itojun
63de4c2cb9
nuke the following sysctl variables. "ppsratelimit" should work better.
need to recompile sbin/sysctl after updating /usr/include.
net.inet.tcp.rstratelimit
net.inet.icmp.errratelimit
net.inet6.icmp6.errratelimit
2000-07-28 04:06:52 +00:00
itojun
7abf4641c6
forgot to call tcp6_quench(). sync with kame.
2000-07-28 02:39:45 +00:00
itojun
928dfa5233
do not disable icmp error rate limitation for local address.
local address can be abused too. pps rate limitation should work fine for
moderate amount of icmp errors.
2000-07-27 11:36:14 +00:00
itojun
dd9f2f7f1d
implement net.inet.tcp.rstppslimit to limit TCP RSTs by packet-per-second
basis. default: 100pps
set default value for net.inet.tcp.rstratelimit to 0 (disabled),
NOTE: it does not work right for smaller-than-1/hz interval. maybe we should
nuke it, or make it impossible to set smaller-than-1/hz value.
2000-07-27 11:34:06 +00:00
itojun
a18c2d780f
be proactive about unspecified IPv6 source address. pcb layer uses
unspecified address (::) to mean "unbounded" or "unconnected",
and can be confused by packets from outside.
use of :: as source is not documented well in IPv6 specification.
not sure if it presents a real threat. the worst case scenario is a DoS
against TCP listening socket:
- outsider transmits TCP SYN with :: as IPv6 source
- receiving side creates TCP control block with:
local address = my address
remote address = :: (meaning "unconnected")
state = SYN_RCVD
note that SYN ACK will not be sent due to ip6_output() filter.
this stays until it times out.
- the TCP control block prevents listening TCP control block from
being contacted (DoS).
udp6/raw6 socket may have similar problem, but as they are connectionless,
it may be too much to filter it out.
2000-07-27 06:18:13 +00:00
sommerfeld
73b6d9485c
Drop packet, increment udps_badlen if the udp header length field
reports a size smaller than the udp header; defends against bogosity
detected by Assar Westerlund.
This patch and the previous ip_icmp.c change were the joint work of
assar, itojun, and myself.
2000-07-24 03:46:57 +00:00
sommerfeld
a0c29e06a3
Improve robustness of icmp_error():
- allow it to work when icmpreturndatabytes is sufficiently large that the
icmp error message doesn't fit in a header mbuf.
- defend against mbuf chains shorter than their contained ip->ip_len.
2000-07-24 03:32:31 +00:00
itojun
ca777cb72c
add a DIAGNOSTIC case for MCLBYTES assumption
2000-07-23 05:00:01 +00:00
itojun
f5211e847a
remove m_pulldown statistics code. it is highly experimental and belongs
to kame tree only (not for *bsd).
2000-07-13 05:34:21 +00:00
itojun
ab492849bc
implement net.inet.icmp.errppslimit.
make default value for net.inet.icmp.erratelimit to 0, as < 10ms value
does not do the right thing.
2000-07-10 09:31:29 +00:00
itojun
8a661b9beb
be more cautious about tcp option length field. drop bogus ones earlier.
not sure if there is a real threat or not, but it seems that there's
possibility for overrun/underrun (like non-NOP option with optlen > cnt).
2000-07-09 12:49:08 +00:00
itojun
ec67eee51f
sync with kame.
introduce in6_{recover,embed}scope, for in-kernel scoped-address manipulation.
improve in6_pcbnotify.
2000-07-07 15:54:16 +00:00
itojun
210a3e2f80
remove unnecessary #include <netkey/key_debug.h>. from kame.
2000-07-06 12:51:39 +00:00
itojun
0a1e211454
- do not use bitfield for router renumbering header.
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation. TODO: should implement ppsratecheck(9).
2000-07-06 12:36:18 +00:00
thorpej
70140a566d
Some slight cleanup.
2000-07-06 04:34:26 +00:00
thorpej
9c86b65a92
Fix an omission in the gre cloning changes.
2000-07-05 22:45:25 +00:00
thorpej
6a900bc9ff
Fix some zero-vs-NULL confusion.
2000-07-05 21:45:14 +00:00
thorpej
f77f419c50
Make a note that we really should be checking the viftable
in ip_mroute.c for duplicate tunnel entries, too. Well, what
really needs to happen is that the mrouting code needs to be
changed to work w/ `gif' tunnels... but...
2000-07-05 21:32:51 +00:00
thorpej
4348603862
RFCs 1853, 2003, 2401 -- copy the DF bit.
2000-07-05 21:01:38 +00:00
thorpej
e5c397199f
Use LIST_HEAD_INITIALIZER(), for correctness sake.
2000-07-05 18:45:26 +00:00
christos
f142d4254d
added a linted comment about non-portable bitfields. Unfortunately it cannot
be fixed portably.
2000-07-05 02:45:03 +00:00
itojun
f0d7296dc1
typo in previous
2000-07-02 21:25:41 +00:00
itojun
e29fba4ba7
do not touch struct ip6stat on non-INET6 compilation.
From: Paul Goyette <paul@whooppee.com>
2000-07-02 21:05:41 +00:00
itojun
8ff902fca1
repair kernel faithd(8) support. there were two mistakes:
(1) tcp6_input dropped packets for translation
(2) in6_pcblookup_connect was too strict
2000-07-02 08:04:10 +00:00
sommerfeld
8f2d5e3219
Don't rate-limit ICMP errors from packets we send to ourselves.
The dns resolver depends on reliably receiving errors to allow it to
quickly detect a dead local nameserver.
2000-07-01 21:46:40 +00:00
thorpej
c8875e6066
Pass the correct destination address for the route-to-gateway case.
From Zdenek Salvet, kern/10483.
2000-06-30 19:43:53 +00:00
itojun
23f6a4f4e8
remove old mbuf assumption (ip header and tcp header are on the same mbuf).
this is for m_pulldown use. (sync with kame)
2000-06-30 16:44:33 +00:00
mrg
cf594a3f4d
<vm/vm.h> -> <uvm/uvm_extern.h>
2000-06-28 03:01:16 +00:00
mrg
5ec6fd267b
remove include of <vm/vm.h>
2000-06-28 02:59:32 +00:00
kleink
d2787dad27
XNS5.2: define sa_family_t and use it where specified by the standard.
2000-06-26 15:48:19 +00:00
mrg
2f159a1bac
remove/move more mach vm header files:
<vm/pglist.h> -> <uvm/uvm_pglist.h>
<vm/vm_inherit.h> -> <uvm/uvm_inherit.h>
<vm/vm_kern.h> -> into <uvm/uvm_extern.h>
<vm/vm_object.h> -> nothing
<vm/vm_pager.h> -> into <uvm/uvm_pager.h>
also includes a bunch of <vm/vm_page.h> include removals (due to redundancy
with <vm/vm.h>), and a scattering of other similar headers.
2000-06-26 14:20:25 +00:00
matt
e21a3d997c
Don't copy M_EXT mbufs unless in "dhcp" mode. Do a mtod after the pullup
to make sure the ip pointer is still valid.
2000-06-16 20:21:26 +00:00
itojun
07098cd363
better conformance to draft-ietf-ipngwg-icmp-name-lookups-05.
the old code was a chimera of 03 and 05 draft.
-n by default, since IPv6 reverse lookup takes too much time.
use -H to enable reverse name lookup.
2000-06-12 16:21:02 +00:00
veego
ecbf42696a
Remove a duplicated check for the NetBSD callout (I think it is a mistake
from a previous conflict resolve which doesn't cause harm).
2000-06-12 10:41:36 +00:00
veego
886013b9e7
Oops, forgot to resolve one place.
2000-06-12 10:29:36 +00:00
veego
d6dd29c882
Resolve conflicts.
2000-06-12 10:28:20 +00:00
darrenr
bae005d1db
add icmpreturndatabytes kernel variable (default 8) which specifies the
number of extra data bytes to return in ICMP error messages. This is
also available via sysctl as net.icmp.returndatabytes and is limited to
[8,512].
2000-06-10 12:39:19 +00:00
itojun
8987054176
pass struct proc * down to udp6_output and in6_pcbbind.
2000-06-05 06:38:22 +00:00
veego
c02ef5cc85
Resolve conflicts.
2000-05-23 06:07:42 +00:00
itojun
5de72de121
disallow negative numbers for ratelimit interval (tcp, icmp, icmp6).
2000-05-22 12:08:43 +00:00
veego
b0c4d85748
Add a missing ; at the end of a line.
2000-05-21 18:47:00 +00:00
veego
4c4ad1d1a5
Resolve conflicts.
2000-05-21 18:45:53 +00:00
jhawk
ca31d672e2
Install "show arptab" (db_show_arptab) in the ddb command tree.
Move prototype from netinet/if_inarp.h to ddb/db_interface.h.
Change function to have standard ddb parameters (though they're
ignored).
2000-05-20 03:08:41 +00:00
veego
8db28cd918
Resolve conflicts and fix a compile error in ip_ftp_pxy.c.
2000-05-11 19:46:05 +00:00
itojun
8a0fabf8cf
add missing boundary checks to ip options processing.
correct timestamp option validation (len and ptr upper/lower bound
based on RFC791).
fill "pointer" field for parameter problem in timestamp option processing.
2000-05-10 03:31:30 +00:00
itojun
b3c4ed6cf7
correct more out-of-bounds memory access, if cnt == 1 and optlen > 1.
2000-05-10 01:19:44 +00:00
itojun
4a12628c71
correct out-of-bound access when hlen == 1 and opt > 1.
reviewed by darren, darren committed to freebsd fil.c (1.12 -> 1.13)
so it should be correct enough.
2000-05-10 00:08:03 +00:00
sommerfeld
90f481ef3f
Handle large offsets with very small options correctly.
2000-05-06 16:35:14 +00:00
mycroft
176e840713
GC in_interfaces.
2000-05-06 02:41:32 +00:00
matt
650107086a
remove superfluous test (snd_una is always > iss since th_ack must be > iss
(first test at start of case) and th_ack is assigned to snd_una).
2000-05-05 15:05:29 +00:00