path: root/sys/netinet/tcp_input.c
Commit log for this file. Each entry gives the commit message, then the author, date, number of files touched and lines removed/added.
* KSE Milestone 2
  Author: julian  Date: 2001-09-12  Files: 1  Lines: -2/+2
  Note ALL MODULES MUST BE RECOMPILED
  make the kernel aware that there are smaller units of scheduling than the process. (but only allow one thread per process at this time). This is functionally equivalent to the previous -current except that there is a thread associated with each process. Sorry john! (your next MFC will be a doosie!)
  Reviewed by: peter@freebsd.org, dillon@freebsd.org
  X-MFC after: ha ha ha ha
* Patches from Keiichi SHIMA <keiichi@iij.ad.jp>
  Author: julian  Date: 2001-09-03  Files: 1  Lines: -3/+3
  to make ip use the standard protosw structure again.
  Obtained from: Well, KAME I guess.
* when newreno is turned on, if dupacks = 1 or dupacks = 2 and new data is acknowledged, reset the dupacks to 0.
  Author: jayanth  Date: 2001-08-29  Files: 1  Lines: -0/+2
  The problem was spotted when a connection had its send buffer full because the congestion window was only 1 MSS and was not being incremented because dupacks was not reset to 0.
  Obtained from: Yahoo!
* Correct a typo in a comment: FIN_WAIT2 -> FIN_WAIT_2
  Author: dd  Date: 2001-08-23  Files: 1  Lines: -1/+1
  PR: 29970
  Submitted by: Joseph Mallett <jmallett@xMach.org>
* Much delayed but now present: RFC 1948 style sequence numbers
  Author: silby  Date: 2001-08-22  Files: 1  Lines: -3/+2
  In order to ensure security and functionality, RFC 1948 style initial sequence number generation has been implemented. Barring any major cryptographic breakthroughs, this algorithm should be unbreakable. In addition, the problems with TIME_WAIT recycling which affect our currently used algorithm are not present.
  Reviewed by: jesper
* Temporary feature: Runtime tuneable tcp initial sequence number generation scheme.
  Author: silby  Date: 2001-07-08  Files: 1  Lines: -2/+2
  Users may now select between the currently used OpenBSD algorithm and the older random positive increment method. While the OpenBSD algorithm is more secure, it also breaks TIME_WAIT handling; this is causing trouble for an increasing number of folks. To switch between generation schemes, one sets the sysctl net.inet.tcp.tcp_seq_genscheme. 0 = random positive increments, 1 = the OpenBSD algorithm. 1 is still the default. Once a secure _and_ compatible algorithm is implemented, this sysctl will be removed.
  Reviewed by: jlemon
  Tested by: numerous subscribers of -net
* Add netstat(1) knob to reset net.inet.{ip|icmp|tcp|udp|igmp}.stats.
  Author: ru  Date: 2001-06-23  Files: 1  Lines: -1/+1
  For example, ``netstat -s -p ip -z'' will show and reset IP stats.
  PR: bin/17338
* Eliminate the allocation of a tcp template structure for each connection.
  Author: silby  Date: 2001-06-23  Files: 1  Lines: -6/+0
  The information contained in a tcptemp can be reconstructed from a tcpcb when needed. Previously, tcp templates required the allocation of one mbuf per connection. On large systems, this change should free up a large number of mbufs.
  Reviewed by: bmilekic, jlemon, ru
  MFC after: 2 weeks
* Sync with recent KAME.
  Author: ume  Date: 2001-06-11  Files: 1  Lines: -30/+79
  This work was based on kame-20010528-freebsd43-snap.tgz and some critical problems found after the snap was out were fixed. There are many many changes since the last KAME merge.
  TODO:
  - The definitions of SADB_* in sys/net/pfkeyv2.h are still different from the RFC2407/IANA assignment because of a binary compatibility issue. It should be fixed under 5-CURRENT.
  - The ip6po_m member of struct ip6_pktopts is no longer used. But, it is still there because of a binary compatibility issue. It should be removed under 5-CURRENT.
  Reviewed by: itojun
  Obtained from: KAME
  MFC after: 3 weeks
* Silby's take one on increasing FreeBSD's resistance to SYN floods:
  Author: jesper  Date: 2001-06-06  Files: 1  Lines: -1/+14
  One way we can reduce the amount of traffic we send in response to a SYN flood is to eliminate the RST we send when removing a connection from the listen queue. Since we are being flooded, we can assume that the majority of connections in the queue are bogus. Our RST is unwanted by these hosts, just as our SYN-ACK was. Genuine connection attempts will result in hosts responding to our SYN-ACK with an ACK packet. We will automatically return a RST response to their ACK when it gets to us if the connection has been dropped, so the early RST doesn't serve the genuine class of connections much. In summary, we can reduce the number of packets we send by a factor of two without any loss in functionality by ensuring that RST packets are not sent when dropping a connection from the listen queue.
  Submitted by: Mike Silbersack <silby@silby.com>
  Reviewed by: jesper
  MFC after: 2 weeks
* Inline TCP_REASS() in the single location where it's used, just as OpenBSD and NetBSD have done.
  Author: jesper  Date: 2001-05-29  Files: 1  Lines: -33/+30
  No functional difference.
  MFC after: 2 weeks
* properly delay acks in half-closed TCP connections
  Author: jesper  Date: 2001-05-29  Files: 1  Lines: -1/+1
  PR: 24962
  Submitted by: Tony Finch <dot@dotat.at>
  MFC after: 2 weeks
* Say goodbye to TCP_COMPAT_42
  Author: jesper  Date: 2001-04-20  Files: 1  Lines: -9/+0
  Reviewed by: wollman
  Requested by: wollman
* Randomize the TCP initial sequence numbers more thoroughly.
  Author: kris  Date: 2001-04-17  Files: 1  Lines: -2/+11
  Obtained from: OpenBSD
  Reviewed by: jesper, peter, -developers
* Axe TCP_RESTRICT_RST.
  Author: des  Date: 2001-03-19  Files: 1  Lines: -12/+1
  It was never a particularly good idea except for a few very specific scenarios, and now that we have had net.inet.tcp.blackhole for quite some time there is really no reason to use it any more. (last of three commits)
* Do not delay a new ack if there already is a delayed ack pending on the connection, but send it immediately.
  Author: jlemon  Date: 2001-02-25  Files: 1  Lines: -5/+11
  Prior to this change, it was possible to delay a delayed-ack for multiple times, resulting in degraded TCP behavior in certain corner cases.
* Clean up RST ratelimiting.
  Author: bmilekic  Date: 2001-02-11  Files: 1  Lines: -33/+48
  Previously, ratelimiting occurred before tests were performed to determine if the received packet should be reset. This created erroneous ratelimiting and false alarms in some cases. The code has now been reorganized so that the checks for validity come before the call to badport_bandlim. Additionally, a few changes in the symbolic names of the bandlim types have been made, as well as a clarification of exactly which type each RST case falls under.
  Submitted by: Mike Silbersack <silby@silby.com>
* Correct a comment.
  Author: wollman  Date: 2001-01-24  Files: 1  Lines: -1/+1
* Change the following:
  Author: bmilekic  Date: 2000-12-15  Files: 1  Lines: -2/+8
  1. ICMP ECHO and TSTAMP replies are now rate limited.
  2. RSTs generated due to packets sent to open and unopen ports are now limited by separate counters.
  3. Each rate limiting queue now has its own description, as follows:
     Limiting icmp unreach response from 439 to 200 packets per second
     Limiting closed port RST response from 283 to 200 packets per second
     Limiting open port RST response from 18724 to 200 packets per second
     Limiting icmp ping response from 211 to 200 packets per second
     Limiting icmp tstamp response from 394 to 200 packets per second
  Submitted by: Mike Silbersack <silby@silby.com>
* Convert more malloc+bzero to malloc+M_ZERO.
  Author: dwmalone  Date: 2000-12-08  Files: 1  Lines: -2/+1
  Submitted by: josh@zipperup.org
  Submitted by: Robert Drehmel <robd@gmx.net>
* tp->snd_recover is part of the New Reno recovery algorithm, and should only be checked if the system is currently performing New Reno style fast recovery.
  Author: jlemon  Date: 2000-11-04  Files: 1  Lines: -1/+6
  However, this value was being checked regardless of the NR state, with the end result being that the congestion window was never opened. Change the logic to check t_dupack instead; the only code path that allows it to be nonzero at this point is NewReno, so if it is nonzero, we are in fast recovery mode and should not touch the congestion window.
  Tested by: phk
* When a connection is being dropped due to a listen queue overflow, delete the cloned route that is associated with the connection.
  Author: jayanth  Date: 2000-07-21  Files: 1  Lines: -0/+8
  This does not exhaust the routing table memory when the system is under a SYN flood attack. The route entry is not deleted if there is any prior information cached in it.
  Reviewed by: Peter Wemm, asmodai
* be more cautious about tcp option length field. drop bogus ones earlier.
  Author: itojun  Date: 2000-07-09  Files: 1  Lines: -1/+3
  not sure if there is a real threat or not, but it seems that there's possibility for overrun/underrun (like non-NOP option with optlen > cnt).
* sync with kame tree as of july00. tons of bug fixes/improvements.
  Author: itojun  Date: 2000-07-04  Files: 1  Lines: -11/+7
  API changes:
  - additional IPv6 ioctls
  - IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8). (also syntax change)
* sysctl'ize ICMP_BANDLIM and ICMP_BANDLIM_SUPPRESS_OUTPUT.
  Author: dan  Date: 2000-05-22  Files: 1  Lines: -4/+2
  Suggested by: des/nbm
* snd_cwnd was updated twice in the tcp_newreno function.
  Author: jayanth  Date: 2000-05-18  Files: 1  Lines: -1/+0
* Sigh, fix a rookie patch merge error.
  Author: jayanth  Date: 2000-05-17  Files: 1  Lines: -3/+0
  Also-missed-by: peter
* snd_una was being updated incorrectly, this resulted in the newreno code retransmitting data from the wrong offset.
  Author: jayanth  Date: 2000-05-16  Files: 1  Lines: -3/+8
  As a footnote, the newreno code was partially derived from NetBSD and Tom Henderson <tomh@cs.berkeley.edu>
* Implement TCP NewReno, as documented in RFC 2582.
  Author: jlemon  Date: 2000-05-06  Files: 1  Lines: -6/+73
  This allows better recovery for multiple packet losses in a single window. The algorithm can be toggled via the sysctl net.inet.tcp.newreno, which defaults to "on".
  Submitted by: Jayanth Vijayaraghavan <jayanth@yahoo-inc.com>
* ND6_HINT() should not be called unless the connection status is ESTABLISHED.
  Author: sumikawa  Date: 2000-04-17  Files: 1  Lines: -1/+0
  Obtained from: KAME Project
* Support per socket based IPv4 mapped IPv6 addr enable/disable control.
  Author: shin  Date: 2000-04-01  Files: 1  Lines: -1/+1
  Submitted by: ume
* Add support for offloading IP/TCP/UDP checksums to NIC hardware which supports them.
  Author: jlemon  Date: 2000-03-27  Files: 1  Lines: -10/+22
* IPv6 6to4 support.
  Author: shin  Date: 2000-03-11  Files: 1  Lines: -1/+1
  Now the biggest problem of IPv6 is getting IPv6 address assignment. 6to4 solves the problem. A 6to4 addr is defined like below,
    2002: 4byte v4 addr : 2byte SLA ID : 8byte interface ID
  The most important point of the address format is that an IPv4 addr is embedded in it. So any user who has an IPv4 addr can get an IPv6 address block with 2byte subnet space. Also, the IPv4 addr is used for semi-automatic IPv6 over IPv4 tunneling. With 6to4, getting an IPv6 addr becomes dramatically easy. The attached patch enables the 6to4 extension, and is confirmed to work, between "Richard Seaman, Jr." <dick@tar.com> and me.
  Approved by: jkh
  Reviewed by: itojun
* Mitigate the stream.c attack
  Author: simp  Date: 2000-01-28  Files: 1  Lines: -16/+32
  o Drop all broadcast and multicast source addresses in tcp_input.
  o Enable ICMP_BANDLIM in GENERIC.
  o Change default to 200/s from 100/s. This will still stop the attack, but is conservative enough to do this close to code freeze.
  This is not the optimal patch for the problem, but is likely the least intrusive patch that can be made for this.
  Obtained from: Don Lewis and Matt Dillon.
  Reviewed by: freebsd-security
* Avoid m_len and m_pkthdr.len inconsistency when changing m_len for an mbuf whose M_PKTHDR is set.
  Author: shin  Date: 2000-01-25  Files: 1  Lines: -0/+2
  PR: related to kern/15175
  Reviewed by: archie
* Fixed the problem that IPsec connection hangs when bigger data is sent.
  Author: shin  Date: 2000-01-15  Files: 1  Lines: -0/+4
  - opt_ipsec.h was missing on some tcp files (sorry for basic mistake)
  - made buildable as above fix
  - also added some missing IPv4 mapped IPv6 addr consideration into ipsec4_getpolicybysock
* add a comment for some possible? IPv4 option processing.
  Author: shin  Date: 2000-01-13  Files: 1  Lines: -0/+1
* tcp updates to support IPv6.
  Author: shin  Date: 2000-01-09  Files: 1  Lines: -271/+678
  also a small patch to sys/nfs/nfs_socket.c, as max_hdr size change.
  Reviewed by: freebsd-arch, cvs-committers
  Obtained from: KAME project
* IPSEC support in the kernel.
  Author: shin  Date: 1999-12-22  Files: 1  Lines: -2/+3
  pr_input() routines prototype is also changed to support IPSEC and IPV6 chained protocol headers.
  Reviewed by: freebsd-arch, cvs-committers
  Obtained from: KAME project
* Use SEQ_* macros for comparing sequence space numbers.
  Author: jlemon  Date: 1999-12-14  Files: 1  Lines: -2/+2
  Reviewed by: truckman
* According to RFC 793, a reset should be honored if the sequence number is within the receive window.
  Author: jlemon  Date: 1999-12-11  Files: 1  Lines: -7/+6
  Follow this behavior, instead of only allowing resets at last_ack_sent.
  Pointed out by: jayanth@yahoo-inc.com
* udp IPv6 support, IPv6/IPv4 tunneling support in kernel, packet divert at kernel for IPv6/IPv4 translator daemon
  Author: shin  Date: 1999-12-07  Files: 1  Lines: -4/+5
  This includes queue related patch submitted by jburkhol@home.com.
  Submitted by: queue related patch from jburkhol@home.com
  Reviewed by: freebsd-arch, cvs-committers
  Obtained from: KAME project
* Implement RLIMIT_SBSIZE in the kernel. This is a per-uid sockbuf total usage limit.
  Author: green  Date: 1999-10-09  Files: 1  Lines: -2/+2
* Fix some more disordering, as well as the description string for the net.inet.tcp.drop_synfin sysctl, which for some mysterious reason said "Drop TCP packets with FIN+ACK set" (instead of "...with SYN+FIN set")
  Author: des  Date: 1999-09-14  Files: 1  Lines: -6/+6
* Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel options, respectively.
  Author: des  Date: 1999-09-12  Files: 1  Lines: -0/+29
  See the comments in LINT for details.
* Restructure TCP timeout handling:
  Author: jlemon  Date: 1999-08-30  Files: 1  Lines: -58/+114
  - eliminate the fast/slow timeout lists for TCP and instead use a callout entry for each timer.
  - increase the TCP timer granularity to HZ
  - implement "bad retransmit" recovery, as presented in "On Estimating End-to-End Network Path Properties", by Allman and Paxson.
  Submitted by: jlemon, wollmann
* Remove extra indenting of `break' statements introduced in rev 1.89, plus wrap some long lines from that revision.
  Author: obrien  Date: 1999-08-29  Files: 1  Lines: -9/+13
  While here, wrap some other long lines.
* $Id$ -> $FreeBSD$
  Author: peter  Date: 1999-08-28  Files: 1  Lines: -1/+1
* Fix breakage if blackhole=1 and tiflags & TH_SYN, plus style(9) fixes
  Author: csgr  Date: 1999-08-19  Files: 1  Lines: -7/+12
  Submitted by: Jonathon Lemon
* Slight tweak to tcp.blackhole to add optional behaviour to drop any segment arriving at a closed port.
  Author: csgr  Date: 1999-08-18  Files: 1  Lines: -9/+26
  tcp.blackhole=1 - only drop SYN without RST
  tcp.blackhole=2 - drop everything without RST
  tcp.blackhole=0 - always send RST - default behaviour
  This confuses nmap -sF or -sX or -sN quite badly.