Date: Tue, 7 Jun 2011 18:55:31 GMT From: Catalin Nicutar <cnicutar@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 194411 for review Message-ID: <201106071855.p57ItVON052429@skunkworks.freebsd.org>
http://p4web.freebsd.org/@@194411?ac=10
Change 194411 by cnicutar@cnicutar_cronos on 2011/06/07 18:54:45
Add sysctls for TCP UTO
Affected files ...
.. //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp.h#2 edit
.. //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp_subr.c#2 edit
Differences ...
==== //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp.h#2 (text+ko) ====
@@ -103,6 +103,15 @@
 /*
+ * The timeout ranges for TCP UTO have security implications; in particular,
+ * long timeouts might allow for denial-of-service attacks.
+ */
+#define TCP_UTOMIN 100 /* Minimum acceptable timeout */
+#define TCP_UTODEF 300 /* Default advertised timeout */
+#define TCP_UTOMAX 600 /* Maximum advertised timeout */
+
+
+/*
  * Default maximum segment size for TCP.
  * With an IP MTU of 576, this is 536,
  * but 512 is probably more convenient.
==== //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp_subr.c#2 (text+ko) ====
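Review bot: The three TCP_UTO* constants on the `#define` lines carry no unit, so a reader of tcp.h cannot tell whether 100, 300 and 600 are seconds, minutes or clock ticks, and the header comment that calls the range security-relevant gives no way to judge it. State the unit in each trailing comment, e.g. `/* Minimum acceptable timeout (seconds) */`, assuming these are the second-granularity values the UTO option carries — confirm against the code that encodes the option. The comment wording should also match what the sysctl descriptions in tcp_subr.c say ("acceptable"/"advertised" here versus "accepted" there).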
@@ -168,6 +168,29 @@
 return (sysctl_msec_to_ticks(oidp, arg1, arg2, req));
 }
+SYSCTL_NODE(_net_inet_tcp, OID_AUTO, uto, CTLFLAG_RW, 0, "TCP UTO");
+
+VNET_DEFINE(int, uto_enable) = 1;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, enable, CTLFLAG_RW,
+ &VNET_NAME(uto_enable), 0,
+ "Enable TCP UTO for all connections");
+
+VNET_DEFINE(int, uto_min_timeout) = TCP_UTOMIN;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, min_timeout, CTLFLAG_RW,
+ &VNET_NAME(uto_min_timeout), 0,
+ "Minimum accepted timeout for a connection");
+
+VNET_DEFINE(int, uto_def_timeout) = TCP_UTODEF;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, def_timeout, CTLFLAG_RW,
+ &VNET_NAME(uto_def_timeout), 0,
+ "Default advertised timeout for all connections");
+
+VNET_DEFINE(int, uto_max_timeout) = 600;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, max_timeout, CTLFLAG_RW,
+ &VNET_NAME(uto_max_timeout), 0,
+ "Maximum accepted timeout for a connection");
+
+
 /*
  * Minimum MSS we accept and use. This prevents DoS attacks where
  * we are forced to a ridiculous low MSS like 20 and send hundreds
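Review bot: `VNET_DEFINE(int, uto_max_timeout) = 600;` hard-codes the value that the tcp.h hunk of this same change names TCP_UTOMAX, while the min and default initializers use TCP_UTOMIN and TCP_UTODEF; write `VNET_DEFINE(int, uto_max_timeout) = TCP_UTOMAX;` so the header constant and the sysctl default cannot drift apart. The three timeout sysctls are plain CTLFLAG_RW integers, so nothing rejects a negative value or min_timeout above max_timeout, and nothing ties max_timeout to the bound that the tcp.h comment describes as having denial-of-service implications. A SYSCTL_VNET_PROC handler that validates the new value before storing it — in the way the handler ending at the top of this hunk appears to funnel its value through sysctl_msec_to_ticks — would make the range enforced rather than advisory; a minimal version bounding each variable to [TCP_UTOMIN, TCP_UTOMAX] is sketched below. The description strings also disagree with tcp.h on whether max_timeout is "advertised" or "accepted"; pick one wording for both. The function whose closing `}` is the hunk's second context line starts outside the hunk.
```c
/* Validate a TCP UTO timeout sysctl against the range tcp.h permits. */
static int
sysctl_net_inet_tcp_uto_timeout(SYSCTL_HANDLER_ARGS)
{
	int error, val;

	val = *(int *)arg1;
	error = sysctl_handle_int(oidp, &val, 0, req);
	if (error != 0 || req->newptr == NULL)
		return (error);
	/* Out-of-range values are refused, not clamped, so the caller sees it. */
	if (val < TCP_UTOMIN || val > TCP_UTOMAX)
		return (EINVAL);
	*(int *)arg1 = val;
	return (0);
}

VNET_DEFINE(int, uto_max_timeout) = TCP_UTOMAX;
SYSCTL_VNET_PROC(_net_inet_tcp_uto, OID_AUTO, max_timeout,
    CTLTYPE_INT | CTLFLAG_RW, &VNET_NAME(uto_max_timeout), 0,
    sysctl_net_inet_tcp_uto_timeout, "I",
    "Maximum accepted timeout for a connection");
/* … unchanged: uto_enable, min_timeout and def_timeout sysctls (the latter two take the same handler) … */
```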