path: root/sys/netinet/tcp_input.c
Commit log (each entry: [author, date, files changed, lines removed/added] followed by the commit message):
* [jlemon, 1999-12-14, 1 file, -2/+2] Use SEQ_* macros for comparing sequence space numbers.
  Reviewed by: truckman
* [jlemon, 1999-12-11, 1 file, -7/+6] According to RFC 793, a reset should be honored if the sequence number is within the receive window. Follow this behavior, instead of only allowing resets at last_ack_sent.
  Pointed out by: jayanth@yahoo-inc.com
* [shin, 1999-12-07, 1 file, -4/+5] udp IPv6 support, IPv6/IPv4 tunneling support in kernel, packet divert at kernel for IPv6/IPv4 translator daemon. This includes queue related patch submitted by jburkhol@home.com.
  Submitted by: queue related patch from jburkhol@home.com
  Reviewed by: freebsd-arch, cvs-committers
  Obtained from: KAME project
* [green, 1999-10-09, 1 file, -2/+2] Implement RLIMIT_SBSIZE in the kernel. This is a per-uid sockbuf total usage limit.
* [des, 1999-09-14, 1 file, -6/+6] Fix some more disordering, as well as the description string for the net.inet.tcp.drop_synfin sysctl, which for some mysterious reason said "Drop TCP packets with FIN+ACK set" (instead of "...with SYN+FIN set").
* [des, 1999-09-12, 1 file, -0/+29] Add the net.inet.tcp.restrict_rst and net.inet.tcp.drop_synfin sysctl variables, conditional on the TCP_RESTRICT_RST and TCP_DROP_SYNFIN kernel options, respectively. See the comments in LINT for details.
* [jlemon, 1999-08-30, 1 file, -58/+114] Restructure TCP timeout handling:
  - eliminate the fast/slow timeout lists for TCP and instead use a callout entry for each timer.
  - increase the TCP timer granularity to HZ
  - implement "bad retransmit" recovery, as presented in "On Estimating End-to-End Network Path Properties", by Allman and Paxson.
  Submitted by: jlemon, wollman
* [obrien, 1999-08-29, 1 file, -9/+13] Remove extra indenting of `break' statements introduced in rev 1.89, plus wrap some long lines from that revision. While here, wrap some other long lines.
* [peter, 1999-08-28, 1 file, -1/+1] $Id$ -> $FreeBSD$
* [csgr, 1999-08-19, 1 file, -7/+12] Fix breakage if blackhole=1 and tiflags & TH_SYN, plus style(9) fixes.
  Submitted by: Jonathan Lemon
* [csgr, 1999-08-18, 1 file, -9/+26] Slight tweak to tcp.blackhole to add optional behaviour to drop any segment arriving at a closed port.
  tcp.blackhole=1 - only drop SYN without RST
  tcp.blackhole=2 - drop everything without RST
  tcp.blackhole=0 - always send RST - default behaviour
  This confuses nmap -sF or -sX or -sN quite badly.
* [csgr, 1999-08-17, 1 file, -2/+9] Add net.inet.tcp.blackhole and net.inet.udp.blackhole sysctl knobs. With these knobs on, refused connection attempts are dropped without sending a RST, or Port unreachable in the UDP case. In the TCP case, sending of RST is inhibited iff the incoming segment was a SYN. Docs and rc.conf settings to follow.
* [jmb, 1999-07-18, 1 file, -3/+3] Fix comment re: RST received in TIME_WAIT to match the code.
* [peter, 1999-05-06, 1 file, -2/+3] Add sufficient braces to keep egcs happy about potentially ambiguous if/else nesting.
* [billf, 1999-05-03, 1 file, -5/+6] Add sysctl descriptions to many SYSCTL_XXXs.
  PR: kern/11197
  Submitted by: Adrian Chadd <adrian@FreeBSD.org>
  Reviewed by: billf (spelling/style/minor nits)
  Looked at by: bde (style)
* [fenner, 1999-02-06, 1 file, -2/+2] Use snd_nxt, not rcv_nxt, when calculating the ISS during TIME_WAIT. This was missed in the 4.4-Lite2 merge.
  Noticed by: Mohan Parthasarathy <Mohan.Parthasarathy@eng.Sun.COM> and jayanth@loc201.tandem.com (vijayaraghavan_jayanth) on the tcp-impl mailing list.
* [dillon, 1999-01-27, 1 file, -2/+2] Fix warnings in preparation for adding -Wall -Wcast-qual to the kernel compile.
* [dillon, 1998-12-03, 1 file, -2/+8] Reviewed by: freebsd-current
  Add ICMP_BANDLIM option and 'net.inet.icmp.icmplim' sysctl. If option is specified in kernel config, icmplim defaults to 100 pps. Setting it to 0 will disable the feature. This feature limits ICMP error responses for packets sent to bad tcp or udp ports, which does a lot to help the machine handle network D.O.S. attacks. The kernel will report packet rates that exceed the limit at a rate of one kernel printf per second.
  There is one issue in regards to the 'tail end' of an attack... the kernel will not output the last report until some unrelated and valid icmp error packet is returned at some point after the attack is over. This is a minor reporting issue only.
* [wollman, 1998-09-11, 1 file, -42/+112] Fix RST validation.
  PR: 7892
  Submitted by: Don.Lewis@tsc.tdk.com
* [dfr, 1998-08-24, 1 file, -38/+49] Re-implement tcp and ip fragment reassembly to not store pointers in the ip header, which can't work on alpha since pointers are too big.
  Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
* [julian, 1998-07-06, 1 file, -1/+29] Support for IPFW based transparent forwarding. Any packet that can be matched by an ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified.
  /sbin/ipfw must be recompiled!!!
  Reviewed by: Peter Wemm <peter@freebsd.org>
  Submitted by: Chrisy Luke <chrisy@flix.net>
* [peter, 1998-05-31, 1 file, -5/+3] Let the sowwakeup macro decide when to call sowakeup rather than have tcp "know" about it. A pending upcall would be missed, eg: used by NFS.
  Obtained from: NetBSD
* [guido, 1998-05-18, 1 file, -2/+2] Grumble... It seems I'm suffering from some mental disease. Do it correctly now.
* [guido, 1998-05-18, 1 file, -2/+2] Add some parentheses for clarity and fix a bug.
  Pointed out by: Garrett Wollman
* [guido, 1998-05-04, 1 file, -2/+4] Refuse accelerated opens on listening sockets that have not set the TCP_NOPUSH socket option. This disables TAO for those services that do not know about T/TCP.
  Reviewed by: Garrett Wollman
  Submitted by: Peter Wemm
* [dg, 1998-04-24, 1 file, -2/+2] At the request of Garrett, changed sysctl: net.inet.tcp.delack_enabled -> net.inet.tcp.delayed_ack
* [des, 1998-04-17, 1 file, -2/+2] Seventy-odd "its" / "it's" typos in comments fixed as per kern/6108.
* [phk, 1998-04-06, 1 file, -7/+1] Remove the last traces of TUBA.
  Inspired by: PR kern/3317
* [fenner, 1998-03-20, 1 file, -10/+4] Remove the check for SYN in SYN_RECEIVED state; it breaks simultaneous connect. This check was added as part of the defense against the "land" attack, to prevent attacks which guess the ISS from going into ESTABLISHED. The "src == dst" check will still prevent the single-homed case of the "land" attack, and guessing ISS's should be hard anyway.
  Submitted by: David Borman <dab@bsdi.com>
* [dg, 1998-02-26, 1 file, -18/+16] Changes to support the addition of a new sysctl variable: net.inet.tcp.delack_enabled, which defaults to 1 and can be set to 0 to disable TCP delayed-ack processing (i.e. all acks are immediate).
* [dg, 1998-01-27, 1 file, -27/+11] Improved connection establishment performance by doing local port lookups via a hashed port list. In the new scheme, in_pcblookup() goes away and is replaced by a new routine, in_pcblookup_local(), for doing the local port check. Note that this implementation is space inefficient in that the PCB struct is now too large to fit into 128 bytes. I might deal with this in the future by using the new zone allocator, but I wanted these changes to be extensively tested in their current form first.
  Also:
  1) Fixed off-by-one errors in the port lookup loops in in_pcbbind().
  2) Got rid of some unneeded rehashing. Adding a new routine, in_pcbinshash(), to do the initial hash insertion.
  3) Renamed in_pcblookuphash() to in_pcblookup_hash() for easier readability.
  4) Added a new routine, in_pcbremlists(), to remove the PCB from the various hash lists.
  5) Added/deleted comments where appropriate.
  6) Removed unnecessary splnet() locking. In general, the PCB functions should be called at splnet()...there are unfortunately a few exceptions, however.
  7) Reorganized a few structs for better cache line behavior.
  8) Killed my TCP_ACK_HACK kludge. It may come back in a different form in the future, however.
  These changes have been tested on wcarchive for more than a month. In tests done here, connection establishment overhead is reduced by more than 50 times, thus getting rid of one of the major networking scalability problems.
  Still to do: make tcp_fastimo/tcp_slowtimo scale well for systems with a large number of connections. tcp_fastimo is easy; tcp_slowtimo is difficult.
  WARNING: Anything that knows about inpcb and tcpcb structs will have to be recompiled; at the very least, this includes netstat(1).
* [fenner, 1998-01-21, 1 file, -20/+25] A more complete fix for the "land" attack, removing the "quick fix" from rev 1.66. This fix contains both belt and suspenders.
  Belt: ignore packets where src == dst and srcport == dstport in TCPS_LISTEN. These packets can only legitimately occur when connecting a socket to itself, which doesn't go through TCPS_LISTEN (it goes CLOSED->SYN_SENT->SYN_RCVD->ESTABLISHED). This prevents the "standard" "land" attack, although it doesn't prevent the multi-homed variation.
  Suspenders: send a RST in response to a SYN/ACK in SYN_RECEIVED state. The only packets we should get in SYN_RECEIVED are 1. A retransmitted SYN, or 2. An ack of our SYN/ACK. The "land" attack depends on us accepting our own SYN/ACK as an ACK in SYN_RECEIVED state; this should prevent all "land" attacks.
  We also move up the sequence number check for the ACK in SYN_RECEIVED. This neither helps nor hurts with respect to the "land" attack, but puts more of the validation checking in one spot.
  PR: kern/5103
* [bde, 1997-12-19, 1 file, -5/+5] Don't use ANSI string concatenation to misformat a string.
* [wollman, 1997-11-20, 1 file, -1/+14] Add Matt Dillon's quick fix hack for the self-connect DoS.
  PR: 5103
* [phk, 1997-11-07, 1 file, -2/+1] Remove a bunch of variables which were unused both in GENERIC and LINT.
  Found by: -Wunused
* [bde, 1997-10-28, 1 file, -3/+1] Removed unused #includes.
* [dg, 1997-10-02, 1 file, -6/+1] Killed the SYN_RECEIVED addition from rev 1.52. It results in legitimate RST's being ignored, keeping a connection around until it times out, and thus has the opposite effect of what was intended (which is to make the system more robust to DoS attacks).
* [fenner, 1997-09-30, 1 file, -9/+11] Don't consider a SYN/ACK with CC but no CCECHO a proper T/TCP handshake.
  Reviewed by: Rich Stevens <rstevens@kohala.com>
* [joerg, 1997-09-16, 1 file, -1/+3] Make TCPDEBUG a new-style option.
* [wollman, 1997-08-16, 1 file, -8/+7] Fix all areas of the system (or at least all those in LINT) to avoid storing socket addresses in mbufs. (Socket buffers are the one exception.) A number of kernel APIs needed to get fixed in order to make this happen. Also, fix three protocol families which kept PCBs in mbufs to not malloc them instead. Delete some old compatibility cruft while we're at it, and add some new routines in the in_cksum family.
* [jdp, 1997-07-01, 1 file, -2/+2] Fix a bug (apparently very old) that can cause a TCP connection to be dropped when it has an unusual traffic pattern. For full details as well as a test case that demonstrates the failure, see the referenced PR.
  Under certain circumstances involving the persist state, it is possible for the receive side's tp->rcv_nxt to advance beyond its tp->rcv_adv. This causes (tp->rcv_adv - tp->rcv_nxt) to become negative. However, in the code affected by this fix, that difference was interpreted as an unsigned number by max(). Since it was negative, it was taken as a huge unsigned number. The effect was to cause the receiver to believe that its receive window had negative size, thereby rejecting all received segments including ACKs. As the test case shows, this led to fruitless retransmissions and eventually to a dropped connection. Even connections using the loopback interface could be dropped.
  The fix substitutes the signed imax() for the unsigned max() function.
  PR: closes kern/3998
  Reviewed by: davidg, fenner, wollman
* [wollman, 1997-04-27, 1 file, -2/+3] The long-awaited mega-massive-network-code-cleanup. Part I.
  This commit includes the following changes:
  1) Old-style (pr_usrreq()) protocols are no longer supported, the compatibility glue for them is deleted, and the kernel will panic on boot if any are compiled in.
  2) Certain protocol entry points are modified to take a process structure, so they can easily tell whether or not it is possible to sleep, and also to access credentials.
  3) SS_PRIV is no more, and with it goes the SO_PRIVSTATE setsockopt() call. Protocols should use the process pointer they are now passed.
  4) The PF_LOCAL and PF_ROUTE families have been updated to use the new style, as has the `raw' skeleton family.
  5) PF_LOCAL sockets now obey the process's umask when creating a socket in the filesystem.
  As a result, LINT is now broken. I'm hoping that some enterprising hacker with a bit more time will either make the broken bits work (should be easy for netipx) or dike them out.
* [peter, 1997-02-22, 1 file, -1/+1] Back out part 1 of the MCFH that changed $Id$ to $FreeBSD$. We are not ready for it yet.
* [jkh, 1997-01-14, 1 file, -1/+1] Make the long-awaited change from $Id$ to $FreeBSD$. This will make a number of things easier in the future, as well as (finally!) avoiding the Id-smashing problem which has plagued developers for so long. Boy, I'm glad we're not using sup anymore. This update would have been insane otherwise.
* [fenner, 1996-11-10, 1 file, -3/+1] Re-enable the TCP SYN-attack protection code. I was the one who didn't understand the socket state flag. 2.2 candidate.
* [pst, 1996-10-11, 1 file, -5/+9] Fix two bugs I accidentally put into the syn code at the last minute (yes, I had tested the hell out of this). I've also temporarily disabled the code so that it behaves as it previously did (tail-drops the SYNs) pending discussion with fenner about some socket state flags that I don't fully understand.
  Submitted by: fenner
* [dg, 1996-10-07, 1 file, -12/+2] Improved in_pcblookuphash() to support wildcarding, and changed relevant callers of it to take advantage of this. This reduces new connection request overhead in the face of a large number of PCBs in the system. Thanks to David Filo <filo@yahoo.com> for suggesting this and providing a sample implementation (which wasn't used, but showed that it could be done).
  Reviewed by: wollman
* [pst, 1996-10-07, 1 file, -13/+23] Increase robustness of FreeBSD against high-rate connection attempt denial of service attacks.
  Reviewed by: bde, wollman, olah
  Inspired by: vjs@sgi.com
* [pst, 1996-09-21, 1 file, -4/+3] I don't understand, I committed this fix (move a counter and fixed a typo) this evening. I think I'm going insane.
* [ache, 1996-09-21, 1 file, -2/+2] Syntax error: so_incom -> so_incomp