690a6055ff
A attacker sending a lot of bogus fragmented packets to the target (with different IPv4 identification field - ip_id), may be able to put the target machine into mbuf starvation state. By setting a upper limit on the number of reassembly queues we prevent this situation. This upper limit is controlled by the new sysctl net.inet.ip.maxfragpackets which defaults to 200, as the IPv6 case, this should be sufficient for most systmes, but you might want to increase it if you have lots of TCP sessions. I'm working on making the default value dependent on nmbclusters. If you want old behaviour (no upper limit) set this sysctl to a negative value. If you don't want to accept any fragments (not recommended) set the sysctl to 0 (zero). Obtained from: NetBSD MFC after: 1 week |
||
|---|---|---|
| .. | ||
| libalias | ||
| accf_data.c | ||
| accf_http.c | ||
| fil.c | ||
| icmp6.h | ||
| icmp_var.h | ||
| if_atm.c | ||
| if_atm.h | ||
| if_ether.c | ||
| if_ether.h | ||
| if_fddi.h | ||
| igmp.c | ||
| igmp.h | ||
| igmp_var.h | ||
| in.c | ||
| in.h | ||
| in_cksum.c | ||
| in_gif.c | ||
| in_gif.h | ||
| in_hostcache.c | ||
| in_hostcache.h | ||
| in_pcb.c | ||
| in_pcb.h | ||
| in_proto.c | ||
| in_rmx.c | ||
| in_systm.h | ||
| in_var.h | ||
| ip.h | ||
| ip6.h | ||
| ip_auth.c | ||
| ip_auth.h | ||
| ip_compat.h | ||
| ip_divert.c | ||
| ip_dummynet.c | ||
| ip_dummynet.h | ||
| ip_ecn.c | ||
| ip_ecn.h | ||
| ip_encap.c | ||
| ip_encap.h | ||
| ip_fil.c | ||
| ip_fil.h | ||
| ip_flow.c | ||
| ip_flow.h | ||
| ip_frag.c | ||
| ip_frag.h | ||
| ip_ftp_pxy.c | ||
| ip_fw.c | ||
| ip_fw.h | ||
| ip_icmp.c | ||
| ip_icmp.h | ||
| ip_id.c | ||
| ip_input.c | ||
| ip_log.c | ||
| ip_mroute.c | ||
| ip_mroute.h | ||
| ip_nat.c | ||
| ip_nat.h | ||
| ip_output.c | ||
| ip_proxy.c | ||
| ip_proxy.h | ||
| ip_raudio_pxy.c | ||
| ip_rcmd_pxy.c | ||
| ip_state.c | ||
| ip_state.h | ||
| ip_var.h | ||
| ipl.h | ||
| ipprotosw.h | ||
| mlfk_ipl.c | ||
| raw_ip.c | ||
| tcp.h | ||
| tcp_debug.c | ||
| tcp_debug.h | ||
| tcp_fsm.h | ||
| tcp_input.c | ||
| tcp_output.c | ||
| tcp_reass.c | ||
| tcp_seq.h | ||
| tcp_subr.c | ||
| tcp_timer.c | ||
| tcp_timer.h | ||
| tcp_timewait.c | ||
| tcp_usrreq.c | ||
| tcp_var.h | ||
| tcpip.h | ||
| udp.h | ||
| udp_usrreq.c | ||
| udp_var.h | ||