d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Apply TCP_EXPIRE_CONNECTED (86400 seconds) timeout only to established

Browse Source 
connections, after SYN packets were seen from both ends.  Before this,
it would get applied right after the first SYN packet was seen (either
from client or server).  With broken TCP connection attempts, when the
remote end does not respond with SYNACK nor with RST, this resulted in
having a useless (ie, no actual TCP connection associated with it) TCP
link with 86400 seconds TTL, wasting system memory.  With high rate of
such broken connection attempts (for example, remote end simply blocks
these connection attempts with ipfw(8) without sending RST back), this
could result in a denial-of-service.

PR:		bin/17963
This commit is contained in:
Ruslan Ermilov 2000-04-14 15:34:55 +00:00
parent 9ed5b61bdd
commit b5e819ec23
Notes: svn2git 2020-12-20 02:59:44 +00:00 
svn path=/head/; revision=59237
2 changed files with 20 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
lib/libalias/alias_db.c
View File

@ -1544,22 +1544,19 @@ SetStateIn(struct alias_link *link, int state)
/* TCP input state */
switch (state) {
case ALIAS_TCP_STATE_DISCONNECTED:
if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED) {
if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_DEAD;
} else {
else
link->expire_time = TCP_EXPIRE_SINGLEDEAD;
}
link->data.tcp->state.in = state;
break;
case ALIAS_TCP_STATE_CONNECTED:
link->expire_time = TCP_EXPIRE_CONNECTED;
/*FALLTHROUGH*/
case ALIAS_TCP_STATE_NOT_CONNECTED:
link->data.tcp->state.in = state;
if (link->data.tcp->state.out == ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_CONNECTED;
break;
default:
abort();
}
link->data.tcp->state.in = state;
}
@ -1569,22 +1566,19 @@ SetStateOut(struct alias_link *link, int state)
/* TCP output state */
switch (state) {
case ALIAS_TCP_STATE_DISCONNECTED:
if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED) {
if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_DEAD;
} else {
else
link->expire_time = TCP_EXPIRE_SINGLEDEAD;
}
link->data.tcp->state.out = state;
break;
case ALIAS_TCP_STATE_CONNECTED:
link->expire_time = TCP_EXPIRE_CONNECTED;
/*FALLTHROUGH*/
case ALIAS_TCP_STATE_NOT_CONNECTED:
link->data.tcp->state.out = state;
if (link->data.tcp->state.in == ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_CONNECTED;
break;
default:
abort();
}
link->data.tcp->state.out = state;
}

26
sys/netinet/libalias/alias_db.c
View File

@ -1544,22 +1544,19 @@ SetStateIn(struct alias_link *link, int state)
/* TCP input state */
switch (state) {
case ALIAS_TCP_STATE_DISCONNECTED:
if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED) {
if (link->data.tcp->state.out != ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_DEAD;
} else {
else
link->expire_time = TCP_EXPIRE_SINGLEDEAD;
}
link->data.tcp->state.in = state;
break;
case ALIAS_TCP_STATE_CONNECTED:
link->expire_time = TCP_EXPIRE_CONNECTED;
/*FALLTHROUGH*/
case ALIAS_TCP_STATE_NOT_CONNECTED:
link->data.tcp->state.in = state;
if (link->data.tcp->state.out == ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_CONNECTED;
break;
default:
abort();
}
link->data.tcp->state.in = state;
}
@ -1569,22 +1566,19 @@ SetStateOut(struct alias_link *link, int state)
/* TCP output state */
switch (state) {
case ALIAS_TCP_STATE_DISCONNECTED:
if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED) {
if (link->data.tcp->state.in != ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_DEAD;
} else {
else
link->expire_time = TCP_EXPIRE_SINGLEDEAD;
}
link->data.tcp->state.out = state;
break;
case ALIAS_TCP_STATE_CONNECTED:
link->expire_time = TCP_EXPIRE_CONNECTED;
/*FALLTHROUGH*/
case ALIAS_TCP_STATE_NOT_CONNECTED:
link->data.tcp->state.out = state;
if (link->data.tcp->state.in == ALIAS_TCP_STATE_CONNECTED)
link->expire_time = TCP_EXPIRE_CONNECTED;
break;
default:
abort();
}
link->data.tcp->state.out = state;
}