author: andre <andre@FreeBSD.org> 2005-04-21 14:29:34 +0000
committer: andre <andre@FreeBSD.org> 2005-04-21 14:29:34 +0000
commit: 4f8537607278c0fbb4d30ab96c2fac657d5fdeaf
tree: f9fb2ed28a25065dedd8eb4f8192b59cb2728403 /sys/netinet/ip_icmp.h
parent: 510a2f302a52427fe35f48836697a480c0caeef2
Move Path MTU discovery ICMP processing from icmp_input() to
tcp_ctlinput() and subject it to active tcpcb and sequence number checking. Previously any ICMP unreachable/needfrag message would cause an update to the TCP hostcache. Now only ICMP PMTU messages belonging to an active TCP session with the correct src/dst/port and sequence number will update the hostcache and complete the path MTU discovery process.

Note that we don't entirely implement the recommended counter measures of Section 7.2 of the paper. However we close down the possible degradation vector from trivially easy to really complex and resource intensive. In addition we have limited the smallest acceptable MTU with net.inet.tcp.minmss sysctl for some time already, further reducing the effect of any degradation due to an attack.

Security: draft-gont-tcpm-icmp-attacks-03.txt Section 7.2
MFC after: 3 days
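
The validation the commit message describes, sketched as a userland C model; this is an added example, not FreeBSD's tcp_ctlinput() code. `struct conn`, `struct quoted` and `pmtu_accept()` are hypothetical names, and rejecting a value below the floor or not smaller than the current MTU is an assumed policy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userland model of a TCP connection; not FreeBSD's tcpcb. */
struct conn {
    uint32_t laddr, faddr;     /* local / foreign IPv4 address */
    uint16_t lport, fport;     /* local / foreign TCP port */
    uint32_t snd_una, snd_max; /* oldest unacked seq, highest seq sent + 1 */
    int      mtu;              /* current path MTU estimate */
};
/* Fields parsed from the IP+TCP header quoted inside the ICMP error. */
struct quoted { uint32_t src, dst; uint16_t sport, dport; uint32_t seq; };

/* Wrap-safe sequence comparisons (serial number arithmetic). */
static int seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }
static int seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

/* Returns the new MTU of the matched connection, or -1 if the ICMP is ignored. */
int pmtu_accept(struct conn *tab, size_t n, const struct quoted *q,
                int next_mtu, int min_mtu)
{
    for (size_t i = 0; i < n; i++) {
        struct conn *c = &tab[i];
        /* The quoted packet is one we sent: its source is our local end. */
        if (q->src != c->laddr || q->dst != c->faddr ||
            q->sport != c->lport || q->dport != c->fport)
            continue;
        /* It must quote data still in flight: snd_una <= seq < snd_max. */
        if (!seq_geq(q->seq, c->snd_una) || !seq_lt(q->seq, c->snd_max))
            return -1;
        /* Assumed policy: never go below the floor, never raise the MTU. */
        if (next_mtu < min_mtu || next_mtu >= c->mtu)
            return -1;
        c->mtu = next_mtu;
        return c->mtu;
    }
    return -1; /* no active connection matches the quoted 4-tuple */
}

int main(void)
{
    /* Constructed sample: one connection whose send window wraps past 2^32. */
    struct conn tab[] = {{0x0a000001u, 0x0a000002u, 40000, 443, 0xfffffff0u, 0x100u, 1500}};
    struct quoted in_flight = {0x0a000001u, 0x0a000002u, 40000, 443, 0x10u};
    struct quoted stale = {0x0a000001u, 0x0a000002u, 40000, 443, 0xffffff00u};
    printf("in-flight: %d\n", pmtu_accept(tab, 1, &in_flight, 1400, 256));
    printf("stale:     %d\n", pmtu_accept(tab, 1, &stale, 1300, 256));
    return 0;
}
```
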
Diffstat (limited to 'sys/netinet/ip_icmp.h')
-rw-r--r-- sys/netinet/ip_icmp.h 1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/netinet/ip_icmp.h b/sys/netinet/ip_icmp.h
index 9d58529..6acff63 100644
--- a/sys/netinet/ip_icmp.h
+++ b/sys/netinet/ip_icmp.h
@@ -193,6 +193,7 @@ struct icmp {
#ifdef _KERNEL
void icmp_error(struct mbuf *, int, int, n_long, struct ifnet *);
void icmp_input(struct mbuf *, int);
+int ip_next_mtu(int, int);
#endif
#endif
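Review bot: The added prototype `int ip_next_mtu(int, int);` in the `#ifdef _KERNEL` block takes two unnamed `int` parameters and has no comment, so a reader of this header cannot tell which argument is which or what the return value means, and a caller that swaps the two would still compile. Since this line exposes the function to other kernel files, a one-line comment above it stating the meaning of each argument and of the return value would help. The commit message does not mention ip_next_mtu() either, so a sentence on why it is now declared here would make the change easier to audit.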