author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2016-03-29 18:13:21 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2016-03-29 18:13:21 +0000 |
commit | 0a2a6845363074fd8653e8d85fbc14dd1e8b21a8 (patch) | |
tree | bb3b9278a7150e4fb6f47cd55a625d4631c7a1fb /sys/netinet/tcp_var.h | |
parent | b2ec24303246d26975ff4320cbc5b78bd56fd85b (diff) |
Allow to adjust tcp_syn_use_limit with sysctl net.inet.tcp.synuselimit.
This is convenient to test the feature and may be useful to defend
against syn flooding in a denial of service condition. It is
consistent with the existing syn cache sysctls. Move some declarations
to tcp_var.h to access the syn cache sets from tcp_sysctl().
OK mpi@
Diffstat (limited to 'sys/netinet/tcp_var.h')
-rw-r--r-- | sys/netinet/tcp_var.h | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 65742dc8980..b99ba8a5cde 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_var.h,v 1.111 2016/03/27 19:19:01 bluhm Exp $ */
+/* $OpenBSD: tcp_var.h,v 1.112 2016/03/29 18:13:20 bluhm Exp $ */
 /* $NetBSD: tcp_var.h,v 1.17 1996/02/13 23:44:24 christos Exp $ */
 
 /*
@@ -251,6 +251,10 @@ struct tcp_opt_info {
 /*
  * Data for the TCP compressed state engine.
  */
+
+#define TCP_SYN_HASH_SIZE 293
+#define TCP_SYN_BUCKET_SIZE 35
+
 union syn_cache_sa {
 	struct sockaddr sa;
 	struct sockaddr_in sin;
@@ -311,6 +315,13 @@ struct syn_cache_head {
 	u_short sch_length; /* # entries in bucket */
 };
 
+struct syn_cache_set {
+	struct syn_cache_head scs_buckethead[TCP_SYN_HASH_SIZE];
+	int scs_count;
+	int scs_use;
+	u_int32_t scs_random[5];
+};
+
 #endif /* _KERNEL */
 
 /*
@@ -478,7 +489,8 @@ struct tcpstat {
 #define TCPCTL_SACKHOLE_LIMIT 20 /* max entries for tcp sack queues */
 #define TCPCTL_STATS 21 /* TCP statistics */
 #define TCPCTL_ALWAYS_KEEPALIVE 22 /* assume SO_KEEPALIVE is always set */
-#define TCPCTL_MAXID 23
+#define TCPCTL_SYN_USE_LIMIT 23 /* number of uses before reseeding hash */
+#define TCPCTL_MAXID 24
 
 #define TCPCTL_NAMES { \
 	{ 0, 0 }, \
@@ -503,7 +515,8 @@ struct tcpstat {
 	{ "drop", CTLTYPE_STRUCT }, \
 	{ "sackholelimit", CTLTYPE_INT }, \
 	{ "stats", CTLTYPE_STRUCT }, \
-	{ "always_keepalive", CTLTYPE_INT } \
+	{ "always_keepalive", CTLTYPE_INT }, \
+	{ "synuselimit", CTLTYPE_INT }, \
 }
 
 #define TCPCTL_VARS { \
@@ -528,6 +541,8 @@ struct tcpstat {
 	NULL, \
 	NULL, \
 	NULL, \
+	NULL, \
+	NULL, \
 	NULL \
 }
 
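Review bot: `struct syn_cache_set` lands with no field comments, unlike the neighbouring `syn_cache_head` whose `sch_length` is annotated, and `scs_random[5]` is an unnamed magic size; now that this struct is shared between the syn cache code and tcp_sysctl(), the meaning of `scs_use` versus `scs_count` and of the random words belongs in the header. I would annotate the fields along the lines of `int scs_count; /* # entries in this set */`, `int scs_use; /* # uses since the last reseed, compared against tcp_syn_use_limit */` and `u_int32_t scs_random[5]; /* hash key, reseeded once scs_use reaches the limit */`, and give the 5 a name next to TCP_SYN_HASH_SIZE. The semantics of scs_use and scs_count are inferred from the sysctl description in this commit and should be confirmed against the syn cache code, which is outside this hunk.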
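Review bot: The TCPCTL_VARS initializer gains two NULL slots while TCPCTL_MAXID grows by only one (23 to 24) and TCPCTL_NAMES gains one entry, so the table is either being silently corrected from one slot short or is now one slot too long. If the array that takes this initializer is sized by TCPCTL_MAXID, as the parallel NAMES table suggests, an overlong initializer is diagnosed by the compiler as excess elements while a short one is silently NULL-filled, so the count should be checked against TCPCTL_MAXID and, if this fixes a pre-existing mismatch, the log should say so. A compile-time size check next to the table would keep NAMES, VARS and MAXID from drifting again. Which of the two cases applies cannot be seen from this hunk alone.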
@@ -559,6 +574,8 @@ extern int tcp_reass_limit; /* max entries for tcp reass queues */
 
 extern int tcp_syn_cache_limit; /* max entries for compressed state engine */
 extern int tcp_syn_bucket_limit;/* max entries per hash bucket */
+extern int tcp_syn_use_limit; /* number of uses before reseeding hash */
+extern struct syn_cache_set tcp_syn_cache[];
 
 int tcp_attach(struct socket *);
 void tcp_canceltimers(struct tcpcb *);
|
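Review bot: `extern struct syn_cache_set tcp_syn_cache[];` exposes the set array without its dimension, so tcp_sysctl() and any future reader has to hard-code how many sets exist; declaring the count as a named constant beside TCP_SYN_HASH_SIZE and using it here, `extern struct syn_cache_set tcp_syn_cache[TCP_SYN_CACHE_SETS];`, lets the compiler check loop bounds against the definition. `tcp_syn_use_limit` is now settable from userland through net.inet.tcp.synuselimit, so its comment should also state which values are accepted; a zero or negative limit presumably means reseeding on every use or never, which matters because the reseed is what the commit relies on against SYN flooding. The accepted range and the handling of non-positive values live in tcp_sysctl() and the syn cache code, outside this hunk, and should be confirmed there.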