author | silby <silby@FreeBSD.org> | 2001-07-08 02:20:47 +0000 |
committer | silby <silby@FreeBSD.org> | 2001-07-08 02:20:47 +0000 |
commit | 2be73222cb19a5095c4726a24bf5b1a64fbc420f (patch) | |
tree | fef63dda5be2e0301de334e984f17a9b61cf3d84 /sys/netinet/tcp_timewait.c | |
parent | 6027a078967acc487d07764badb87d2df9e6a48a (diff) | |
Temporary feature: Runtime tuneable tcp initial sequence number
generation scheme. Users may now select between the currently used
OpenBSD algorithm and the older random positive increment method.
While the OpenBSD algorithm is more secure, it also breaks TIME_WAIT
handling; this is causing trouble for an increasing number of folks.
To switch between generation schemes, one sets the sysctl
net.inet.tcp.tcp_seq_genscheme. 0 = random positive increments,
1 = the OpenBSD algorithm. 1 is still the default.
Once a secure _and_ compatible algorithm is implemented, this sysctl
will be removed.
Reviewed by: jlemon
Tested by: numerous subscribers of -net
Diffstat (limited to 'sys/netinet/tcp_timewait.c')
-rw-r--r-- | sys/netinet/tcp_timewait.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 221e541..b126cbd 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -139,6 +139,10 @@ static int icmp_may_rst = 1;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, icmp_may_rst, CTLFLAG_RW, &icmp_may_rst, 0, "Certain ICMP unreachable messages may abort connections in SYN_SENT");
+static int tcp_seq_genscheme = 1;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcp_seq_genscheme, CTLFLAG_RW,
+ &tcp_seq_genscheme, 0, "TCP ISN generation scheme");
+
 static void tcp_cleartaocache __P((void));
 static void tcp_notify __P((struct inpcb *, int));
@@ -182,6 +186,7 @@ tcp_init()
 {
 int hashsize = TCBHASHSIZE;
+ tcp_iss = arc4random(); /* wrong, but better than a constant */
 tcp_ccgen = 1;
 tcp_cleartaocache();
@@ -1107,6 +1112,26 @@ tcp6_ctlinput(cmd, sa, d)
 }
 #endif /* INET6 */
+tcp_seq
+tcp_new_isn()
+{
+ if ((tcp_seq_genscheme > 1) || (tcp_seq_genscheme < 0))
+ tcp_seq_genscheme = 1;
+
+ switch (tcp_seq_genscheme) {
+ case 0: /*
+ * Random positive increments
+ */
+ tcp_iss += TCP_ISSINCR/2;
+ return tcp_iss;
+ case 1: /*
+ * OpemBSD randomized scheme
+ */
+ return tcp_rndiss_next();
+ }
+
+}
+
 #define TCP_RNDISS_ROUNDS 16
 #define TCP_RNDISS_OUT 7200
 #define TCP_RNDISS_MAX 30000
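Review bot: tcp_new_isn() in the third hunk can fall off the end of a non-void function and hand the caller an undefined ISN: the range clamp writes the global `tcp_seq_genscheme` and the `switch` then re-reads it, and since the sysctl is CTLFLAG_RW with no validating handler (first hunk), a concurrent sysctl write between the two reads can land on a value with no `case`. Snapshot the knob into a local once, make the OpenBSD path the `default` so every value yields a return, and fix the `OpemBSD` typo in the comment; rejecting out-of-range values at write time with a SYSCTL_PROC handler would be cleaner still, but that lives outside this hunk. The scheme-0 path's unpredictability appears to rest entirely on `TCP_ISSINCR` (not visible here) and the `arc4random()` seed set in tcp_init() (second hunk), so a comment saying it is the less secure option would help admins who flip the knob to work around the TIME_WAIT problem the commit message describes.
```c
tcp_seq
tcp_new_isn()
{
	int scheme = tcp_seq_genscheme;	/* snapshot: sysctl is RW and may change under us */

	switch (scheme) {
	case 0:
		/*
		 * Random positive increments.  Unpredictability here appears to
		 * depend only on TCP_ISSINCR and the arc4random() seed set in
		 * tcp_init(); this is the less secure option.
		 */
		tcp_iss += TCP_ISSINCR/2;
		return tcp_iss;
	default:
		/* OpenBSD randomized scheme; also taken for out-of-range values. */
		if (scheme != 1)
			tcp_seq_genscheme = 1;
		return tcp_rndiss_next();
	}
}
```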