Age | Commit message | Author |
|
|
|
attack against our hash function. In this case, switch to the
passive syn cache as soon as possible. It will start with a new
random seed for the hash.
input and OK mpi@
|
|
This is convenient to test the feature and may be useful to defend
against syn flooding in a denial of service condition. It is
consistent with the existing syn cache sysctls. Move some declarations
to tcp_var.h to access the syn cache sets from tcp_sysctl().
OK mpi@
|
|
stack reseeds the hash function every time the cache is empty.
Unfortunately the attacker can prevent the reseeding by sending
unanswered SYN packets periodically.
Fix this by having an active syn cache that gets new entries and a
passive one that is idling out. When the passive one is empty and
the active one has been used 100000 times, they switch roles and
the hash function is reseeded with new random.
tedu@ agrees; OK mpi@
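The rotation this commit describes, as an added example that is not OpenBSD code and not part of the commit: a user-space C model with two syn cache sets, one active and one passive, that swap roles and draw a fresh seed once the passive set has idled out and the active one has been used 100000 times (the threshold quoted above). Everything else is an assumption made for the demo: the names (sc_insert, sc_tick, run_attack), the bucket hash, the xorshift stand-in for arc4random(9), the SC_TTL after which an unanswered SYN times out, and the attacker who sends one SYN per tick and never completes the handshake. run_attack(..., 0) replays the old single-cache behaviour, which only reseeds when the cache is empty, so the periodic SYNs keep the seed fixed forever; run_attack(..., 1) shows the dual scheme reseeding on schedule under the same traffic.

```c
/* Added example, not OpenBSD code: a user-space model of the active/passive
 * syn cache rotation described in the commit above.  Names, the bucket hash,
 * the xorshift stand-in for arc4random(9), SC_TTL and the traffic pattern
 * are assumptions made for this demo. */
#include <stdint.h>

#define SC_BUCKETS      128
#define SC_SWITCH_USES  100000u   /* threshold quoted in the commit message */
#define SC_TTL          32u       /* ticks an unanswered SYN idles in the cache */
#define RING_SIZE       (SC_TTL + 1)

struct syn_cache_set {
	uint32_t seed;                /* random key mixed into the hash */
	unsigned count;               /* live entries */
	unsigned use;                 /* inserts while this set was active */
	unsigned bucket[SC_BUCKETS];
};

struct syn_entry { int set; unsigned bucket; int live; };

struct syn_cache {
	struct syn_cache_set set[2];
	int active;                   /* set that takes new entries */
	int dual;                     /* 0 models the old single-cache behaviour */
	unsigned reseeds;             /* seeds drawn after sc_init() */
	unsigned tick;
	struct syn_entry ring[RING_SIZE]; /* at most one insert per tick */
};

static uint32_t rng_state = 0x2545f491u;   /* deterministic, demo only */
static uint32_t fake_arc4random(void)
{
	uint32_t x = rng_state; x ^= x << 13; x ^= x >> 17; x ^= x << 5;
	return rng_state = x;
}

static void sc_reseed(struct syn_cache *sc, int i)
{
	sc->set[i].seed = fake_arc4random(); sc->set[i].use = 0; sc->reseeds++;
}

void sc_init(struct syn_cache *sc, int dual)
{
	*sc = (struct syn_cache){0};
	sc->dual = dual;
	sc->set[0].seed = fake_arc4random(); sc->set[1].seed = fake_arc4random();
}

/* Full address XORed with the set's seed, then mixed down to a bucket. */
static unsigned sc_hash(const struct syn_cache_set *s, uint32_t saddr, uint16_t sport)
{
	uint32_t h = (saddr ^ s->seed) + (uint32_t)sport * 0x9e3779b1u;
	h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13;
	return h % SC_BUCKETS;
}

void sc_insert(struct syn_cache *sc, uint32_t saddr, uint16_t sport)
{
	struct syn_cache_set *a = &sc->set[sc->active];
	struct syn_cache_set *p = &sc->set[sc->active ^ 1];
	struct syn_entry *e = &sc->ring[sc->tick % RING_SIZE];
	unsigned h;
	if (!sc->dual) {
		if (a->count == 0)        /* old scheme: only an empty cache reseeds */
			sc_reseed(sc, sc->active);
	} else if (p->count == 0 && a->use >= SC_SWITCH_USES) {
		/* passive set has idled out and the active one is worn: swap roles */
		sc->active ^= 1;
		sc_reseed(sc, sc->active);
		a = p;
	}
	h = sc_hash(a, saddr, sport);
	a->bucket[h]++; a->count++; a->use++;
	e->set = sc->active; e->bucket = h; e->live = 1;
}

/* Advance time: the entry inserted SC_TTL ticks ago times out. */
void sc_tick(struct syn_cache *sc)
{
	struct syn_entry *e;
	if (++sc->tick < SC_TTL)
		return;
	e = &sc->ring[(sc->tick - SC_TTL) % RING_SIZE];
	if (!e->live)
		return;
	sc->set[e->set].bucket[e->bucket]--; sc->set[e->set].count--; e->live = 0;
}

/* Attacker sends an unanswered SYN every `gap` ticks from a fresh source.
 * Returns how many new seeds were drawn during the run. */
unsigned run_attack(unsigned ticks, unsigned gap, int dual)
{
	struct syn_cache sc;
	unsigned t;
	sc_init(&sc, dual);
	for (t = 0; t < ticks; t++) {
		if (t % gap == 0)
			sc_insert(&sc, 0x0a000000u + t, (uint16_t)(1024 + t % 60000));
		sc_tick(&sc);
	}
	return sc.reseeds;
}
```

With a SYN every tick and a 32-tick timeout the single cache is never empty after the first insert, so run_attack(300000, 1, 0) reports one seed and the attacker keeps it for the whole run; the dual scheme rotates at use 100000 and again at 200000 because the passive set has long emptied by then. Only sparse traffic (gap larger than SC_TTL) ever lets the old scheme reseed, which is exactly the condition an attacker can deny.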
|
|
This shows how often the hash function is reseeded and the random
bucket distribution changes.
OK mpi@ claudio@
|
|
ok mpi@ millert@
|
|
ok mpi@
|
|
ok henning
|
|
pf_inp_...() lookup, link and unlink functions as an interface.
Locking can be added to them later. Remove the first linking at
the beginning of tcp_input() and udp_input() as it is not necessary.
It will be done later anyway. That code was a relic from the
time before I had added the second linking.
Input from mikeb@ and sashan@; OK sashan@
|
|
layer will be turned mpsafe. We're not there yet.
Reported by David Hill, ok florian@
|
|
Tested by and ok sthen@, ok visa@
|
|
While here remove unused argument and convert the route check to
rtisvalid(9).
ok bluhm@
|
|
die and ifp->if_mtu is the one true mtu.
Suggested by and OK mpi@
|
|
Apart from the usual inet6 axe murdering exercise to keep you fit, this
allows us to get rid of a lot of layer violations due to the use of per-ifp
variables to store the current hop limit.
Inputs from bluhm@, ok phessler@, florian@, bluhm@
|
|
ifpp - XXX: just for statistics
ifpp is always NULL in all callers so that statistic confirms ifpp is
dying
OK mpi@
|
|
cache hash. That makes it trivial to create syn cache collisions.
Take the full address, xor it with random data and put it into the
hash function.
OK markus@
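The collision problem this commit fixes, as an added example that is not OpenBSD code and not part of the commit: a hash that only sees part of the source address gives the attacker a bucket collision for free, because varying the ignored bits changes nothing the hash sees, and no secret seed helps. Which bits the old code dropped is an assumption here (the low 16 bits are kept); the mixer, the seed value, the port and the constructed attacker addresses are demo stand-ins. max_bucket_load returns how full the fullest bucket gets after n attacker SYNs.

```c
/* Added example, not OpenBSD code: why hashing only part of the source
 * address lets an attacker pile every entry into one bucket no matter what
 * the secret is.  Which bits the old code dropped is an assumption (the low
 * 16 bits are kept here); the mixer, seed and traffic are demo stand-ins. */
#include <stdint.h>
#include <string.h>

#define SC_BUCKETS 128

static uint32_t mix(uint32_t h)
{
	h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u; h ^= h >> 16;
	return h;
}

/* Old: only the low 16 bits of the address reach the hash. */
unsigned hash_partial(uint32_t seed, uint32_t saddr, uint16_t sport)
{
	return mix((saddr & 0xffffu) ^ seed ^ sport) % SC_BUCKETS;
}

/* Fixed: the full address is XORed with the random seed before hashing. */
unsigned hash_full(uint32_t seed, uint32_t saddr, uint16_t sport)
{
	return mix(saddr ^ seed ^ sport) % SC_BUCKETS;
}

/* Attacker keeps the port and the low 16 address bits fixed and varies only
 * the bits the old hash ignores.  Returns the load of the fullest bucket:
 * n means every one of the n SYNs collided. */
unsigned max_bucket_load(unsigned (*hash)(uint32_t, uint32_t, uint16_t),
    uint32_t seed, unsigned n)
{
	unsigned load[SC_BUCKETS], i, max = 0;

	memset(load, 0, sizeof(load));
	for (i = 0; i < n; i++) {
		uint32_t saddr = (i << 16) | 0x0a0au;  /* high half varies, low half fixed */
		load[hash(seed, saddr, 443)]++;
	}
	for (i = 0; i < SC_BUCKETS; i++)
		if (load[i] > max)
			max = load[i];
	return max;
}
```

The partial hash puts all 4096 constructed SYNs into one bucket for any seed, so reseeding does not rescue it; the full-address hash spreads the same traffic over the 128 buckets at roughly 32 per bucket. A syn cache lookup then walks a 4096-entry chain under the old hash, which is the denial of service the commit refers to.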
|
|
OK dlg@
|
|
global variables should also live there.
OK markus@
|
|
splsoftnet() explicitly. The function syn_cache_lookup() is always
called at IPL_SOFTNET so a splsoftassert() is better than a needless
splsoftnet().
OK markus@ dlg@
|
|
same prefix for all variables. Convert the counter type to int,
the limit is also int. Before searching the cache, check that it
is not empty. Do not access the counter outside of the syn cache
from tcp_ctlinput(), let the syn_cache_lookup() function handle it.
OK dlg@
|
|
OK markus@
|
|
inline functions. They have the advantage of checking the old type
before casting.
OK dlg@
|
|
ok guenther@, henning@
|
|
ok stsp mpi
|
|
OK deraadt@
|
|
ok claudio@
|
|
receiving interface in the packet header of every mbuf.
The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroyed/removed and the mbuf should be freed.
Such a mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.
Tested by jmatthew@ and krw@, discussed with many.
ok mikeb@, bluhm@, dlg@
|
|
something based on an address family and later assumes one of the paths
was taken. This was initially just calls to panic until guenther
suggested a function to reduce the amount of strings needed.
This reduces the amount of noise with static analysers and acts
as a sanity check.
ok guenther@ bluhm@
|
|
annoying trailing, leading and embedded whitespace. No change to
.o files.
ok deraadt@
|
|
ok krw@ miod@
|
|
ok mikeb
|
|
This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.
No objections from reyk and hshoexer, with and OK markus.
|
|
listen queue (backlog) limit or the memory shortage in syn-cache.
ok henning reyk claudio
|
|
long live the one true internet.
ok henning mikeb
|
|
ok mikeb@, krw@, bluhm@, tedu@
|
|
for a multicast/broadcast destination address.
These checks have already been done in the Ethernet and IP layers and
the mbuf(9) should contain all the required information at this point.
But since we cannot trust this spaghetti stack, be paranoid and make
sure to set the flags in the IP input routines.
Use explicit comments, requested by deraadt@. ok claudio@
|
|
to include that than rdnvar.h. ok deraadt dlg
|
|
ok dlg@, uebayasi@, mikeb@
|
|
From Florian Riehm
|
|
kill the macro.
ok mikeb@, henning@
|
|
OK henning@
|
|
|
|
state to the socket pcb. Add an additional assert to narrow down
the panics.
OK henning@
|
|
This function is used only once in our tree to optimize the size of the
MSS if the forward address corresponds to a host on one of our subnets,
but only if ip.mtudisc is disabled, which is not the default!
While here get rid of the "#ifdef RTV_MTU", it is here.
ok henning@, mikeb@, bluhm@
|
|
ever used to pass on uint32 (for ipsec). stop that madness and just pass
the uint32, 0 in all cases but the two that pass the ipsec flowinfo.
ok deraadt reyk guenther
|
|
ok gcc & md5 (alas, no binary change)
|
|
Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@
|
|
statistics side effects before. ok lteo naddy
|
|
are a lie, since the software engine emulates hardware offloading
and that is later indistinguishable. so kill the hw cksummed counters.
introduce software checksummed packet counters instead.
tcp/udp handles ip & ipvshit, ip cksum covered, 6 has no ip layer cksum.
as before we still have a miscounting bug for inbound with pf on, to be
fixed in the next step.
found by, prodding & ok naddy
|
|
the ifp pointer which can be NULL. This prevents a crash reported
by David Hill <dhill at mindcry ! org>. OK bluhm
|