summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorMarkus Friedl <markus@cvs.openbsd.org>2004-04-12 14:17:56 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2004-04-12 14:17:56 +0000
commit0c7e38ae3b741f840fa4517a8534762e726aa9d3 (patch)
tree63dcaa786c85a3b8c8221dccf2f56f318d8589d5 /sys
parent96b0e198b9a84ebd8c529fc8d3ea591a838c85f4 (diff)
factor out dropafterack_ratelim code, use ratelimit
for tcps_rcvacktoomuch, too; drop very old ACKs; ok deraadt@
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/tcp_input.c40
1 files changed, 25 insertions, 15 deletions
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 8a3b78fe9b6..a3fed0250a1 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.159 2004/04/04 17:39:07 deraadt Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.160 2004/04/12 14:17:55 markus Exp $ */
/* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
/*
@@ -122,9 +122,9 @@ int tcp_rst_ppslim = 100; /* 100pps */
int tcp_rst_ppslim_count = 0;
struct timeval tcp_rst_ppslim_last;
-int tcp_synack_ppslim = 100; /* 100pps */
-int tcp_synack_ppslim_count = 0;
-struct timeval tcp_synack_ppslim_last;
+int tcp_ackdrop_ppslim = 100; /* 100pps */
+int tcp_ackdrop_ppslim_count = 0;
+struct timeval tcp_ackdrop_ppslim_last;
#endif /* TUBA_INCLUDE */
#define TCP_PAWS_IDLE (24 * 24 * 60 * 60 * PR_SLOWHZ)
@@ -1455,16 +1455,10 @@ trimthenstep6:
/*
* If a SYN is in the window, then this is an
- * error and we send an RST and drop the connection.
+ * error and we ACK and drop the packet.
*/
- if (tiflags & TH_SYN) {
- if (ppsratecheck(&tcp_synack_ppslim_last, &tcp_synack_ppslim_count,
- tcp_synack_ppslim) == 0) {
- /* XXX stat */
- goto drop;
- }
- goto dropafterack;
- }
+ if (tiflags & TH_SYN)
+ goto dropafterack_ratelim;
/*
* If the ACK bit is off we drop the segment and return.
@@ -1565,8 +1559,16 @@ trimthenstep6:
* Window shrinks
* Old ACK
*/
- if (tlen)
+ if (tlen) {
+ /* Drop very old ACKs unless th_seq matches */
+ if (th->th_seq != tp->rcv_nxt &&
+ SEQ_LT(th->th_ack,
+ tp->snd_una - tp->max_sndwnd)) {
+ /* XXX stat */
+ goto drop;
+ }
break;
+ }
/*
* If we get an old ACK, there is probably packet
* reordering going on. Be conservative and reset
@@ -1769,7 +1771,7 @@ trimthenstep6:
#endif
if (SEQ_GT(th->th_ack, tp->snd_max)) {
tcpstat.tcps_rcvacktoomuch++;
- goto dropafterack;
+ goto dropafterack_ratelim;
}
acked = th->th_ack - tp->snd_una;
tcpstat.tcps_rcvackpack++;
@@ -2127,6 +2129,14 @@ badsyn:
tp = NULL;
goto dropwithreset;
+dropafterack_ratelim:
+ if (ppsratecheck(&tcp_ackdrop_ppslim_last, &tcp_ackdrop_ppslim_count,
+ tcp_ackdrop_ppslim) == 0) {
+ /* XXX stat */
+ goto drop;
+ }
+ /* ...fall into dropafterack... */
+
dropafterack:
/*
* Generate an ACK dropping incoming segment if it occupies