freebsd-dev/sys/netinet
Jesper Skriver 2b1a209a17 Prevent denial of service using bogus fragmented IPv4 packets.
An attacker sending a lot of bogus fragmented packets to the target
(with different IPv4 identification field - ip_id), may be able
to put the target machine into mbuf starvation state.

By setting an upper limit on the number of reassembly queues we
prevent this situation.

This upper limit is controlled by the new sysctl
net.inet.ip.maxfragpackets which defaults to NMBCLUSTERS/4

If you want old behaviour (no upper limit) set this sysctl
to a negative value.

If you don't want to accept any fragments (not recommended)
set the sysctl to 0 (zero)

Obtained from:	NetBSD (partially)
MFC after:	1 week
2001-05-31 21:57:29 +00:00
..
libalias Add an integer field to keep protocol-specific flags with links. 2001-05-30 14:24:35 +00:00
accf_data.c Remove headers not needed. 2000-10-07 23:15:17 +00:00
accf_http.c Fix incorrect logic wouldn't disconnect incoming connections that had been 2001-01-03 19:50:23 +00:00
fil.c fix conflicts 2001-02-04 14:26:56 +00:00
icmp6.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
icmp_var.h Clean up RST ratelimiting. Previously, ratelimiting occurred before tests 2001-02-11 07:39:51 +00:00
if_atm.c
if_atm.h Add $FreeBSD$ 2000-05-01 20:32:07 +00:00
if_ether.c Add a missing m_pullup() before a mtod() in in_arpinput(). 2001-03-27 12:34:58 +00:00
if_ether.h
if_fddi.h
igmp_var.h
igmp.c Add #include <machine/in_cksum.h>, in order to pick up the checksum 2000-05-06 18:19:58 +00:00
igmp.h
in_cksum.c
in_gif.c Another round of the <sys/queue.h> FOREACH transmogriffer. 2001-02-04 16:08:18 +00:00
in_gif.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
in_hostcache.c Convert more malloc+bzero to malloc+M_ZERO. 2000-12-08 21:51:06 +00:00
in_hostcache.h
in_pcb.c Fix a style(9) nit. 2001-03-16 19:36:23 +00:00
in_pcb.h Remove in_pcbnotify and use in_pcblookup_hash to find the cb directly. 2001-02-26 21:19:47 +00:00
in_proto.c Make netstat(1) to be aware of divert(4) sockets. 2000-08-03 14:09:52 +00:00
in_rmx.c In in_ifadown(), differentiate between whether the interface goes 2001-05-11 14:37:34 +00:00
in_systm.h
in_var.h In in_ifadown(), differentiate between whether the interface goes 2001-05-11 14:37:34 +00:00
in.c In in_ifadown(), differentiate between whether the interface goes 2001-05-11 14:37:34 +00:00
in.h IPv4 address is not unsigned int. This change introduces in_addr_t. 2001-03-23 18:59:31 +00:00
ip6.h remove m_pulldown statistics, which is highly experimental and does not 2000-07-12 16:39:13 +00:00
ip_auth.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_auth.h fix conflicts from rcsids 2000-10-26 12:33:42 +00:00
ip_compat.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_divert.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
ip_dummynet.c Sync with the bridge/dummynet/ipfw code already tested in stable. 2001-02-10 00:10:18 +00:00
ip_dummynet.h MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately) 2001-02-02 00:18:00 +00:00
ip_ecn.c sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
ip_ecn.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
ip_encap.c Mechanical change to use <sys/queue.h> macro API instead of 2001-02-04 13:13:25 +00:00
ip_encap.h sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
ip_fil.c While I'm here, get rid of (now useless) MCLISREFERENCED and use MEXT_IS_REF 2000-11-11 23:05:59 +00:00
ip_fil.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_flow.c Back out the previous change to the queue(3) interface. 2000-05-26 02:09:24 +00:00
ip_flow.h Back out the previous change to the queue(3) interface. 2000-05-26 02:09:24 +00:00
ip_frag.c fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_frag.h fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_ftp_pxy.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_fw.c pipe/queue are the only consumers of flow_id, so only set it in those cases 2001-04-06 06:52:25 +00:00
ip_fw.h Introduce a new feature in IPFW: Check of the source or destination 2001-02-13 14:12:37 +00:00
ip_icmp.c MFC candidate. 2001-03-28 14:13:19 +00:00
ip_icmp.h
ip_input.c Prevent denial of service using bogus fragmented IPv4 packets. 2001-05-31 21:57:29 +00:00
ip_log.c resolve conflicts 2000-08-13 04:31:06 +00:00
ip_mroute.c Fix typo: seperate -> separate. 2001-02-06 11:21:58 +00:00
ip_mroute.h
ip_nat.c fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_nat.h fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_output.c RFC768 (UDP) requires that "if the computed checksum is zero, it 2001-03-13 17:07:06 +00:00
ip_proxy.c fix conflicts 2000-05-24 04:21:35 +00:00
ip_proxy.h fix conflicts 2001-02-04 14:26:56 +00:00
ip_raudio_pxy.c Fix conflicts created by import. 2000-10-29 07:53:05 +00:00
ip_rcmd_pxy.c fix conflicts 2001-02-04 14:26:56 +00:00
ip_state.c fix security hole created by fragment cache 2001-04-06 15:52:28 +00:00
ip_state.h fix conflicts from rcsids 2000-10-26 12:33:42 +00:00
ip_var.h Invalidate cached forwarding route (ipforward_rt) whenever a new route 2001-03-19 09:16:16 +00:00
ip.h
ipl.h fix conflicts 2001-02-04 14:26:56 +00:00
ipprotosw.h activate pfil_hooks and covert ipfilter to use it 2000-07-31 13:11:42 +00:00
mlfk_ipl.c Send the remains (such as I have located) of "block major numbers" to 2001-03-26 12:41:29 +00:00
raw_ip.c In in_ifadown(), differentiate between whether the interface goes 2001-05-11 14:37:34 +00:00
tcp_debug.c sync with kame tree as of july00. tons of bug fixes/improvements. 2000-07-04 16:35:15 +00:00
tcp_debug.h
tcp_fsm.h
tcp_input.c Inline TCP_REASS() in the single location where it's used, 2001-05-29 19:54:45 +00:00
tcp_output.c Undo part of the tangle of having sys/lock.h and sys/mutex.h included in 2001-05-01 08:13:21 +00:00
tcp_reass.c Inline TCP_REASS() in the single location where it's used, 2001-05-29 19:54:45 +00:00
tcp_seq.h Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_subr.c Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_timer.c Disable rfc1323 and rfc1644 TCP extensions if we haven't got 2001-05-31 19:24:49 +00:00
tcp_timer.h
tcp_timewait.c Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_usrreq.c Say goodbye to TCP_COMPAT_42 2001-04-20 11:58:56 +00:00
tcp_var.h Randomize the TCP initial sequence numbers more thoroughly. 2001-04-17 18:08:01 +00:00
tcp.h o Minor style(9)ism to make consistent with -STABLE 2001-01-09 18:26:17 +00:00
tcpip.h Remove struct full_tcpiphdr{}. 2001-02-26 20:10:16 +00:00
udp_usrreq.c Count and show incoming UDP datagrams with no checksum. 2001-03-13 13:26:06 +00:00
udp_var.h remove unused data structure definition, and corresponding macro into*() 2001-02-18 07:10:03 +00:00
udp.h