ServiceTalk. Modifications: - `OptimizedHttp2FrameCodecBuilder.decoderEnforceMaxRstFramesPerWindow` now considers `isServer` flag to decide if the inferred values should be applied or not; Result: `decoderEnforceMaxRstFramesPerWindow` is enabled only for HTTP/2 servers.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
Netty 4.1.100 introduced a new feature for HTTP/2 to protect from DDoS vector (see
GHSA-xpw8-rcwv-8f8p) This is unknown if users of libraries that work on top of Netty may be impacted by false positives or not. For the next major release we should either remove these properties or promote them to public API.
Modifications:
-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.maxConsecutiveEmptyFrames=200-Dio.servicetalk.http.netty.http2.decoderEnforceMaxRstFramesPerWindow.secondsPerWindow=30Result:
If necessary, users can control new netty options via system properties.