From owner-p4-projects@FreeBSD.ORG Tue Jun 7 18:55:32 2011
From: Catalin Nicutar <cnicutar@freebsd.org>
To: Perforce Change Reviews <perforce@freebsd.org>
Date: Tue, 7 Jun 2011 18:55:31 GMT
Message-Id: <201106071855.p57ItVON052429@skunkworks.freebsd.org>
Subject: PERFORCE change 194411 for review
List-Id: p4 projects tree changes

http://p4web.freebsd.org/@@194411?ac=10

Change 194411 by cnicutar@cnicutar_cronos on 2011/06/07 18:54:45

	Add sysctls for TCP UTO

Affected files ...

.. //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp.h#2 edit
.. //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp_subr.c#2 edit

Differences ...

==== //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp.h#2 (text+ko) ====
@@ -103,6 +103,15 @@ /* + * The timeout ranges for TCP UTO have security implications; in particular, + * long timeouts might allow for denial-of-service attacks. + */ +#define TCP_UTOMIN 100 /* Minimum acceptable timeout */ +#define TCP_UTODEF 300 /* Default advertised timeout */ +#define TCP_UTOMAX 600 /* Maximum advertised timeout */ + + +/* * Default maximum segment size for TCP. * With an IP MTU of 576, this is 536, * but 512 is probably more convenient. ==== //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp_subr.c#2 (text+ko) ==== @@ -168,6 +168,29 @@ return (sysctl_msec_to_ticks(oidp, arg1, arg2, req)); } +SYSCTL_NODE(_net_inet_tcp, OID_AUTO, uto, CTLFLAG_RW, 0, "TCP UTO"); + +VNET_DEFINE(int, uto_enable) = 1; +SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, enable, CTLFLAG_RW, + &VNET_NAME(uto_enable), 0, + "Enable TCP UTO for all connections"); + +VNET_DEFINE(int, uto_min_timeout) = TCP_UTOMIN; +SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, min_timeout, CTLFLAG_RW, + &VNET_NAME(uto_min_timeout), 0, + "Minimum accepted timeout for a connection"); + +VNET_DEFINE(int, uto_def_timeout) = TCP_UTODEF; +SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, def_timeout, CTLFLAG_RW, + &VNET_NAME(uto_def_timeout), 0, + "Default advertised timeout for all connections"); + +VNET_DEFINE(int, uto_max_timeout) = 600; +SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, max_timeout, CTLFLAG_RW, + &VNET_NAME(uto_max_timeout), 0, + "Maximum accepted timeout for a connection"); + + /* * Minimum MSS we accept and use. This prevents DoS attacks where * we are forced to a ridiculous low MSS like 20 and send hundreds
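Review bot: the new `TCP_UTOMIN`, `TCP_UTODEF` and `TCP_UTOMAX` constants in the tcp.h hunk carry no unit; the comment should state whether 100, 300 and 600 are seconds (or whatever unit the advertised UTO value is expressed in), otherwise neither the sysctl descriptions in tcp_subr.c nor the on-wire encoding can be checked against them. Since the comment already flags that long timeouts have denial-of-service implications, it is also the natural place to record why 600 was chosen as the ceiling. Minor: the block ends with two consecutive `+` blank lines before the `/*` of the MSS comment where the surrounding file uses one.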
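Review bot: in the tcp_subr.c hunk, `VNET_DEFINE(int, uto_max_timeout) = 600;` uses a literal where the two sibling definitions use their macros (`= TCP_UTOMIN`, `= TCP_UTODEF`); it should be `= TCP_UTOMAX` so the header's bound and the sysctl default cannot drift apart. More importantly, all four knobs are plain `CTLFLAG_RW` `SYSCTL_VNET_INT` entries with no range check, so an administrator can set `min_timeout` above `max_timeout`, `def_timeout` outside the min..max window, or `max_timeout` well above `TCP_UTOMAX`, which is exactly the long-timeout exposure the tcp.h comment warns about. Consider a `SYSCTL_PROC`-style handler, in the spirit of the `sysctl_msec_to_ticks` wrapper visible in the context just above this hunk, that rejects an out-of-range value with `EINVAL` and keeps min <= def <= max, and say in the descriptions that accepted timeouts are bounded by `TCP_UTOMIN` and `TCP_UTOMAX`.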