freebsd-nq/sys/netinet
Warner Losh 173c0f9f5c Mitigate the stream.c attacks
o Drop all broadcast and multicast source addresses in tcp_input.
o Enable ICMP_BANDLIM in GENERIC.
o Change default to 200/s from 100/s.  This will still stop the attack, but
  is conservative enough to do this close to code freeze.

This is not the optimal patch for the problem, but is likely the least
intrusive patch that can be made for this.

Obtained from: Don Lewis and Matt Dillon.
Reviewed by: freebsd-security
2000-01-28 06:13:09 +00:00
libalias Replace beforeinstall target with new variables used by .mk system. 2000-01-14 07:57:47 +00:00
fil.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
icmp6.h KAME netinet6 basic part(no IPsec,no V6 Multicast Forwarding, no UDP/TCP 1999-11-22 02:45:11 +00:00
icmp_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
if_atm.c udp IPv6 support, IPv6/IPv4 tunneling support in kernel, 1999-12-07 17:39:16 +00:00
if_atm.h Forward declare some structs so that this file is more self-sufficient. 1998-02-03 21:52:02 +00:00
if_ether.c Append missing newline to log() message for permanent ARP modification 1999-10-18 11:56:50 +00:00
if_ether.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
if_fddi.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
igmp_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
igmp.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
igmp.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
in_cksum.c $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
in_gif.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
in_gif.h add forward declarations, and small cosmetic changes. 2000-01-15 05:20:40 +00:00
in_hostcache.c $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
in_hostcache.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_pcb.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
in_pcb.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_proto.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
in_rmx.c $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
in_systm.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in.c Change struct sockaddr_storage member name, because following change 2000-01-13 14:52:53 +00:00
in.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip6.h KAME netinet6 basic part(no IPsec,no V6 Multicast Forwarding, no UDP/TCP 1999-11-22 02:45:11 +00:00
ip_auth.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_auth.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_compat.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_divert.c prevent kernel panic which happens when either of IPSEC and IPDIVERT 2000-01-08 12:53:48 +00:00
ip_dummynet.c Implement per-flow queueing. Using a single pipe config rule, 2000-01-08 11:24:46 +00:00
ip_dummynet.h Implement per-flow queueing. Using a single pipe config rule, 2000-01-08 11:24:46 +00:00
ip_ecn.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
ip_ecn.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_fil.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_fil.h Apply patches in rev 1.2 and 1.9 that I forgot 2000-01-14 19:48:42 +00:00
ip_flow.c $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
ip_flow.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
ip_frag.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_frag.h Add kernel parts of revived ipfilter (3.3.3.) 1999-11-23 21:44:59 +00:00
ip_ftp_pxy.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_fw.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
ip_fw.h Add ipfw hooks for the new dummynet features. 2000-01-08 11:31:43 +00:00
ip_icmp.c Mitigate the stream.c attacks 2000-01-28 06:13:09 +00:00
ip_icmp.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_input.c Move the *intrq variables into net/intrq.c and unconditionally 2000-01-24 20:39:02 +00:00
ip_log.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_mroute.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
ip_mroute.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_nat.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_nat.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_output.c MGETHDR() does not initialize m_pkthdr.rcvif, do it here. 2000-01-10 18:46:05 +00:00
ip_proxy.c Add kernel parts of revived ipfilter (3.3.3.) 1999-11-23 21:44:59 +00:00
ip_proxy.h Add kernel parts of revived ipfilter (3.3.3.) 1999-11-23 21:44:59 +00:00
ip_raudio_pxy.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_rcmd_pxy.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_state.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_state.h Add kernel parts of revived ipfilter (3.3.3.) 1999-11-23 21:44:59 +00:00
ip_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip.h IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
ipl.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ipprotosw.h IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
mlfk_ipl.c The ipfilter module name wasn't exactly conventional.. 1999-12-20 15:49:38 +00:00
raw_ip.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
tcp_debug.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_debug.h tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_fsm.h Undo rev 1.10, which took out TH_FIN from the CLOSING state. This 1999-11-07 04:18:30 +00:00
tcp_input.c Mitigate the stream.c attacks 2000-01-28 06:13:09 +00:00
tcp_output.c Fixed the problem that IPsec connection hangs when bigger data is sent. 2000-01-15 14:56:38 +00:00
tcp_reass.c Mitigate the stream.c attacks 2000-01-28 06:13:09 +00:00
tcp_seq.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
tcp_subr.c Fix the bug that IPv4 ttl is not initialized when AF_INET6 socket is used 2000-01-25 01:05:18 +00:00
tcp_timer.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_timer.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
tcp_timewait.c Fix the bug that IPv4 ttl is not initialized when AF_INET6 socket is used 2000-01-25 01:05:18 +00:00
tcp_usrreq.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_var.h tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp.h tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcpip.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00
udp_usrreq.c IPSEC support in the kernel. 1999-12-22 19:13:38 +00:00
udp_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
udp.h $Id$ -> $FreeBSD$ 1999-08-28 01:08:13 +00:00