diff options
author | delphij <delphij@FreeBSD.org> | 2018-08-15 02:30:11 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2018-08-15 02:30:11 +0000 |
commit | 544d31706a541930a2b8f8984b7bd25861011b91 (patch) | |
tree | 6b210cc76f5ab1c3436cfd21521da7ccdfeefc70 /share | |
parent | 6d554063ca8c5d2a9bad18a2c238cd74dadeb33c (diff) | |
download | FreeBSD-src-544d31706a541930a2b8f8984b7bd25861011b91.zip FreeBSD-src-544d31706a541930a2b8f8984b7bd25861011b91.tar.gz |
Revis manual pages. [SA-18:08.tcp]
Fix L1 Terminal Fault (L1TF) kernel information disclosure.
[SA-18:09.l1tf]
Fix resource exhaustion in IP fragment reassembly. [SA-18:10.ip]
Fix unauthenticated EAPOL-Key decryption vulnerability.
[SA-18:11.hostapd]
Approved by: so
Diffstat (limited to 'share')
-rw-r--r-- | share/man/man4/inet.4 | 37 | ||||
-rw-r--r-- | share/man/man4/inet6.4 | 39 | ||||
-rw-r--r-- | share/man/man4/tcp.4 | 2 |
3 files changed, 65 insertions, 13 deletions
diff --git a/share/man/man4/inet.4 b/share/man/man4/inet.4 index 49c050d..b0ccb25 100644 --- a/share/man/man4/inet.4 +++ b/share/man/man4/inet.4 @@ -28,7 +28,7 @@ .\" From: @(#)inet.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd Feb 4, 2016 +.Dd August 14, 2018 .Dt INET 4 .Os .Sh NAME @@ -229,15 +229,38 @@ At the same time, on high-speed links, it can decrease the ID reuse cycle greatly. Default is 0 (sequential IP IDs). IPv6 flow IDs and fragment IDs are always random. +.It Va ip.maxfrags +Integer: maximum number of fragments the host will accept and simultaneously +hold across all reassembly queues in all VNETs. +If set to 0, reassembly is disabled. +If set to -1, this limit is not applied. +This limit is recalculated when the number of mbuf clusters is changed. +This is a global limit. .It Va ip.maxfragpackets -Integer: maximum number of fragmented packets the host will accept and hold -in the reassembling queue simultaneously. -0 means that the host will not accept any fragmented packets. -\-1 means that the host will accept as many fragmented packets as it receives. +Integer: maximum number of fragmented packets the host will accept and +simultaneously hold in the reassembly queue for a particular VNET. +0 means that the host will not accept any fragmented packets for that VNET. +\-1 means that the host will not apply this limit for that VNET. +This limit is recalculated when the number of mbuf clusters is changed. +This is a per-VNET limit. +.It Va ip.maxfragbucketsize +Integer: maximum number of reassembly queues per bucket. +Fragmented packets are hashed to buckets. +Each bucket has a list of reassembly queues. +The system must compare the incoming packets to the existing reassembly queues +in the bucket to find a matching reassembly queue. +To preserve system resources, the system limits the number of reassembly +queues allowed in each bucket. +This limit is recalculated when the number of mbuf clusters is changed or +when the value of +.Va ip.maxfragpackets +changes. +This is a per-VNET limit. .It Va ip.maxfragsperpacket Integer: maximum number of fragments the host will accept and hold -in the reassembling queue for a packet. -0 means that the host will not accept any fragmented packets. +in the reassembly queue for a packet. +0 means that the host will not accept any fragmented packets for the VNET. +This is a per-VNET limit. .El .Sh SEE ALSO .Xr ioctl 2 , diff --git a/share/man/man4/inet6.4 b/share/man/man4/inet6.4 index 815dee7..40b5a17 100644 --- a/share/man/man4/inet6.4 +++ b/share/man/man4/inet6.4 @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd September 2, 2009 +.Dd August 14, 2018 .Dt INET6 4 .Os .Sh NAME @@ -219,12 +219,41 @@ packets. This value applies to all the transport protocols on top of .Tn IPv6 . There are APIs to override the value. +.It Dv IPV6CTL_MAXFRAGS +.Pq ip6.maxfrags +Integer: maximum number of fragments the host will accept and simultaneously +hold across all reassembly queues in all VNETs. +If set to 0, fragment reassembly is disabled. +If set to -1, this limit is not applied. +This limit is recalculated when the number of mbuf clusters is changed. +This is a global limit. .It Dv IPV6CTL_MAXFRAGPACKETS .Pq ip6.maxfragpackets -Integer: default maximum number of fragmented packets the node will accept. -0 means that the node will not accept any fragmented packets. --1 means that the node will accept as many fragmented packets as it receives. -The flag is provided basically for avoiding possible DoS attacks. +Integer: maximum number of fragmented packets the node will accept and +simultaneously hold in the reassembly queue for a particular VNET. +0 means that the node will not accept any fragmented packets for that VNET. +-1 means that the node will not apply this limit for that VNET. +This limit is recalculated when the number of mbuf clusters is changed. +This is a per-VNET limit. +.It Dv IPV6CTL_MAXFRAGBUCKETSIZE +.Pq ip6.maxfragbucketsize +Integer: maximum number of reassembly queues per bucket. +Fragmented packets are hashed to buckets. +Each bucket has a list of reassembly queues. +The system must compare the incoming packets to the existing reassembly queues +in the bucket to find a matching reassembly queue. +To preserve system resources, the system limits the number of reassembly +queues allowed in each bucket. +This limit is recalculated when the number of mbuf clusters is changed or +when the value of +.Va ip6.maxfragpackets +changes. +This is a per-VNET limit. +.It Dv IPV6CTL_MAXFRAGSPERPACKET +.Pq ip6.maxfragsperpacket +Integer: maximum number of fragments the host will accept and hold in the +ressembly queue for a packet. +This is a per-VNET limit. .It Dv IPV6CTL_ACCEPT_RTADV .Pq ip6.accept_rtadv Boolean: the default value of a per-interface flag to diff --git a/share/man/man4/tcp.4 b/share/man/man4/tcp.4 index 05a352c..e4ef694 100644 --- a/share/man/man4/tcp.4 +++ b/share/man/man4/tcp.4 @@ -34,7 +34,7 @@ .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd February 6, 2017 +.Dd August 6, 2018 .Dt TCP 4 .Os .Sh NAME |