path: root/sys/netinet/tcp_syncache.c
Commit message | Author | Age | Files | Lines
* Properly document that syncache timer processing requires an
  exclusive TCP protocol lock.
  hsu | 2003-02-12 | 1 | -3/+3
* Fix a bug with syncookies; previously, the syncache's MSS size was not
  initialized until after a syncookie was generated. As a result, all
  connections resulting from a returned cookie would end up using an MSS of
  ~512 bytes. Now larger packets will be used where possible.
  MFC after: 5 days
  silby | 2003-01-29 | 1 | -2/+2
* Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
  Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
  alfred | 2003-01-21 | 1 | -2/+2
* Validate inp before de-referencing it.
  Submitted by: pb
  hsu | 2003-01-05 | 1 | -1/+1
* Remove forgotten INP_UNLOCK(inp) in my previous commit.
  Reported by: hsu
  pb | 2002-12-22 | 1 | -1/+0
* In syncache_timer(), don't attempt to lock the inpcb structure
  associated with the syncache entry: in case tcp_close() has been called
  on the corresponding listening socket, the lock has been destroyed as a
  side effect of in_pcbdetach(), causing a panic when we attempt to lock
  on it.
  Reviewed by: hsu
  pb | 2002-12-21 | 1 | -2/+0
* Eliminate a goto.
  Fix some line breaks.
  hsu | 2002-12-20 | 1 | -39/+36
* Expand scope of TCP protocol lock to cover syncache data structures.
  hsu | 2002-12-20 | 1 | -2/+3
* Fix instances of macros with improperly parenthesized arguments.
  Verified by: md5
  alfred | 2002-11-09 | 1 | -8/+8
* Tie new "Fast IPsec" code into the build. This involves the usual
  configuration stuff as well as conditional code in the IPv4 and IPv6
  areas. Everything is conditional on FAST_IPSEC which is mutually
  exclusive with IPSEC (KAME IPsec implementation). As noted previously,
  don't use FAST_IPSEC with INET6 at the moment.
  Reviewed by: KAME, rwatson
  Approved by: silence
  Supported by: Vernier Networks
  sam | 2002-10-16 | 1 | -1/+9
* Replace aux mbufs with packet tags:
  o instead of a list of mbufs use a list of m_tag structures a la openbsd
  o for netgraph et. al. extend the stock openbsd m_tag to include a
    32-bit ABI/module number cookie
  o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT
    and use this in defining openbsd-compatible m_tag_find and m_tag_get
    routines
  o rewrite KAME use of aux mbufs in terms of packet tags
  o eliminate the most heavily used aux mbufs by adding an additional
    struct inpcb parameter to ip_output and ip6_output to allow the IPsec
    code to locate the security policy to apply to outbound packets
  o bump __FreeBSD_version so code can be conditionalized
  o fixup ipfilter's call to ip_output based on __FreeBSD_version
  Reviewed by: julian, luigi (silent), -arch, -net, darren
  Approved by: julian, silence from everyone else
  Obtained from: openbsd (mostly)
  MFC after: 1 month
  sam | 2002-10-16 | 1 | -10/+4
* Handle PMTU discovery in syn-ack packets slightly differently;
  rely on syncache flags instead of directly accessing the route entry.
  MFC after: 3 days
  silby | 2002-08-05 | 1 | -8/+6
* Introduce support for Mandatory Access Control and extensible
  kernel access control. Instrument the TCP socket code for packet
  generation and delivery: label outgoing mbufs with the label of the
  socket, and check socket and mbuf labels before permitting delivery to a
  socket. Assign labels to newly accepted connections when the
  syncache/cookie code has done its business. Also set peer labels as
  convenient. Currently, MAC policies cannot influence the PCB matching
  algorithm, so cannot implement polyinstantiation. Note that there is at
  least one case where a PCB is not available due to the TCP packet not
  being associated with any socket, so we don't label in that case, but
  need to handle it in a special manner.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs
  rwatson | 2002-07-31 | 1 | -0/+8
* One possible code path for syncache_respond() is:
  syncache_respond(A), ip_output(), ip_input(), tcp_input(), syncache_badack(B)
  Which winds up deleting a different entry from the syncache. Handle this
  by not utilizing the next entry in the timer chain until after
  syncache_respond() completes. The case of A == B should not be possible.
  Problem found by: Don Bowman <don@sandvine.com>
  jlemon | 2002-06-28 | 1 | -1/+7
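The timer-walk hazard the commit above describes, as an added example that is not FreeBSD code: responding to entry A can re-enter tcp_input() through the loopback path and drop a different entry B, so a walk that cached B as its "next" pointer before responding then steps onto a dead entry, while a walk that reads "next" only after the response completes does not. The entry and queue layout, the function names and the drop-on-respond simulation are assumptions made for this illustration; entries are flagged dead rather than freed so the unsafe walk can be observed instead of crashing.

```c
/*
 * Added example, not FreeBSD code.  Simulates the timer chain walk of the
 * 2002-06-28 commit: sc_respond(A) may drop a different entry B.  Names,
 * layout and the simulation are assumptions; nothing is freed so the
 * unsafe walk is observable rather than a use-after-free.
 */
#include <stddef.h>

struct sc_entry {
	struct sc_entry *next, *prev;
	int id;
	int dead;       /* set once the entry has been dropped from the queue */
	int responded;  /* how many times a walk responded to this entry */
};

struct sc_timerq {
	struct sc_entry *first;
};

/* Link n entries into q in array order and reset their state. */
void sc_build(struct sc_timerq *q, struct sc_entry *ents, int n)
{
	int i;

	q->first = NULL;
	for (i = n - 1; i >= 0; i--) {
		ents[i].id = i;
		ents[i].dead = 0;
		ents[i].responded = 0;
		ents[i].prev = NULL;
		ents[i].next = q->first;
		if (q->first != NULL)
			q->first->prev = &ents[i];
		q->first = &ents[i];
	}
}

/* Unlink e from q and mark it dead (the real code would free it here). */
static void sc_drop(struct sc_timerq *q, struct sc_entry *e)
{
	if (e->prev != NULL)
		e->prev->next = e->next;
	else
		q->first = e->next;
	if (e->next != NULL)
		e->next->prev = e->prev;
	e->next = e->prev = NULL;
	e->dead = 1;
}

/*
 * Stand-in for syncache_respond(): while answering e, the re-entrant path
 * delivers a bad ACK for victim and drops it (the commit's A -> B case).
 * A == B is assumed impossible, as the commit says.
 */
static void sc_respond(struct sc_timerq *q, struct sc_entry *e,
    struct sc_entry *victim)
{
	e->responded++;
	if (victim != NULL && victim != e && !victim->dead)
		sc_drop(q, victim);
}

/* Unsafe walk: caches next before responding.  Returns dead entries touched. */
int sc_timer_walk_unsafe(struct sc_timerq *q, struct sc_entry *victim)
{
	struct sc_entry *e, *nxt;
	int dead_touched = 0;

	for (e = q->first; e != NULL; e = nxt) {
		nxt = e->next;          /* may be dropped by sc_respond() */
		if (e->dead) {          /* would be freed memory in the kernel */
			dead_touched++;
			continue;       /* nxt is NULL: the rest of the chain is lost */
		}
		sc_respond(q, e, victim);
	}
	return dead_touched;
}

/* Safe walk: reads next only after the response completes, as the fix does. */
int sc_timer_walk_safe(struct sc_timerq *q, struct sc_entry *victim)
{
	struct sc_entry *e, *nxt;
	int dead_touched = 0;

	for (e = q->first; e != NULL; e = nxt) {
		if (e->dead)
			dead_touched++;
		sc_respond(q, e, victim);
		nxt = e->next;          /* still valid: e itself is never dropped */
	}
	return dead_touched;
}
```

With three entries A, B, C and B as the victim of A's response, the unsafe walk lands on the dead B and never reaches C; the safe walk responds to A and C and skips B, which is what the commit's ordering change achieves. The safe variant still relies on the commit's stated invariant that the entry being responded to is never the one dropped.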
* Re-commit w/fix:
  Ensure that the syn cache's syn-ack packets contain the same ip_tos,
  ip_ttl, and DF bits as all other tcp packets.
  PR: 39141
  MFC after: 2 weeks
  This time, make sure that ipv4 specific code (aka all of the above) is
  only run in the ipv4 case.
  silby | 2002-06-14 | 1 | -2/+16
* Back out ip_tos/ip_ttl/DF "fix", it just panic'd my box. :)
  Pointy-hat to: silby
  silby | 2002-06-14 | 1 | -18/+0
* Ensure that the syn cache's syn-ack packets contain the same
  ip_tos, ip_ttl, and DF bits as all other tcp packets.
  PR: 39141
  MFC after: 2 weeks
  silby | 2002-06-14 | 1 | -0/+18
* Every array elt is initialized in the following loop, so remove
  unnecessary M_ZERO.
  hsu | 2002-06-10 | 1 | -1/+1
* Lock up inpcb.
  Submitted by: Jennifer Yang <yangjihui@yahoo.com>
  hsu | 2002-06-10 | 1 | -0/+5
* Modify the arguments to syncache_socket() to include the mbuf (m) that
  results in the syncache entry being turned into a socket. While it's not
  used in the main tree, this is required in the MAC tree so that labels
  can be propagated from the mbuf to the socket. This is also useful if
  you're doing things like transparent IP connection hijacking and you want
  to use the syncache/cookie mechanism, but we won't go there.
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs
  rwatson | 2002-05-14 | 1 | -4/+6
* Switch vm_zone.h with uma.h. Change over to uma interfaces.
  jeff | 2002-03-20 | 1 | -8/+9
* This is the first part of the new kernel memory allocator. This replaces
  malloc(9) and vm_zone with a slab like allocator.
  Reviewed by: arch@
  jeff | 2002-03-19 | 1 | -1/+1
* NAI DBA update
  rwatson | 2002-03-14 | 1 | -1/+1
* - Set inc_isipv6 in tcp6_usr_connect().
  - When making a pcb from a sync cache, do not forget to copy inc_isipv6.
  Obtained from: KAME
  MFC After: 1 week
  ume | 2002-02-28 | 1 | -0/+1
* When expanding a syncache entry into a socket, inherit the socket options
  from the current listen socket instead of the cached (and possibly stale)
  TCB pointer.
  jlemon | 2002-02-20 | 1 | -1/+1
* When a duplicate SYN arrives which matches an entry in the syncache,
  update our lazy reference to the inpcb structure, as it may have changed.
  Found by: dima
  jlemon | 2002-02-12 | 1 | -0/+5
* Pre-KSE/M3 commit.
  This is a low-functionality change that changes the kernel to access
  the main thread of a process via the linked list of threads rather than
  assuming that it is embedded in the process. It IS still embedded there
  but remove all the code that assumes that in preparation for the next
  commit which will actually move it out.
  Reviewed by: peter@freebsd.org, gallatin@cs.duke.edu, benno rice,
  julian | 2002-02-07 | 1 | -2/+2
* The ENDPTS_EQ macro was comparing one of the fports to itself. Fix.
  Submitted by: emy@boostworks.com
  jlemon | 2002-01-22 | 1 | -1/+1
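The endpoint comparison behind the commit above (and the macro-parenthesization fix of 2002-11-09), as an added example that is not FreeBSD code: the buggy form compares one side's foreign port with itself, so a lookup matches any entry that agrees on the other three fields, beside the corrected form in which every argument is parenthesized and each field of one endpoint is compared with the same field of the other. The struct name, its field names and the lookup helpers are assumptions made for this illustration.

```c
/*
 * Added example, not FreeBSD code: endpoint comparison macro, buggy form
 * (fport compared with itself) beside the corrected form.  Struct and
 * field names are assumptions.
 */
#include <stddef.h>
#include <stdint.h>

struct in_endpoints {
	uint16_t ie_fport, ie_lport;   /* foreign and local port */
	uint32_t ie_faddr, ie_laddr;   /* foreign and local address */
};

/*
 * Buggy: the foreign port of a is compared with itself, which is always
 * true, so only lport and the two addresses constrain the match.
 */
#define ENDPTS_EQ_BUGGY(a, b) (						\
	(a)->ie_fport == (a)->ie_fport &&				\
	(a)->ie_lport == (b)->ie_lport &&				\
	(a)->ie_faddr == (b)->ie_faddr &&				\
	(a)->ie_laddr == (b)->ie_laddr)

/*
 * Fixed: each field of a against the same field of b.  Every argument is
 * parenthesized, so ENDPTS_EQ(tab + i, key) expands to (tab + i)->...;
 * an unparenthesized a->ie_fport would become tab + i->ie_fport instead.
 */
#define ENDPTS_EQ(a, b) (						\
	(a)->ie_fport == (b)->ie_fport &&				\
	(a)->ie_lport == (b)->ie_lport &&				\
	(a)->ie_faddr == (b)->ie_faddr &&				\
	(a)->ie_laddr == (b)->ie_laddr)

/* Lookup over a small table of cached endpoints; returns the index or -1. */
int endpts_find(const struct in_endpoints *tab, int n,
    const struct in_endpoints *key)
{
	int i;

	for (i = 0; i < n; i++)
		if (ENDPTS_EQ(tab + i, key))
			return i;
	return -1;
}

/* Same lookup with the buggy macro: the first entry sharing lport and
 * addresses wins regardless of the foreign port. */
int endpts_find_buggy(const struct in_endpoints *tab, int n,
    const struct in_endpoints *key)
{
	int i;

	for (i = 0; i < n; i++)
		if (ENDPTS_EQ_BUGGY(tab + i, key))
			return i;
	return -1;
}
```

Two cached entries that differ only in foreign port, as a syncache holds for two clients behind the same address, show the consequence: the corrected lookup returns the entry for the port in the key, the buggy one returns whichever came first.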
* If syncookies are disabled (net.inet.tcp.syncookies) then use the faster
  arc4random() routine to generate ISNs instead of creating them with MD5().
  Suggested by: silby
  jlemon | 2001-12-21 | 1 | -1/+4
* When storing an int value in a void *, use intptr_t as the cast type
  (instead of int) to keep the 64 bit platforms happy.
  jlemon | 2001-12-19 | 1 | -2/+2
* Extend the SYN DoS defense by adding syncookies to the syncache.
  All TCP ISNs that are sent out are valid cookies, which allows entries
  in the syncache to be dropped and still have the ACK accepted later. As
  all entries pass through the syncache, there is no sudden switchover
  from cache -> cookies when the cache is full; instead, syncache entries
  simply have a reduced lifetime. More details may be found in the
  "Resisting DoS attacks with a SYN cache" paper in the Usenix BSDCon 2002
  conference proceedings.
  Sponsored by: DARPA, NAI Labs
  jlemon | 2001-12-19 | 1 | -14/+193
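The property the commit above relies on, every ISN being a verifiable cookie, as an added example that is not FreeBSD code: a generator that folds a keyed hash of the 4-tuple into the ISN of the SYN-ACK, and a validator that recomputes it from the returning ACK so the handshake can complete after the syncache entry has been dropped. The 32-bit cookie layout, the four-slot secret rotation, the MSS table and the splitmix64-style mixing function are assumptions made for this illustration; the log says FreeBSD derived the ISN with MD5(), and the helper names here are not the kernel's.

```c
/*
 * Added example, not FreeBSD code: minimal SYN-cookie generation and
 * validation.  Layout, secret rotation, MSS table and the keyed mixing
 * function are assumptions; the kernel used MD5 over the 4-tuple.
 */
#include <stdint.h>

struct syn_tuple {                 /* connection 4-tuple, host byte order */
	uint32_t laddr, faddr;
	uint16_t lport, fport;
};

struct syncookie_ctx {
	uint64_t secret[4];            /* one secret per time slot */
	uint32_t cur_slot;             /* slot being issued now, 0..3 */
};

/* Cookie layout (assumed): bits 31..5 keyed hash, 4..3 slot, 2..0 MSS index. */
#define SC_HASHMASK  0xFFFFFFE0u
#define SC_SLOTSHIFT 3
#define SC_SLOTMASK  0x3u
#define SC_MSSMASK   0x7u

/* MSS values a 3-bit index can express (assumed table). */
static const uint16_t sc_msstab[8] = {
	216, 536, 1200, 1400, 1460, 4312, 8960, 9000
};

/* Largest table entry not exceeding the peer's advertised MSS. */
static uint32_t mss_to_index(uint16_t mss)
{
	uint32_t i, best = 0;

	for (i = 0; i < 8; i++)
		if (sc_msstab[i] <= mss)
			best = i;
	return best;
}

/*
 * Keyed mixing over secret, 4-tuple, slot and MSS index: a splitmix64-style
 * finalizer standing in for MD5.  The MSS index is part of the input so a
 * peer cannot rewrite the low cookie bits to choose a different MSS.
 */
static uint64_t keyed_mix(uint64_t key, const struct syn_tuple *t,
    uint32_t slot, uint32_t mssidx)
{
	uint64_t words[3], h = key ^ 0x9E3779B97F4A7C15ULL;
	int i;

	words[0] = ((uint64_t)t->laddr << 32) | t->faddr;
	words[1] = ((uint64_t)t->lport << 16) | t->fport;
	words[2] = ((uint64_t)slot << 8) | mssidx;
	for (i = 0; i < 3; i++) {
		h ^= words[i];
		h ^= h >> 30; h *= 0xBF58476D1CE4E5B9ULL;
		h ^= h >> 27; h *= 0x94D049BB133111EBULL;
		h ^= h >> 31;
	}
	return h;
}

/*
 * ISN for the SYN-ACK.  The peer's MSS must be known before the cookie is
 * built; otherwise every cookie-recovered connection gets the default.
 */
uint32_t syncookie_generate(const struct syncookie_ctx *ctx,
    const struct syn_tuple *t, uint16_t peer_mss)
{
	uint32_t slot = ctx->cur_slot & SC_SLOTMASK;
	uint32_t mssidx = mss_to_index(peer_mss);
	uint64_t h = keyed_mix(ctx->secret[slot], t, slot, mssidx);

	return ((uint32_t)(h >> 32) & SC_HASHMASK) |
	    (slot << SC_SLOTSHIFT) | mssidx;
}

/*
 * Validate the ACK of a handshake whose syncache entry may be gone.
 * Returns the MSS for the new connection, or 0 if the cookie is stale
 * (slot too old) or does not verify for this 4-tuple.
 */
uint16_t syncookie_validate(const struct syncookie_ctx *ctx,
    const struct syn_tuple *t, uint32_t ack)
{
	uint32_t iss = ack - 1;                    /* the ISN we sent */
	uint32_t slot = (iss >> SC_SLOTSHIFT) & SC_SLOTMASK;
	uint32_t mssidx = iss & SC_MSSMASK;
	uint32_t cur = ctx->cur_slot & SC_SLOTMASK;
	uint64_t h;

	/* Only the current and previous slot are live: bounded lifetime. */
	if (slot != cur && slot != ((cur - 1) & SC_SLOTMASK))
		return 0;
	h = keyed_mix(ctx->secret[slot], t, slot, mssidx);
	if (((uint32_t)(h >> 32) & SC_HASHMASK) != (iss & SC_HASHMASK))
		return 0;
	return sc_msstab[mssidx];
}
```

The slot bits are what give cookies the "reduced lifetime" the commit mentions: the caller advances cur_slot and installs a fresh secret on a timer, and an ACK carrying an older slot is refused before any hashing. Only 27 bits of hash survive in the ISN, so a cookie is a rate-limiting defence against blind ACK forgery rather than a cryptographic guarantee, which is why a real implementation pairs it with a keyed hash such as the MD5 the log refers to and with secret rotation.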
* Undo one of my last minute changes; move sc_iss up earlier so it
  is initialized in case we take the T/TCP path.
  jlemon | 2001-12-13 | 1 | -1/+1
* Fix a bug with transmitter restart after receiving a 0 window. The
  receiver was not sending an immediate ack with delayed acks turned on
  when the input buffer is drained, preventing the transmitter from
  restarting immediately.
  Propagate the TCP_NODELAY option to accept()ed sockets. (Helps tbench
  and is a good idea anyway).
  Some cleanup. Identify additional issues in comments.
  MFC after: 1 day
  dillon | 2001-12-02 | 1 | -1/+1
* Clear a new syncache entry first, followed by filling in values. This
  fixes route breakage due to uncleared garbage on my box.
  tanimura | 2001-11-27 | 1 | -4/+4
* Fixed a buffer overrun. In my kernel configuration, tcp_syncache happens
  to be followed by nfsnodehashtbl, so bzeroing callouts beyond the end of
  tcp_syncache soon caused a null pointer panic when nfsnodehashtbl was
  accessed.
  bde | 2001-11-23 | 1 | -1/+1
* Introduce a syncache, which enables FreeBSD to withstand a SYN flood
  DoS in an improved fashion over the existing code.
  Reviewed by: silby (in a previous iteration)
  Sponsored by: DARPA, NAI Labs
  jlemon | 2001-11-22 | 1 | -0/+1161