author | Markus Friedl <markus@cvs.openbsd.org> | 2004-04-12 14:17:56 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2004-04-12 14:17:56 +0000 |
commit | 0c7e38ae3b741f840fa4517a8534762e726aa9d3 (patch) | |
tree | 63dcaa786c85a3b8c8221dccf2f56f318d8589d5 /sys/netinet/tcp_input.c | |
parent | 96b0e198b9a84ebd8c529fc8d3ea591a838c85f4 (diff) |
factor out dropafterack_ratelim code, use ratelimit
for tcps_rcvacktoomuch, too; drop very old ACKs; ok deraadt@
Diffstat (limited to 'sys/netinet/tcp_input.c')
-rw-r--r-- | sys/netinet/tcp_input.c | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 8a3b78fe9b6..a3fed0250a1 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_input.c,v 1.159 2004/04/04 17:39:07 deraadt Exp $ */ +/* $OpenBSD: tcp_input.c,v 1.160 2004/04/12 14:17:55 markus Exp $ */ /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */ /* @@ -122,9 +122,9 @@ int tcp_rst_ppslim = 100; /* 100pps */ int tcp_rst_ppslim_count = 0; struct timeval tcp_rst_ppslim_last; -int tcp_synack_ppslim = 100; /* 100pps */ -int tcp_synack_ppslim_count = 0; -struct timeval tcp_synack_ppslim_last; +int tcp_ackdrop_ppslim = 100; /* 100pps */ +int tcp_ackdrop_ppslim_count = 0; +struct timeval tcp_ackdrop_ppslim_last; #endif /* TUBA_INCLUDE */ #define TCP_PAWS_IDLE (24 * 24 * 60 * 60 * PR_SLOWHZ) @@ -1455,16 +1455,10 @@ trimthenstep6: /* * If a SYN is in the window, then this is an - * error and we send an RST and drop the connection. + * error and we ACK and drop the packet. */ - if (tiflags & TH_SYN) { - if (ppsratecheck(&tcp_synack_ppslim_last, &tcp_synack_ppslim_count, - tcp_synack_ppslim) == 0) { - /* XXX stat */ - goto drop; - } - goto dropafterack; - } + if (tiflags & TH_SYN) + goto dropafterack_ratelim; /* * If the ACK bit is off we drop the segment and return. @@ -1565,8 +1559,16 @@ trimthenstep6: * Window shrinks * Old ACK */ - if (tlen) + if (tlen) { + /* Drop very old ACKs unless th_seq matches */ + if (th->th_seq != tp->rcv_nxt && + SEQ_LT(th->th_ack, + tp->snd_una - tp->max_sndwnd)) { + /* XXX stat */ + goto drop; + } break; + } /* * If we get an old ACK, there is probably packet * reordering going on. Be conservative and reset @@ -1769,7 +1771,7 @@ trimthenstep6: #endif if (SEQ_GT(th->th_ack, tp->snd_max)) { tcpstat.tcps_rcvacktoomuch++; - goto dropafterack; + goto dropafterack_ratelim; } acked = th->th_ack - tp->snd_una; tcpstat.tcps_rcvackpack++; 
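Review bot: The rewritten comment in the -1455/+1455 hunk says "we ACK and drop the packet", but the jump now goes to `dropafterack_ratelim`, so the ACK is sent only while the rate limit allows and the segment is otherwise dropped with no reply. The comment should say so, for example ` * error and we ACK (subject to the ACK-drop rate limit) and drop the packet.`. The surrounding `trimthenstep6` code starts and ends outside the hunk.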
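Review bot: The new silent drop in the -1565/+1559 hunk carries only `/* XXX stat */`, so segments discarded for a stale `th_ack` leave no trace in the TCP statistics; the same placeholder appears in the `dropafterack_ratelim` hunk at -2127/+2129. On a path that discards segments which may have been forged, a dedicated counter incremented just before `goto drop` (for example `tcpstat.<new_counter>++;`, the field name being a placeholder) is what lets an operator notice a burst of them. The one-line comment could also state the bound, e.g. `/* th_ack lies more than max_sndwnd behind snd_una: too old to acknowledge anything still outstanding */`. The test runs only for segments with data whose `th_seq` differs from `rcv_nxt`, and the enclosing block starts outside the hunk, so whether other old-ACK paths need the same check cannot be judged from here.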
@@ -2127,6 +2129,14 @@ badsyn: tp = NULL; goto dropwithreset; +dropafterack_ratelim: + if (ppsratecheck(&tcp_ackdrop_ppslim_last, &tcp_ackdrop_ppslim_count, + tcp_ackdrop_ppslim) == 0) { + /* XXX stat */ + goto drop; + } + /* ...fall into dropafterack... */ + dropafterack: /* * Generate an ACK dropping incoming segment if it occupies |
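Review bot: `dropafterack_ratelim` draws on a single global budget (`tcp_ackdrop_ppslim`, initialised to 100 per second) for both the SYN-in-window case and the `tcps_rcvacktoomuch` case at -1769/+1771, and for every connection on the host. Once a burst of bogus segments has used up that budget, a genuine but desynchronised peer on another connection also gets no ACK until the next interval. That trade-off is probably intended, but it should be written down at the label, e.g. `/* one global limit shared by all connections and both callers; segments over the limit are dropped without an ACK */`. The label falls through into `dropafterack`, whose body continues outside the hunk.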