| Commit message | Author | Age | Files | Lines |
were performed to determine if the received packet should be reset. This
created erroneous ratelimiting and false alarms in some cases. The code
has now been reorganized so that the checks for validity come before
the call to badport_bandlim. Additionally, a few changes in the symbolic
names of the bandlim types have been made, as well as a clarification of
exactly which type each RST case falls under.
Submitted by: Mike Silbersack <silby@silby.com>
Notes:
svn path=/head/; revision=72357
Notes:
svn path=/head/; revision=71594
1. ICMP ECHO and TSTAMP replies are now rate limited.
2. RSTs generated due to packets sent to open and unopen ports
are now limited by separate counters.
3. Each rate limiting queue now has its own description, as
follows:
Limiting icmp unreach response from 439 to 200 packets per second
Limiting closed port RST response from 283 to 200 packets per second
Limiting open port RST response from 18724 to 200 packets per second
Limiting icmp ping response from 211 to 200 packets per second
Limiting icmp tstamp response from 394 to 200 packets per second
Submitted by: Mike Silbersack <silby@silby.com>
Notes:
svn path=/head/; revision=70070
Submitted by: josh@zipperup.org
Submitted by: Robert Drehmel <robd@gmx.net>
Notes:
svn path=/head/; revision=69781
only be checked if the system is currently performing New Reno style
fast recovery. However, this value was being checked regardless of the
NR state, with the end result being that the congestion window was never
opened.
Change the logic to check t_dupack instead; the only code path that
allows it to be nonzero at this point is NewReno, so if it is nonzero,
we are in fast recovery mode and should not touch the congestion window.
Tested by: phk
Notes:
svn path=/head/; revision=68318
delete the cloned route that is associated with the connection.
This does not exhaust the routing table memory when the system
is under a SYN flood attack. The route entry is not deleted if there
is any prior information cached in it.
Reviewed by: Peter Wemm, asmodai
Notes:
svn path=/head/; revision=63745
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
Notes:
svn path=/head/; revision=62846
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
(also syntax change)
Notes:
svn path=/head/; revision=62587
Suggested by: des/nbm
Notes:
svn path=/head/; revision=60798
Notes:
svn path=/head/; revision=60687
Also-missed-by: peter
Notes:
svn path=/head/; revision=60662
code retransmitting data from the wrong offset.
As a footnote, the newreno code was partially derived from NetBSD
and Tom Henderson <tomh@cs.berkeley.edu>
Notes:
svn path=/head/; revision=60619
better recovery for multiple packet losses in a single window.
The algorithm can be toggled via the sysctl net.inet.tcp.newreno,
which defaults to "on".
Submitted by: Jayanth Vijayaraghavan <jayanth@yahoo-inc.com>
Notes:
svn path=/head/; revision=60067
ESTABLISHED.
Obtained from: KAME Project
Notes:
svn path=/head/; revision=59334
Submitted by: ume
Notes:
svn path=/head/; revision=58907
supports them.
Notes:
svn path=/head/; revision=58698
Now the biggest problem of IPv6 is getting IPv6 address
assignment.
6to4 solves the problem. A 6to4 addr is defined like below,
2002: 4byte v4 addr : 2byte SLA ID : 8byte interface ID
The most important point of the address format is that an IPv4 addr
is embedded in it. So any user who has an IPv4 addr can get an IPv6 address
block with 2byte subnet space. Also, the IPv4 addr is used for
semi-automatic IPv6 over IPv4 tunneling.
With 6to4, getting an IPv6 addr becomes dramatically easy.
The attached patch enables the 6to4 extension, and is confirmed to work
between "Richard Seaman, Jr." <dick@tar.com> and me.
Approved by: jkh
Reviewed by: itojun
Notes:
svn path=/head/; revision=57903
o Drop all broadcast and multicast source addresses in tcp_input.
o Enable ICMP_BANDLIM in GENERIC.
o Change default to 200/s from 100/s. This will still stop the attack, but
is conservative enough to do this close to code freeze.
This is not the optimal patch for the problem, but is likely the least
intrusive patch that can be made for this.
Obtained from: Don Lewis and Matt Dillon.
Reviewed by: freebsd-security
Notes:
svn path=/head/; revision=56724
for an mbuf whose M_PKTHDR is set.
PR: related to kern/15175
Reviewed by: archie
Notes:
svn path=/head/; revision=56565
-opt_ipsec.h was missing on some tcp files (sorry for basic mistake)
-made buildable as above fix
-also added some missing IPv4 mapped IPv6 addr consideration into
ipsec4_getpolicybysock
Notes:
svn path=/head/; revision=56041
Notes:
svn path=/head/; revision=55875
also a small patch to sys/nfs/nfs_socket.c, as max_hdr size change.
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
Notes:
svn path=/head/; revision=55679
The pr_input() routines' prototype is also changed to support IPSEC and IPV6
chained protocol headers.
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
Notes:
svn path=/head/; revision=55009
Reviewed by: truckman
Notes:
svn path=/head/; revision=54601
is within the receive window. Follow this behavior, instead of only
allowing resets at last_ack_sent.
Pointed out by: jayanth@yahoo-inc.com
Notes:
svn path=/head/; revision=54421
packet divert at kernel for IPv6/IPv4 translator daemon
This includes queue related patch submitted by jburkhol@home.com.
Submitted by: queue related patch from jburkhol@home.com
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
Notes:
svn path=/head/; revision=54263
usage limit.
Notes:
svn path=/head/; revision=52070
net.inet.tcp.drop_synfin sysctl, which for some mysterious reason said
"Drop TCP packets with FIN+ACK set" (instead of "...with SYN+FIN set")
Notes:
svn path=/head/; revision=51279
variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel
options, respectively. See the comments in LINT for details.
Notes:
svn path=/head/; revision=51209
- eliminate the fast/slow timeout lists for TCP and instead use a
callout entry for each timer.
- increase the TCP timer granularity to HZ
- implement "bad retransmit" recovery, as presented in
"On Estimating End-to-End Network Path Properties", by Allman and Paxson.
Submitted by: jlemon, wollmann
Notes:
svn path=/head/; revision=50673
plus wrap some long lines from that revision.
While here, wrap some other long lines.
Notes:
svn path=/head/; revision=50596
Notes:
svn path=/head/; revision=50477
style(9) fixes
Submitted by: Jonathon Lemon
Notes:
svn path=/head/; revision=50043
drop any segment arriving at a closed port.
tcp.blackhole=1 - only drop SYN without RST
tcp.blackhole=2 - drop everything without RST
tcp.blackhole=0 - always send RST - default behaviour
This confuses nmap -sF or -sX or -sN quite badly.
Notes:
svn path=/head/; revision=50015
sysctl knobs.
With these knobs on, refused connection attempts are dropped
without sending a RST, or Port unreachable in the UDP case.
In the TCP case, sending of RST is inhibited iff the incoming
segment was a SYN.
Docs and rc.conf settings to follow.
Notes:
svn path=/head/; revision=49968
Notes:
svn path=/head/; revision=48886
if/else nesting.
Notes:
svn path=/head/; revision=46568
PR: kern/11197
Submitted by: Adrian Chadd <adrian@FreeBSD.org>
Reviewed by: billf(spelling/style/minor nits)
Looked at by: bde(style)
Notes:
svn path=/head/; revision=46381
This was missed in the 4.4-Lite2 merge.
Noticed by: Mohan Parthasarathy <Mohan.Parthasarathy@eng.Sun.COM> and
jayanth@loc201.tandem.com (vijayaraghavan_jayanth)
on the tcp-impl mailing list.
Notes:
svn path=/head/; revision=43691
kernel compile
Notes:
svn path=/head/; revision=43305
Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option
is specified in kernel config, icmplim defaults to 100 pps. Setting it
to 0 will disable the feature. This feature limits ICMP error responses
for packets sent to bad tcp or udp ports, which does a lot to help the
machine handle network D.O.S. attacks.
The kernel will report packet rates that exceed the limit at a rate of
one kernel printf per second. There is one issue in regards to the
'tail end' of an attack... the kernel will not output the last report
until some unrelated and valid icmp error packet is returned at some
point after the attack is over. This is a minor reporting issue only.
Notes:
svn path=/head/; revision=41487
PR: 7892
Submitted by: Don.Lewis@tsc.tdk.com
Notes:
svn path=/head/; revision=39078
ip header which can't work on alpha since pointers are too big.
Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Notes:
svn path=/head/; revision=38513
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.
/sbin/ipfw must be recompiled!!!
Reviewed by: Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
Notes:
svn path=/head/; revision=37409
tcp "know" about it. A pending upcall would be missed, eg: used by NFS.
Obtained from: NetBSD
Notes:
svn path=/head/; revision=36529
Notes:
svn path=/head/; revision=36161
Pointed out by: Garrett Wollman
Notes:
svn path=/head/; revision=36159
the TCP_NOPUSH socket option.
This disables TAO for those services that do not know about T/TCP.
Reviewed by: Garrett Wollman
Submitted by: Peter Wemm
Notes:
svn path=/head/; revision=35698
net.inet.tcp.delack_enabled -> net.inet.tcp.delayed_ack
Notes:
svn path=/head/; revision=35421
Notes:
svn path=/head/; revision=35256