[src/trunk]: src/sys/netinet Add support for rate-limiting RSTs sent in respo...
details: https://anonhg.NetBSD.org/src/rev/c53244b5a2f7
branches: trunk
changeset: 482581:c53244b5a2f7
user: thorpej <thorpej%NetBSD.org@localhost>
date: Tue Feb 15 19:54:11 2000 +0000
description:
Add support for rate-limiting the RSTs sent in response to incoming packets
for which there is no socket. The default minimum interval is 10ms. The interval
can be changed via the "net.inet.tcp.rstratelimit" sysctl variable.
diffstat:
sys/netinet/in_proto.c | 4 +++-
sys/netinet/tcp_input.c | 24 +++++++++++++++++++-----
sys/netinet/tcp_usrreq.c | 23 ++++++++++++++++++++++-
sys/netinet/tcp_var.h | 9 +++++++--
4 files changed, 51 insertions(+), 9 deletions(-)
diffs (171 lines):
diff -r 35d597dad614 -r c53244b5a2f7 sys/netinet/in_proto.c
--- a/sys/netinet/in_proto.c Tue Feb 15 19:29:54 2000 +0000
+++ b/sys/netinet/in_proto.c Tue Feb 15 19:54:11 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in_proto.c,v 1.36 2000/02/15 04:03:49 thorpej Exp $ */
+/* $NetBSD: in_proto.c,v 1.37 2000/02/15 19:54:11 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -276,4 +276,6 @@
struct syn_cache_head tcp_syn_cache[TCP_SYN_HASH_SIZE];
int tcp_syn_cache_interval = 1; /* runs timer twice a second */
+struct timeval tcp_rst_ratelim = { 0, 10000 }; /* 10000usec = 10msec */
+
struct timeval icmperrratelim = { 0, 1000 }; /* 1000usec = 1msec */
diff -r 35d597dad614 -r c53244b5a2f7 sys/netinet/tcp_input.c
--- a/sys/netinet/tcp_input.c Tue Feb 15 19:29:54 2000 +0000
+++ b/sys/netinet/tcp_input.c Tue Feb 15 19:54:11 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_input.c,v 1.103 2000/02/12 17:19:34 thorpej Exp $ */
+/* $NetBSD: tcp_input.c,v 1.104 2000/02/15 19:54:12 thorpej Exp $ */
/*
%%% portions-copyright-nrl-95
@@ -190,6 +190,8 @@
int tcprexmtthresh = 3;
int tcp_log_refused;
+struct timeval tcp_rst_ratelim_last;
+
#define TCP_PAWS_IDLE (24 * 24 * 60 * 60 * PR_SLOWHZ)
/* for modulo comparisons of timestamps */
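Review bot: tcp_rst_ratelim_last is introduced with external linkage, but the patch neither declares it in tcp_var.h nor references it outside tcp_input.c; if nothing else needs it, `static struct timeval tcp_rst_ratelim_last;` keeps it out of the kernel's global namespace. A comment stating what it records, e.g. `/* last time an RST was allowed through dropwithreset_ratelim */`, would also help, since the name alone does not say whether it is the last attempt or the last RST actually sent (presumably the latter, as updated by ratecheck()).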
@@ -856,7 +858,7 @@
src, ntohs(th->th_sport));
}
TCP_FIELDS_TO_HOST(th);
- goto dropwithreset;
+ goto dropwithreset_ratelim;
}
#ifdef IPSEC
if (inp && ipsec4_in_reject(m, inp)) {
@@ -895,7 +897,7 @@
if (in6p == NULL) {
++tcpstat.tcps_noport;
TCP_FIELDS_TO_HOST(th);
- goto dropwithreset;
+ goto dropwithreset_ratelim;
}
#ifdef IPSEC
if (ipsec6_in_reject(m, in6p)) {
@@ -928,7 +930,7 @@
#endif
if (tp == 0) {
TCP_FIELDS_TO_HOST(th);
- goto dropwithreset;
+ goto dropwithreset_ratelim;
}
if (tp->t_state == TCPS_CLOSED)
goto drop;
@@ -2113,11 +2115,23 @@
m_freem(tcp_saveti);
return;
+dropwithreset_ratelim:
+ /*
+ * We may want to rate-limit RSTs in certain situations,
+ * particularly if we are sending an RST in response to
+ * an attempt to connect to or otherwise communicate with
+ * a port for which we have no socket.
+ */
+ if (ratecheck(&tcp_rst_ratelim_last, &tcp_rst_ratelim) == 0) {
+ /* XXX stat */
+ goto drop;
+ }
+ /* ...fall into dropwithreset... */
+
dropwithreset:
/*
* Generate a RST, dropping incoming segment.
* Make ACK acceptable to originator of segment.
- * Don't bother to respond if destination was broadcast/multicast.
*/
if (tiflags & TH_RST)
goto drop;
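Review bot: The ratecheck() at the new dropwithreset_ratelim label runs before the `if (tiflags & TH_RST) goto drop;` test under dropwithreset, so a segment that would be discarded without any RST being sent still consumes a slot in the limiter and can suppress a legitimate RST that falls in the same 10 ms window. Putting `if (tiflags & TH_RST) goto drop;` as the first statement under dropwithreset_ratelim keeps the budget for RSTs that would actually be generated. The `/* XXX stat */` placeholder also leaves operators with no way to see how often RSTs are being suppressed; a tcpstat counter incremented on that path would make the limiter observable. Since tcp_rst_ratelim_last is a single global timestamp the limit is host-wide rather than per peer, which is worth stating in the comment, e.g. `/* one global bucket: bounds the total RST rate, not per-source */`. tcp_input() begins and ends outside this hunk.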
diff -r 35d597dad614 -r c53244b5a2f7 sys/netinet/tcp_usrreq.c
--- a/sys/netinet/tcp_usrreq.c Tue Feb 15 19:29:54 2000 +0000
+++ b/sys/netinet/tcp_usrreq.c Tue Feb 15 19:54:11 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_usrreq.c,v 1.47 2000/02/04 14:34:22 itojun Exp $ */
+/* $NetBSD: tcp_usrreq.c,v 1.48 2000/02/15 19:54:12 thorpej Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -896,10 +896,31 @@
void *newp;
size_t newlen;
{
+
/* All sysctl names at this level are terminal. */
if (namelen != 1)
return (ENOTDIR);
+ /*
+ * The sysctl specifies usec-between-RST, so we must
+ * convert from/to a timeval.
+ */
+ if (name[0] == TCPCTL_RSTRATELIMIT) {
+ int rate_usec, error, s;
+
+ rate_usec = (tcp_rst_ratelim.tv_sec * 1000000) +
+ tcp_rst_ratelim.tv_usec;
+ error = sysctl_int(oldp, oldlenp, newp, newlen, &rate_usec);
+ if (error)
+ return (error);
+ s = splsoftnet();
+ tcp_rst_ratelim.tv_sec = rate_usec / 1000000;
+ tcp_rst_ratelim.tv_usec = rate_usec % 1000000;
+ splx(s);
+
+ return (0);
+ }
+
if (name[0] < sizeof(tcp_ctlvars)/sizeof(tcp_ctlvars[0])
&& tcp_ctlvars[name[0]].valid) {
if (tcp_ctlvars[name[0]].rdonly)
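Review bot: The value returned by sysctl_int() is stored into tcp_rst_ratelim without any range check, so a negative rate_usec yields a timeval with negative tv_sec and tv_usec, which is not a well-formed interval for ratecheck(). Rejecting it before the splsoftnet() section, `if (rate_usec < 0) return (EINVAL);` right after the error check, keeps the kernel state valid; whether 0 is meant as "no limit" is presumably decided by ratecheck() and would be worth stating in the comment above the block. The conversion back is also performed unconditionally, so a read-only request rewrites tcp_rst_ratelim with the value it just read; harmless here, but `if (newp == NULL) return (0);` before the store would make the read path side-effect free. The enclosing tcp_sysctl() signature and body begin and end outside this hunk.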
diff -r 35d597dad614 -r c53244b5a2f7 sys/netinet/tcp_var.h
--- a/sys/netinet/tcp_var.h Tue Feb 15 19:29:54 2000 +0000
+++ b/sys/netinet/tcp_var.h Tue Feb 15 19:54:11 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tcp_var.h,v 1.71 1999/12/13 15:17:21 itojun Exp $ */
+/* $NetBSD: tcp_var.h,v 1.72 2000/02/15 19:54:12 thorpej Exp $ */
/*
%%% portions-copyright-nrl-98
@@ -534,7 +534,8 @@
#define TCPCTL_SLOWHZ 20 /* PR_SLOWHZ (read-only) */
#define TCPCTL_NEWRENO 21 /* NewReno Congestion Control */
#define TCPCTL_LOG_REFUSED 22 /* Log refused connections */
-#define TCPCTL_MAXID 23
+#define TCPCTL_RSTRATELIMIT 23 /* RST rate limit */
+#define TCPCTL_MAXID 24
#define TCPCTL_NAMES { \
{ 0, 0 }, \
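Review bot: The comment on the new TCPCTL_RSTRATELIMIT define, `/* RST rate limit */`, does not say what unit the value carries, while the sysctl handler in tcp_usrreq.c interprets it as microseconds between RSTs; `/* RST rate limit (usec between RSTs) */` makes that clear to anyone reading the header or the sysctl(8) output. The same unit ambiguity applies to the "rstratelimit" name added in the following TCPCTL_NAMES hunk, though the name itself is part of the interface and best left as is.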
@@ -560,6 +561,7 @@
{ "slowhz", CTLTYPE_INT }, \
{ "newreno", CTLTYPE_INT }, \
{ "log_refused",CTLTYPE_INT }, \
+ { "rstratelimit", CTLTYPE_INT }, \
}
#ifdef _KERNEL
@@ -586,6 +588,8 @@
extern int tcp_syn_cache_interval; /* compressed state timer */
extern int tcp_log_refused; /* log refused connections */
+extern struct timeval tcp_rst_ratelim;
+
extern int tcp_syn_cache_size;
extern struct syn_cache_head tcp_syn_cache[];
extern u_long syn_cache_count;
@@ -614,6 +618,7 @@
{ 1, 1, 0, PR_SLOWHZ }, \
{ 1, 0, &tcp_do_newreno }, \
{ 1, 0, &tcp_log_refused }, \
+ { 1, 1, 0, 0 } \
}
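Review bot: The new tcp_ctlvars entry `{ 1, 1, 0, 0 }` appears to mark TCPCTL_RSTRATELIMIT as valid and read-only with no backing variable, which is only correct because tcp_sysctl() intercepts that name before consulting the table; nothing at the table says so, and someone later converting it to the usual `{ 1, 0, &var }` form would silently bypass the usec-to-timeval conversion. A trailing comment, `{ 1, 1, 0, 0 } /* handled specially in tcp_sysctl() */ \`, ties the two together. The field meanings are inferred from the neighbouring SLOWHZ entry rather than visible in this hunk.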
int tcp_attach __P((struct socket *));