Age | Commit message | Author |
|
|
Ok millert@
|
|
UDP PCB's if the socket is connected.
|
|
checksum errors as hardware checksum packets as well.
|
|
output hardware checksumming. Not tested yet, but should be done
tonight.
Remain to be solved: interactions with bridge, TCP/UDP output
checksumming, interactions of TCP/UDP checksumming with routing
changes.
|
|
are not taken into consideration in anything just yet.
|
|
PCB; store information from the TDB to the PCB, if it's not
initialized, so processes can eventually retrieve it.
|
|
with IPv6 TCP PMTUD is mandatory, compute mss size accordingly.
sync with kame
|
|
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.
Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.
|
|
makes upgrades/code sharing much easier.
|
|
validate ICMPv6 too big messages (pmtud) based on pcb. we accept
certain amount of non-validated ones, as IPv6 mandates ICMPv6 (so even for
traffic from unconnected pcb, we need pmtud).
sync with kame
|
|
to less than N per 1 second.
|
|
we don't support IPv4 mapped address,
and there is inconsistent bit manipulation code so it's safer to nuke them.
|
|
flag delayed to ip_output(). That halves the code and reduces most of
the route lookups. okay deraadt@
|
|
osuga@mml.yrp.nttdocomo.co.jp
|
|
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.
use of :: as source is not documented well in IPv6 specification.
not sure if it presents a real threat. the worst case scenario is a DoS
against TCP listening socket:
- outsider transmit TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
    local address = my address
    remote address = :: (meaning "unconnected")
    state = SYN_RCVD
  note that SYN ACK will not be sent due to ip6_output() filter.
  this stays until it timeouts.
- the TCP control block prevents listening TCP control block from
  being contacted (DoS).
|
|
on diff from "Pete Kazmier" <pete@kazmier.com>
|
|
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
|
|
Remove netinet.h within ifdef INET6; this is already included.
|
|
- protect IPv6 ND from being hosed (due to neighbor unreachability detection
hint) by wrong tcp traffic. still not sure if there's real attack, but
it is good to be cautious.
- avoid bitfield for router renumbering header decl.
- implement packet-per-sec limitation for icmp6 errors, turn interval
limit off (it is not very useful due to unix timer resolution).
|
|
cleanup (indentation, v4-or-v6 conditions)
|
|
inconsistency in corner cases (from NRL I believe).
todd (fries) and I have seen panic, with the following call chain:
ip6_input -> tcp_input -> tcp_respond -> ip_input -> bang!
more cleanups should be done, to decrease complexity.
for example, INP_IPV6_MAPPED should be nuked.
|
|
as per TCP-imply IETF WG draft(s). The correct approach is to just use
the relevant interface's MTU.
|
|
touch tcp header before m_adj, than the other way around.
(no behavior change with the current m_adj code, new code is safer against
any future m_adj changes)
|
|
(I mean, IPv4) do not try to use rmx_mtu on routing table.
this symptom was introduced by rmx_mtu initialization (necessary for IPv6
path MTU discovery) in net/route.c. now prior behavior is recovered.
From: Hugh Graham <hugh@openbsd.org>
there are several questions about mssdflt semantics, though:
Question 1: with the current code, mssdflt does not override rmx_mtu value
(mssdflt overrides interface mtu only). should we override rmx_mtu by
mssdflt as well?
Question 2: with the current code, mssdflt overrides mss computed from
if mtu, only when the destination is IPv4 non-local. is it safe enough?
we may want to use mssdflt, whenever we are uncertain.
    mss = if mtu - hdrsiz;
    if (IPv4 non-local destination)
        mss = min(mss, mssdflt);
|
|
- tcp_sack_adjust() was completely rewritten, since it was erroneously
referencing receiver side sequence numbers and comparing with sender
side sequence numbers (thanks to Arun Desai (adesai@cisco.com) who
discovered the problem)
- in tcp_output(), moved assignment of sendalot=0 to the piece of code
immediately following the search for sack-eligible retransmissions
(bug identified by Arun Desai).
- tcp_input() was not clearing t_dupacks if fewer than three dupacks arrived
between acks of new data. (bug identified by Gaurav Banga (gaurav@netapp.com))
|
|
SACK is disabled for the connection or via sysctl
|
|
malicious party may try to use v4 mapped addr as source/dest to
confuse tcp/udp layer, or to bypass security checks,
for example, naive stack can mistakenly think a packet with
src = ::ffff:127.0.0.1 is from local node.
(sync with kame)
|
|
set retransmit timer again if it was cleared, that can happen in SACK when
there are no eligible SACK holes to be retransmitted and the receiver window
is full.
|
|
replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support.
see sys/netinet6/{TODO,IMPLEMENTATION} for more details.
GENERIC configuration should work fine as before. GENERIC.v6 works fine
as well, but you'll need KAME userland tools to play with IPv6 (will be
brought in soon).
|
|
Adapted from NetBSD:
Fix a retransmission bug introduced by the Brakmo and Peterson
RTO estimation changes. Under some circumstances it would
return a value of 0, while the old Van Jacobson RTO code would
return a minimum of 3. This would result in 12 retransmissions,
each 1 second apart. This takes care of those instances, and
ensures that t_rttmin is used everywhere as a lower bound.
|