| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
Submitted by: Michael Butler <imb@protected-networks.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
information into the ISN (initial sequence number) without the additional
use of timestamp bits and switching to the very fast and cryptographically
strong SipHash-2-4 MAC hash algorithm to protect the SYN cookie against
forgeries.
The purpose of SYN cookies is to encode all necessary session state in
the 32 bits of our initial sequence number to avoid storing any information
locally in memory. This is especially important when under heavy spoofed
SYN attacks where we would either run out of memory or the syncache would
fill with bogus connection attempts swamping out legitimate connections.
The original SYN cookies method only stored an indexed MSS values in the
cookie. This isn't sufficient anymore and breaks down in the presence of
WSCALE information which is only exchanged during SYN and SYN-ACK. If we
can't keep track of it then we may severely underestimate the available
send or receive window. This is compounded with large windows whose size
information on the TCP segment header is even lower numerically. A number
of years back SYN cookies were extended to store the additional state in
the TCP timestamp fields, if available on a connection. While timestamps
are common among the BSD, Linux and other *nix systems Windows never enabled
them by default and thus are not present for the vast majority of clients
seen on the Internet.
The common parameters used on TCP sessions have changed quite a bit since
SYN cookies very invented some 17 years ago. Today we have a lot more
bandwidth available making the use window scaling almost mandatory. Also
SACK has become standard making recovering from packet loss much more
efficient.
This change moves all necessary information into the ISS removing the need
for timestamps. Both the MSS (16 bits) and send WSCALE (4 bits) are stored
in 3 bit indexed form together with a single bit for SACK. While this is
significantly less than the original range, it is sufficient to encode all
common values with minimal rounding.
The MSS depends on the MTU of the path and with the dominance of ethernet
the main value seen is around 1460 bytes. Encapsulations for DSL lines
and some other overheads reduce it by a few more bytes for many connections
seen. Rounding down to the next lower value in some cases isn't a problem
as we send only slightly more packets for the same amount of data.
The send WSCALE index is bit more tricky as rounding down under-estimates
the available send space available towards the remote host, however a small
number values dominate and are carefully selected again.
The receive WSCALE isn't encoded at all but recalculated based on the local
receive socket buffer size when a valid SYN cookie returns. A listen socket
buffer size is unlikely to change while active.
The index values for MSS and WSCALE are selected for minimal rounding errors
based on large traffic surveys. These values have to be periodically
validated against newer traffic surveys adjusting the arrays tcp_sc_msstab[]
and tcp_sc_wstab[] if necessary.
In addition the hash MAC to protect the SYN cookies is changed from MD5
to SipHash-2-4, a much faster and cryptographically secure algorithm.
Reviewed by: dwmalone
Tested by: Fabian Keil <fk@fabiankeil.de>
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
hash function) optimized for speed on short messages returning a 64bit hash/
digest value.
SipHash is simpler and much faster than other secure MACs and competitive
in speed with popular non-cryptographic hash functions. It uses a 128-bit
key without the hidden cost of a key expansion step. SipHash iterates a
simple round function consisting of four additions, four xors, and six
rotations, interleaved with xors of message blocks for a pre-defined number
of compression and finalization rounds. The absence of secret load/store
addresses or secret branch conditions avoid timing attacks. No state is
shared between messages. Hashing is deterministic and doesn't use nonces.
It is not susceptible to length extension attacks.
Target applications include network traffic authentication, message
authentication (MAC) and hash-tables protection against hash-flooding
denial-of-service attacks.
The number of update/finalization rounds is defined during initialization:
SipHash24_Init() for the fast and reasonable strong version.
SipHash48_Init() for the strong version (half as fast).
SipHash usage is similar to other hash functions:
struct SIPHASH_CTX ctx;
char *k = "16bytes long key"
char *s = "string";
uint64_t h = 0;
SipHash24_Init(&ctx);
SipHash_SetKey(&ctx, k);
SipHash_Update(&ctx, s, strlen(s));
SipHash_Final(&h, &ctx); /* or */
h = SipHash_End(&ctx); /* or */
h = SipHash24(&ctx, k, s, strlen(s));
It was designed by Jean-Philippe Aumasson and Daniel J. Bernstein and
is described in the paper "SipHash: a fast short-input PRF", 2012.09.18:
https://131002.net/siphash/siphash.pdf
Permanent ID: b9a943a805fbfc6fde808af9fc0ecdfa
Implemented by: andre (based on the paper)
Reviewed by: cperciva
|
| |
|
|
|
|
| |
rounded limit making a call to uma_zone_get_max(9) unnecessary.
MFC after: 1 day
|
| |
|
|
|
|
|
|
| |
expose the value of the tunable maxmbufmem as "kern.ipc.maxmbufmem"
through sysctl.
Reported by: smh
MFC after: 1 day
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
is being wired now. The entry wired count is changed to non-zero in
advance, before the map lock is dropped. This makes the vm_fault() to
perceive the entry as wired, and breaks the fragment which moves the
wire count from the shadowed page, to the upper page, making the code
unwiring non-wired page.
On the other hand, the vm_fault() calls from vm_fault_wire() should be
allowed to proceed, so only drain MAP_ENTRY_IN_TRANSITION from
vm_fault() when wiring_thread is not current.
Reported and tested by: pho
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
parallel creation of the map entries, e.g. by mmap() or stack growing.
It also breaks when other entry is wired in parallel.
The vm_map_wire() iterates over the map entries in the region, and
assumes that map entries it finds are marked as in transition before,
also that any entry marked as in transition, are marked by the current
invocation of vm_map_wire(). This is not true for new entries in the
holes.
Add the thread owner of the MAP_ENTRY_IN_TRANSITION flag to struct
vm_map_entry. In vm_map_wire() and vm_map_unwire(), only process the
entries which transition owner is the current thread.
Reported and tested by: pho
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
msync(MS_INVALIDATE). The vm_fault_copy_entry() requires that object
range which corresponds to the user-wired vm_map_entry, is always
fully populated.
Add OBJPR_NOTWIRED flag for vm_object_page_remove() to request the
preserving behaviour, use it when calling vm_object_page_remove() from
vm_object_sync().
Reported and tested by: pho
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
| |
not busy, since its only caller brelse() can legitimately call it on
busy page. This happens for VOP_PUTPAGES() on filesystems that use
buffers and which VOP_WRITE() method marked the buffer containing page
as non-cacheable.
Reported and tested by: pho
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
error if any user wired mappings exist. Doing the invalidation
destroys the user wiring.
The change is the temporal measure to close the bug, the more proper
fix is to delegate the invalidation of the page to upper layers
always.
Reported and tested by: pho
Reviewed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
|
| |
|
|
|
|
|
|
| |
ptelist KVA is exhausted. Currently this cannot happen, the added
panic serves as assert.
Discussed with: alc
Sponsored by: The FreeBSD Foundation
|
| |
|
|
|
|
|
| |
Clear m->object for the page taken from the delayed free list in
pmap_pv_reclaim().
Noted by: alc
|
| |
|
|
|
|
|
| |
by FreeBSD and UEFI.
Tested with nvram(4).
Reviewed by: neel
|
| |
|
|
| |
MFC after: 2 days
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
|
|
|
| |
processing. Thanks for John Baldwin for catching this. Not
clearing the flag member of the rxbuf could result in a NULL
mbuf pointer being used.
MFC after: 2 days (this needs to get into 9.2!)
|
| |
|
|
|
|
|
|
|
|
|
| |
an executable by-name without forking or using externals.
In a performance benchmark of 10,000 runs on circa 2006 hardware, f_which
out-performed `which' with an average completion time of ~2.5 seconds versus
~56 seconds.
This should be handy for future use (not that I make it a habit to call
`which' in a loop 10,000 times).
|
| |
|
|
| |
Approved by: bapt (mentor)
|
| |
|
|
|
|
| |
This is based on r106058 in UFS.
MFC after: 1 month
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
isdir? ( fd -- bool )
freaddir ( fd -- ptr len TRUE | FALSE )
The 'isdir?' word returns `true' if the file descriptor is for a
directory and `false' otherwise.
The 'freaddir' word reads the next directory entry and if successful,
returns its name and 'true'. Otherwise 'false' is returned.
These words give the loader the ability to scan directories and read
files contained in them for 'rc.d'-like flexibility in handling which
modules to load and/or which tunables to set.
Obtained from: Juniper Networks, Inc.
|
| |
|
|
|
|
|
|
|
|
|
| |
kvm_uread() function, used for reading from /proc/pid/mem, was
removed too. But the function declaration remained in kvm.h
public header and the soname was not bumped.
Remove kvm_uread() from kvm.h and bump the soname.
Reported by: rmh
Discussed on: arch
|
| |
|
|
|
|
|
|
|
|
| |
Missing type change from r252435.
This fixes a "Stale NFS file handle" error.
Reported by: Claude Bisson
Tested by: Claude Bisson
Pointed hat: pfg
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
H/W not de-asserting the interrupt at all. On x86, and because of the
following conditions, this results in a hard hang with interrupts disabled:
1. The uart(4) driver uses a spin lock to protect against concurrent
access to the H/W. Spin locks disable and restore interrupts.
2. Restoring the interrupt on x86 always writes the flags register. Even
if we're restoring the interrupt from disabled to disabled.
3. The x86 CPU has a short window in which interrupts are enabled when the
flags register is written.
4. The uart(4) driver registers a fast interrupt by default.
To catch this case, we first try to clear any pending H/W interrupts and in
particular, before setting up the interrupt. This makes sure the interrupt
is masked on the PIC. The interrupt handler now has a limit set on the
number of iterations it'll go through to clear interrupt conditions. If the
limit is hit, the handler will return FILTER_SCHEDULE_THREAD. The attach
function will check for this return code and avoid setting up the interrupt
and foce polling in that case.
Obtained from: Juniper Networks, Inc.
|
| |
|
|
| |
potential race condition for static initialisers.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
about mount and unmount events. This is used by Juniper to implement a more
optimal implementation of NetBSD's veriexec.
This change differs from r253224 in the following way:
o The vfs_mounted handler is called before mountcheckdirs() and with
newdp locked. vp is unlocked.
o The event handlers are declared in <sys/eventhandler.h> and not in
<sys/mount.h>. The <sys/mount.h> header is used in user land code
that pretends to be kernel code and as such creates a very convoluted
environment. It's hard to untangle.
Submitted by: stevek@juniper.net
Discussed with: pjd@
Obtained from: Juniper Networks, Inc.
|
| |
|
|
|
|
| |
violations.
Update related comments and style.
|
| | |
|
| |
|
|
|
|
|
|
| |
don't declare a variable. The size before/after this change of the structs
doesn't change with gcc/clang.
Noticed by: several
Suggested by: Gary Jennejohn <gljennjohn@googlemail.com>
|
| | |
|
| |
|
|
|
|
|
| |
journal id.
Requested by: Andreas Longwitz <longwitz@incore.de>
MFC after: 1 week
|
| |
|
|
|
|
|
|
|
|
| |
reuse as the pv chink page in reclaim_pv_chunk(). Having non-NULL
m->object is wrong for page not owned by an object and confuses both
vm_page_free_toq() and vm_page_remove() when the page is freed later.
Reported and tested by: pho
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
|
| |
|
|
|
| |
Reviewed by: rpaulo
Approved by: sbruno (mentor)
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
| |
Reviewed by: imp
|
| |
|
|
|
|
| |
dhclient(8) or alias addresses are added.
Tested by: dcx dcy <dcbsdx@hotmail.com>
|
| |
|
|
|
|
|
|
|
| |
structure copying in random_ident_hardware(). This change will also help
further modularization of random(4) subsystem.
Submitted by: arthurmesh@gmail.com
Reviewed by: obrien
Obtained from: Juniper Networks
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
VMware up to at least ESXi 5.1. Actually, using INTx in that case instead
may still result in interrupt storms, with MSI being the only working
option in some configurations. So introduce a PCI_QUIRK_DISABLE_MSIX quirk
which only blacklists MSI-X but not also MSI and use it for the VMware
PCI-PCI-bridges. Note that, currently, we still assume that if MSI doesn't
work, MSI-X won't work either - but that's part of the internal logic and
not guaranteed as part of the API contract. While at it, add and employ
a pci_has_quirk() helper.
Reported and tested by: Paul Bucher
- Use NULL instead of 0 for pointers.
Submitted by: jhb (mostly)
Approved by: jhb
MFC after: 3 days
|
| |
|
|
| |
MFC after: 1 month
|
| |
|
|
| |
MFC after: 1 day
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
if it exists to determine if use_shadow is true (ON) or false (OFF).
The purpose of determining the value of use_shadow is to know how many lines
to subtract from the maximum height value in assuring that the backtitle is
not obscured.
The detriment of obscuring the backtitle is that it provides information
that is not easily obtained elsewhere. That is the command-line shortcut
used to access the current menu. As you navigate from one dialog to the
next, invariably transparently corssing module boundaries, the backtitle
represents the command-line argument used to get there. Obscuring this
information with a widget that is too-tall and/or too-wide would see that
data go unnoticed (leaving few other ways to get that information in the
same helpful context).
So despite the fact that this change reduces the standard maximum height for
all widgets, there is a trap-door to prevent this calculation. If you want
to utilize the full screen height on the terminal (remember, this adjustment
is not made for Xdialog(1)) you can set $NO_BACKTITLE to 1 (or any non-NULL
value for that matter) and this calculation will be skipped. You will be
able to draw a widget that partially obscures the backtitle if-necessary.
MFC after: 1 day
|
| |
|
|
|
|
|
|
|
|
| |
access it.
While here, also fix the identify usage message to show the -v and -x
parameters.
Sponsored by: Intel
MFC after: 3 days
|
| |
|
|
|
| |
Sponsored by: Intel
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
|
|
| |
are processed as admin commands, not I/O commands.
As part of this change, pull out the code for parsing a namespace node
string into a separate function, since it is used for both identify and
logpage commands.
Sponsored by: Intel
MFC after: 3 days
|
| |
|
|
|
|
|
| |
if not already defined elsewhere.
Requested by: attilio
MFC after: 3 days
|
| |
|
|
| |
MFC after: 3 days
|
| |
|
|
|
|
|
| |
in 9.2 release.
Sponsored by: Intel
MFC after: 3 days
|
| |
|
|
|
|
|
|
|
| |
firmware download. This correctly prints an error and exits for
an incorrect firmware image name before prompting the user to
confirm the download.
Sponsored by: Intel
MFC after: 3 days
|
