give a default value to net.inet.ip.maxfragpackets, to protect us from "lots of fragmented packets" DoS attack.

the current default value is derived from the IPv6 counterpart, which is
a magical value "200".  it should be enough for normal systems, not sure
if it is enough when you take hundreds of thousands of TCP connections on
your system.  if you have a proposal for a better value with concrete reasons,
let me know.
This commit is contained in:
itojun 2001-04-16 17:03:33 +00:00
parent 88c05e77fe
commit 8799a9c64b


@ -1,4 +1,4 @@
/* $NetBSD: ip_input.c,v 1.132 2001/04/13 23:30:22 thorpej Exp $ */
/* $NetBSD: ip_input.c,v 1.133 2001/04/16 17:03:33 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -212,7 +212,7 @@ struct pfil_head inet_pfil_hook;
struct ipqhead ipq;
int ipq_locked;
int ip_nfragpackets = 0;
int ip_maxfragpackets = -1;
int ip_maxfragpackets = 200;
static __inline int ipq_lock_try __P((void));
static __inline void ipq_unlock __P((void));
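Review bot: the new initializer `int ip_maxfragpackets = 200;` is a bare magic number; the commit message says it mirrors the IPv6 counterpart, but nothing in this hunk records that, so the two defaults can drift apart silently. A one-line comment above the initializer (or a shared constant that both the IPv4 and IPv6 paths use) would tie them together, and the same comment should state what the previous value of -1 meant for the reassembly-queue limit, so an operator who needs the old behaviour can set the sysctl back deliberately rather than guess.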