| Commit message | Author | Age | Files | Lines |
when replying to ICMP Address Mask Request packets.
comes in on is the same interface that we would route out of to get to
the packet's source address. Essentially automates an anti-spoofing
check using the information in the routing table.
Experimental. The usage and rule format for the feature may still be
subject to change.
after FIN_WAIT_2 processing.
Helped with debugging: Doug Barton
initial congestion window.
Sponsored by: DARPA, NAI Labs
structures, reuse the oldest one. Also move the expiry timer from
a per-structure callout to the tcp slow timer.
Sponsored by: DARPA, NAI Labs
ifdefs scattered around the place - it's dead Jim!
The SMB stuff had stolen AF_NS, make it official.
drain routines are done by swi_net, which allows for better queue control
at some future point. Packets may also be directly dispatched to a netisr
instead of queued, this may be of interest at some installations, but
currently defaults to off.
Reviewed by: hsu, silby, jayanth, sam
Sponsored by: DARPA, NAI Labs
that matches snd_max, then do not respond with an ack, just drop the
segment. This fixes a problem where a simultaneous close results in
an ack loop between two time-wait states.
Test case supplied by: Tim Robbins <tjr@FreeBSD.ORG>
Sponsored by: DARPA, NAI Labs
Detect this case and drop the lock accordingly.
Sponsored by: DARPA, NAI Labs
when maxfragpackets is dropped to 0.
Noticed by: bmah
tcpcb is NULL, but also its connected inpcb, since we now allow
elements of a TCP connection to hang around after other state, such
as the socket, has been recycled.
Tested by: dcs
Obtained from: TrustedBSD Project
Sponsored by: DARPA, Network Associates Laboratories
dropped ip fragments precisely.
Reviewed by: silby
Submitted by: Scott Renfro <scott@renfro.org>
MFC after: 1 day
a race condition with the TCP timer routines.
TIME-WAIT control block.
Security improvements:
- Increase the size of each syncookie secret from 32 to 128 bits
in order to make brute force attacks on the secrets much more
difficult.
- Always return the lowest order dword from the MD5 hash; this
allows us to expose 2 more bits of the cookie and makes ACK
floods which seek to guess the cookie value more difficult.
Performance improvements:
- Increase the lifetime of each syncookie from 4 seconds to 16
seconds. This increases the usefulness of syncookies during
an attack.
- From Yahoo!: Reduce the number of calls to MD5Update; this
results in a ~17% increase in cookie generation time here.
Reviewed by: hsu, jayanth, jlemon, nectar
MFC After: 15 seconds
Pointy hat provided by: sam
packets coming out of a GIF tunnel are re-processed by ipfw, et al.
By default they are not reprocessed. With the option they are.
This reverts 1.214. Prior to that change packets were not re-processed.
After, they were, which caused problems because packets do not have
distinguishing characteristics (like a special network if) that allow
them to be filtered specially.
This is really a stopgap measure designed for immediate MFC so that
4.8 has consistent handling to what was in 4.7.
PR: 48159
Reviewed by: Guido van Rooij <guido@gvr.org>
MFC after: 1 day
tcp_input(). This unbreaks delack handling, while still preserving
correct T/TCP behavior.
Tested by: maxim
Sponsored by: DARPA, NAI Labs
and enable it by default, with a limit of 16.
At the same time, tweak maxfragpackets downward so that in the worst
possible case, IP reassembly can use only 1/2 of all mbuf clusters.
MFC after: 3 days
Reviewed by: hsu
Liked by: bmah
+ m = m_gethdr(M_DONTWAIT, MT_HEADER);
'nuff said.
OSes has probably caused more problems than it ever solved. Allow the
user to retire the old behavior by specifying their own privileged
range with,
net.inet.ip.portrange.reservedhigh default = IPPORT_RESERVED - 1
net.inet.ip.portrange.reservedlo default = 0
Now you can run that webserver without ever needing root at all. Or
just imagine, an ftpd that can really drop privileges, rather than
just set the euid, and still do PORT data transfers from 20/tcp.
Two edge cases to note,
# sysctl net.inet.ip.portrange.reservedhigh=0
Opens all ports to everyone, and,
# sysctl net.inet.ip.portrange.reservedhigh=65535
Locks all network activity to root only (which could actually have
been achieved before with ipfw(8), but is somewhat more
complicated).
For those who stick to the old religion that 0-1023 belong to root and
root alone, don't touch the knobs (or even lock them by raising
securelevel(8)), and nothing changes.
Submitted by: Lars Eggert <larse@ISI.EDU>
Caught by: phk
Sponsored by: DARPA, NAI Labs
control block. Allow the socket and tcpcb structures to be freed
earlier than inpcb. Update code to understand an inp w/o a socket.
Reviewed by: hsu, silby, jayanth
Sponsored by: DARPA, NAI Labs
routine does not require a tcpcb to operate. Since we no longer keep
template mbufs around, move pseudo checksum out of this routine, and
merge it with the length update.
Sponsored by: DARPA, NAI Labs
- delay acks for T/TCP regardless of delack setting
- fix bug where a single pass through tcp_input might not delay acks
- use callout_active() instead of callout_pending()
Sponsored by: DARPA, NAI Labs
Approved by: trb
cr_uid.
Note: we do not have socheckuid() in RELENG_4; ip_fw2.c uses its
own macro for a similar purpose, which is why ipfw2 in RELENG_4 processes
uid rules correctly. I will MFC the diff for code consistency.
Reported by: Oleg Baranov <ol@csa.ru>
Reviewed by: luigi
MFC after: 1 month
to avoid acquiring SMP locks during expensive copyout process.
need to check for it at runtime.
which modify the connection list, namely, tcp_notify().
exclusive TCP protocol lock.
ethernet packet sent.
Prompted by: Jeffrey Hsu <hsu@FreeBSD.org>
Submitted by: "Diomidis Spinellis" <dds@aueb.gr>
PR: kern/46116
just when set to 2.
PR: kern/43348
MFC after: 5 days
Submitted by: maxim
MFC with: The previous two revisions
ipsec4_process_packet; they happen when a packet is dropped because
an SA acquire is initiated.
Submitted by: Doug Ambrisko <ambrisko@verniernetworks.com>
you still don't want to use the two together, but it's ok to have
them in the same kernel (the problem that initiated this bandaid
has long since been fixed).