freebsd-skq/sys/netinet
jtl 5a5ca2cd22 Add a global limit on the number of IPv4 fragments.
The IP reassembly fragment limit is based on the number of mbuf clusters,
which are a global resource. However, the limit is currently applied
on a per-VNET basis. Given enough VNETs (or given sufficient customization
of enough VNETs), it is possible that the sum of all the VNET limits
will exceed the number of mbuf clusters available in the system.

Given the fact that the fragment limit is intended (at least in part) to
regulate access to a global resource, the fragment limit should
be applied on a global basis.

VNET-specific limits can be adjusted by modifying the
net.inet.ip.maxfragpackets and net.inet.ip.maxfragsperpacket
sysctls.

To disable fragment reassembly globally, set net.inet.ip.maxfrags to 0.
To disable fragment reassembly for a particular VNET, set
net.inet.ip.maxfragpackets to 0.

Reviewed by:	jhb
Security:	FreeBSD-SA-18:10.ip
Security:	CVE-2018-6923
2018-08-14 17:19:49 +00:00
cc Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
khelp
libalias Remove a duplicate check. 2018-07-11 14:54:56 +00:00
netdump UDP: further performance improvements on tx 2018-05-23 21:02:14 +00:00
tcp_stacks Fix a small bug in rack where it will 2018-08-08 13:36:49 +00:00
accf_data.c
accf_dns.c
accf_http.c
icmp6.h
icmp_var.h
if_ether.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
if_ether.h
igmp_var.h Separate list manipulation locking from state change in multicast 2018-05-02 19:36:29 +00:00
igmp.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
igmp.h
in_cksum.c
in_debug.c CK: update consumers to use CK macros across the board 2018-05-24 23:21:23 +00:00
in_fib.c Switch RIB and RADIX_NODE_HEAD lock from rwlock(9) to rmlock(9). 2018-06-16 08:26:23 +00:00
in_fib.h
in_gif.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
in_jail.c Move most of the contents of opt_compat.h to opt_global.h. 2018-04-06 17:35:35 +00:00
in_kdtrace.c Add a dtrace provider for UDP-Lite. 2018-07-31 22:56:03 +00:00
in_kdtrace.h Add a dtrace provider for UDP-Lite. 2018-07-31 22:56:03 +00:00
in_mcast.c [ppc] Fix kernel panic when using BOOTP_NFSROOT 2018-08-09 14:04:51 +00:00
in_pcb.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
in_pcb.h Now that after r335979 the kernel addresses in API structures are 2018-08-04 00:03:21 +00:00
in_pcbgroup.c Fix PCBGROUPS build post CK conversion of pcbinfo 2018-06-13 23:19:54 +00:00
in_prot.c Move most of the contents of opt_compat.h to opt_global.h. 2018-04-06 17:35:35 +00:00
in_proto.c Remove empty encap_init() function. 2018-05-29 12:32:08 +00:00
in_rmx.c
in_rss.c
in_rss.h
in_systm.h
in_var.h UDP: further performance improvements on tx 2018-05-23 21:02:14 +00:00
in.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
in.h
ip6.h carp: Set DSCP value CS7 2018-07-01 08:37:07 +00:00
ip_carp.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_carp.h
ip_divert.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_divert.h
ip_dummynet.h
ip_ecn.c
ip_ecn.h
ip_encap.c epoch(9): allow preemptible epochs to compose 2018-07-04 02:47:16 +00:00
ip_encap.h Rework IP encapsulation handling code. 2018-06-05 20:51:01 +00:00
ip_fastfwd.c netpfil: Introduce PFIL_FWD flag 2018-03-23 16:56:44 +00:00
ip_fw.h Add "record-state", "set-limit" and "defer-action" rule options to ipfw. 2018-07-09 11:35:18 +00:00
ip_gre.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_icmp.c icmp_quotelen was accidentally changed in r336676, undo this. 2018-07-24 16:45:01 +00:00
ip_icmp.h
ip_id.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_input.c Restore ability to send ICMP and ICMPv6 redirects. 2018-08-14 07:54:14 +00:00
ip_mroute.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_mroute.h
ip_options.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
ip_options.h
ip_output.c Fix a potential use after free in getsockopt() access to inp_options 2018-07-22 20:02:14 +00:00
ip_reass.c Add a global limit on the number of IPv4 fragments. 2018-08-14 17:19:49 +00:00
ip_var.h ip(6)_freemoptions: defer imo destruction to epoch callback task 2018-05-20 00:22:28 +00:00
ip.h carp: Set DSCP value CS7 2018-07-01 08:37:07 +00:00
pim_var.h Rework IP encapsulation handling code. 2018-06-05 20:51:01 +00:00
pim.h
raw_ip.c Removed pointless NULL check 2018-07-10 08:05:32 +00:00
sctp_asconf.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_asconf.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_auth.c Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_auth.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_bsd_addr.c Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_bsd_addr.h Revert https://svnweb.freebsd.org/changeset/base/336503 2018-07-19 20:11:14 +00:00
sctp_cc_functions.c Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_constants.h Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_crc32.c Revert https://svnweb.freebsd.org/changeset/base/336503 2018-07-19 20:11:14 +00:00
sctp_crc32.h
sctp_dtrace_declare.h
sctp_dtrace_define.h
sctp_header.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_indata.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_indata.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_input.c Remove a set but not used warning showing up in usrsctp. 2018-08-14 08:32:33 +00:00
sctp_input.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_lock_bsd.h
sctp_os_bsd.h Move most of the contents of opt_compat.h to opt_global.h. 2018-04-06 17:35:35 +00:00
sctp_os.h
sctp_output.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_output.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_pcb.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_pcb.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_peeloff.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_peeloff.h
sctp_ss_functions.c Revert https://svnweb.freebsd.org/changeset/base/336503 2018-07-19 20:11:14 +00:00
sctp_structs.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_syscalls.c netinet silence warnings 2018-05-19 05:56:21 +00:00
sctp_sysctl.c Revert https://svnweb.freebsd.org/changeset/base/336503 2018-07-19 20:11:14 +00:00
sctp_sysctl.h
sctp_timer.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_timer.h
sctp_uio.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp_usrreq.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctp_var.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctp.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
sctputil.c Use the stacb instead of the asoc in state macros. 2018-08-13 13:58:45 +00:00
sctputil.h Whitespace changes due to changes in ident. 2018-07-19 20:16:33 +00:00
siftr.c Create a new macro for static DPCPU data. 2018-07-05 17:13:37 +00:00
tcp_debug.c
tcp_debug.h
tcp_fastopen.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
tcp_fastopen.h Greatly reduce the number of #ifdefs supporting the TCP_RFC7413 kernel option. 2018-02-26 03:03:41 +00:00
tcp_fsm.h Revert r334843, and partially revert r335180. 2018-06-23 06:53:53 +00:00
tcp_hostcache.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
tcp_hostcache.h
tcp_hpts.c Remove unneeded ipsec-related includes. 2018-08-10 07:24:01 +00:00
tcp_hpts.h epoch(9): allow preemptible epochs to compose 2018-07-04 02:47:16 +00:00
tcp_input.c Fix some TCP fast open issues. 2018-07-30 20:35:50 +00:00
tcp_log_buf.c Clean up some debugging code left in tcp_log_buf.c from r331347. 2018-04-10 15:51:37 +00:00
tcp_log_buf.h This commit brings in a new refactored TCP stack called Rack. 2018-06-07 18:18:13 +00:00
tcp_lro.c Update tcp_lro with tested bugfixes from Netflix and LLNW: 2018-03-09 00:08:43 +00:00
tcp_lro.h
tcp_offload.c Revert r334843, and partially revert r335180. 2018-06-23 06:53:53 +00:00
tcp_offload.h Add a hook to allow the toedev handling an offloaded connection to 2018-04-03 01:08:54 +00:00
tcp_output.c Fix some TCP fast open issues. 2018-07-30 20:35:50 +00:00
tcp_pcap.c
tcp_pcap.h
tcp_reass.c Address concerns about CPU usage while doing TCP reassembly. 2018-08-06 17:36:57 +00:00
tcp_sack.c
tcp_seq.h r330675 introduced an extra window check in the LRO code to ensure it 2018-04-03 13:54:38 +00:00
tcp_subr.c Use the new VNET_DEFINE_STATIC macro when we are defining static VNET 2018-07-24 16:35:52 +00:00
tcp_syncache.c Add missing send/recv dtrace probes for TCP. 2018-07-30 20:13:38 +00:00
tcp_syncache.h When retransmitting TCP SYN-ACK segments with the TCP timestamp option 2018-06-15 12:28:43 +00:00
tcp_timer.c epoch(9): allow preemptible epochs to compose 2018-07-04 02:47:16 +00:00
tcp_timer.h epoch(9): allow preemptible epochs to compose 2018-07-04 02:47:16 +00:00
tcp_timewait.c Send consistent SEG.WIN when using timewait codepath for TCP. 2018-07-30 21:13:42 +00:00
tcp_usrreq.c Fix INET only builds. 2018-07-31 06:27:05 +00:00
tcp_var.h Make struct xinpcb and friends word-size independent. 2018-07-05 13:13:48 +00:00
tcp.h This commit brings in a new refactored TCP stack called Rack. 2018-06-07 18:18:13 +00:00
tcpip.h
toecore.c Add a hook to allow the toedev handling an offloaded connection to 2018-04-03 01:08:54 +00:00
toecore.h Add a hook to allow the toedev handling an offloaded connection to 2018-04-03 01:08:54 +00:00
udp_usrreq.c Add a dtrace provider for UDP-Lite. 2018-07-31 22:56:03 +00:00
udp_var.h
udp.h
udplite.h Add a dtrace provider for UDP-Lite. 2018-07-31 22:56:03 +00:00