author | melifaro <melifaro@FreeBSD.org> | 2014-11-11 02:52:40 +0000 |
---|---|---|
committer | melifaro <melifaro@FreeBSD.org> | 2014-11-11 02:52:40 +0000 |
commit | 12580bcaa8a78094978261a456034eb3684e9f58 (patch) | |
tree | 03ac2d127be5e5ef838975d007a62d8250819cc3 /share/man/man7/security.7 | |
parent | 42e544acc78653110a142e99a4c7ce581b8e3689 (diff) | |
download | FreeBSD-src-12580bcaa8a78094978261a456034eb3684e9f58.zip FreeBSD-src-12580bcaa8a78094978261a456034eb3684e9f58.tar.gz |
Kill custom in_matroute() radix matching function removing one rte mutex lock.
Initially in_matroute() and in_clsroute() in their current state were introduced by
r4105 20 years ago. Instead of deleting inactive routes immediately, we kept them
in the route table, setting the RTPRF_OURS flag and some expire time. After that, either
GC came or RTPRF_OURS got removed on first packet. It was a good solution
in those days (and probably another decade after that) to keep TCP metrics.
However, after moving metrics to the TCP hostcache in r122922, most of the in_rmx
functionality became unused. It might have been used for flushing icmp-originated
routes before rte mutexes/refcounting, but I'm not sure about that.
So it looks like it is nearly impossible to make GC do its work nowadays:
in_rtkill() ignores non-RTPRF_OURS routes.
A route can only become RTPRF_OURS after dropping the last reference via rtfree(),
which calls in_clsroute(), which, in turn, ignores UP and non-RTF_DYNAMIC routes.
Dynamic routes can still be installed via received redirect, but they
have default lifetime (no specific rt_expire) and no one has another trie walker
to call RTFREE() on them.
So, the changelist:
* remove custom rnh_match / rnh_close matching function.
* remove all GC functions
* partially revert r256695 (proto3 is no longer used inside the kernel,
it is not possible to use rt_expire from the user's point of view, proto3 support
is not complete)
* Finish r241884 (similar to this commit) and remove remaining IPv6 parts
MFC after: 1 month
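The lazy-expiry lifecycle the commit message argues is dead can be seen in a small user-space model. This is an added example, not FreeBSD code: the flag names RTF_UP, RTF_DYNAMIC and RTPRF_OURS are used as labels, the model_* functions are simplified stand-ins for rtfree()/in_clsroute()/in_rtkill() that keep only the refcount, RTF_DYNAMIC and RTPRF_OURS logic the message describes (the UP check and all locking are omitted), the 1600 second default expiry is the figure quoted in the removed man page text, and the three scenarios are constructed inputs.

```c
/*
 * Added example (not FreeBSD code): a user-space model of the lazy route
 * expiry described in the commit message, showing why the collector never
 * reaps a redirect-installed dynamic route once nothing drops its reference.
 * Flag names mirror the ones named in the message; the model_* functions are
 * simplified stand-ins, not the kernel's implementation (assumption).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RTF_UP       0x1
#define RTF_DYNAMIC  0x2
#define RTPRF_OURS   0x4      /* assumption: modelled as a plain flag bit */

#define RT_DEFAULT_EXPIRE 1600 /* "1600 seconds or so" from the removed text */

struct rtentry {
    uint32_t flags;
    int      refcnt;
    uint64_t rt_expire;      /* 0 = no specific expiry */
    bool     freed;
};

/* in_clsroute model: runs when the last reference is dropped. Non-dynamic
 * routes are ignored; dynamic ones are marked RTPRF_OURS with an expire time
 * instead of being deleted immediately. */
static void model_clsroute(struct rtentry *rt, uint64_t now, uint32_t rtexpire) {
    if (!(rt->flags & RTF_DYNAMIC) || (rt->flags & RTPRF_OURS))
        return;
    rt->flags |= RTPRF_OURS;
    rt->rt_expire = now + rtexpire;
}

/* rtfree model: drop one reference; on the last one hand over to clsroute. */
static void model_rtfree(struct rtentry *rt, uint64_t now, uint32_t rtexpire) {
    if (--rt->refcnt > 0)
        return;
    model_clsroute(rt, now, rtexpire);
}

/* First-packet path: a lookup hit on an RTPRF_OURS route revives it. */
static void model_lookup_hit(struct rtentry *rt) {
    rt->flags &= ~RTPRF_OURS;
    rt->rt_expire = 0;
    rt->refcnt++;
}

/* in_rtkill model: the GC walker reaps only RTPRF_OURS routes past expiry. */
static int model_rtkill(struct rtentry *table, size_t n, uint64_t now) {
    int reaped = 0;
    for (size_t i = 0; i < n; i++) {
        struct rtentry *rt = &table[i];
        if (rt->freed || !(rt->flags & RTPRF_OURS))
            continue;
        if (rt->rt_expire != 0 && rt->rt_expire <= now) {
            rt->freed = true;
            reaped++;
        }
    }
    return reaped;
}

/* Scenario 1 (constructed): the original design. The last reference to a
 * dynamic route is dropped; GC reaps it only after rtexpire has elapsed.
 * Returns early*10 + late, expected 1 (nothing early, one route late). */
int scenario_release_then_gc(void) {
    struct rtentry table[1] = {{ .flags = RTF_UP | RTF_DYNAMIC, .refcnt = 1 }};
    model_rtfree(&table[0], 100, RT_DEFAULT_EXPIRE);
    int early = model_rtkill(table, 1, 100 + 10);
    int late  = model_rtkill(table, 1, 100 + RT_DEFAULT_EXPIRE);
    return early * 10 + late;
}

/* Scenario 2 (constructed): first-packet revival clears RTPRF_OURS, so the
 * collector no longer sees the route even long after the old expire time. */
int scenario_hit_revives(void) {
    struct rtentry table[1] = {{ .flags = RTF_UP | RTF_DYNAMIC, .refcnt = 1 }};
    model_rtfree(&table[0], 100, RT_DEFAULT_EXPIRE);
    model_lookup_hit(&table[0]);
    return model_rtkill(table, 1, 100 + 5000);
}

/* Scenario 3 (constructed): the dead path. A redirect installs a dynamic
 * route held by the table with no specific rt_expire; since no walker ever
 * drops that reference, RTPRF_OURS is never set and GC never reaps it. */
int scenario_redirect_never_reaped(void) {
    struct rtentry table[1] = {{ .flags = RTF_UP | RTF_DYNAMIC, .refcnt = 1,
                                 .rt_expire = 0 }};
    int reaped = 0;
    for (uint64_t now = 0; now < 100000; now += RT_DEFAULT_EXPIRE)
        reaped += model_rtkill(table, 1, now);
    return reaped;
}

int main(void) {
    printf("release then gc: %d\n", scenario_release_then_gc());
    printf("hit revives:     %d\n", scenario_hit_revives());
    printf("redirect reaped: %d\n", scenario_redirect_never_reaped());
    return 0;
}
```

The third scenario is the one the commit message relies on: a route that is always referenced never reaches in_clsroute, so no amount of GC passes will touch it, which is why the collector and its sysctls can go.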
Diffstat (limited to 'share/man/man7/security.7')
-rw-r--r-- | share/man/man7/security.7 | 35 |
1 files changed, 0 insertions, 35 deletions
diff --git a/share/man/man7/security.7 b/share/man/man7/security.7 index d51eea2..d84e4a2 100644 --- a/share/man/man7/security.7 +++ b/share/man/man7/security.7 @@ -894,41 +894,6 @@ A competent sysadmin will turn off all of these .Xr inetd 8 Ns -internal test services. -.Pp -Spoofed packet attacks may also be used to overload the kernel route cache. -Refer to the -.Va net.inet.ip.rtexpire , net.inet.ip.rtminexpire , -and -.Va net.inet.ip.rtmaxcache -.Xr sysctl 8 -variables. -A spoofed packet attack that uses a random source IP will cause -the kernel to generate a temporary cached route in the route table, viewable -with -.Dq Li "netstat -rna | fgrep W3" . -These routes typically timeout in 1600 -seconds or so. -If the kernel detects that the cached route table has gotten -too big it will dynamically reduce the -.Va rtexpire -but will never decrease it to -less than -.Va rtminexpire . -There are two problems: (1) The kernel does not react -quickly enough when a lightly loaded server is suddenly attacked, and (2) The -.Va rtminexpire -is not low enough for the kernel to survive a sustained attack. -If your servers are connected to the internet via a T3 or better it may be -prudent to manually override both -.Va rtexpire -and -.Va rtminexpire -via -.Xr sysctl 8 . -Never set either parameter to zero -(unless you want to crash the machine :-)). -Setting both parameters to 2 seconds should be sufficient to protect the route -table from attack. .Sh ACCESS ISSUES WITH KERBEROS AND SSH There are a few issues with both Kerberos and SSH that need to be addressed if you intend to use them. |
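Review bot: The hunk deletes the only text in security.7 that documents net.inet.ip.rtexpire, net.inet.ip.rtminexpire and net.inet.ip.rtmaxcache, but nothing in this file says the knobs themselves are gone; since the commit message removes the GC and partially reverts r256695, confirm the same change removes (or documents as no-ops) those three sysctls, otherwise administrators who followed the old advice ("Setting both parameters to 2 seconds") in sysctl.conf are left with a stale or silently failing setting. The removal itself is tidy: the deleted span starts at the `.Pp` after "internal test services." and ends right before `.Sh ACCESS ISSUES WITH KERBEROS AND SSH`, so no dangling paragraph macro remains.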