tcp hostcache and ip fastforward for review
oppermann at pipeline.ch
Sun Nov 9 08:19:56 PST 2003
this patch contains three things (to be separated for committing):
- removes protocol cloning from routing table (IPv4+6)
- removes rtentry pointer from inpcb and in6pcb
- removes ip route cache in ip_input.c (locking much easier)
- removes most (tcp specific) metrics from rtentry metrics
- adds a hostcache table which carries the metrics for tcp
  - works transparently for IPv4 and IPv6
  - is designed for concurrent access in SMP environments
- significant reduction of routing table size (no cloning anymore)
- eases many routing table locking situations in ip/tcp code

- removes ip_flow forwarding code
- adds full direct process-to-completion IPv4 forwarding code
  - handles ip fragmentation incl. hw support (ip_flow did not)
  - supports ipfw and ipfilter (ip_flow did not)
  - supports divert and ipfw fwd (ip_flow did not)
  - drops anything it can't handle back to normal ip_input

tcp bug fixes and MSS DoS attack prevention
- fixes wrong goto in tcp_input.c which sends two RST packets
  instead of one
- adds tcp_minmss sysctl which limits the lowest MSS we accept
  during TCP setup and path MTU discovery
- adds tcp_minmssoverload which disconnects a TCP session if
  it receives too many (1000) packets per second whose average
  segment size is lower than tcp_minmss
  - DoS attack 1: send very low MSS in syn to remote host,
    request large data stream (file) and let other host produce
    maaaany small packets which consumes a lot of CPU
  - DoS attack 2: make MSS very low on local side of connection
    and send maaaany small packet to remote host. For every packet
    (eg. 2 bytes payload) a sowakeup is done to the listening
    process. Consumes a lot of CPU there.
I'm looking for any comments, testing and bug reports (if any ;-).
Hajimu-san, I'm looking especially for comments on whether my changes
to IPv6 are correct wrt IPv6 concepts. (I hope they are).
Hopefully these things can make it into -CURRENT before 5.2 release.
Sam Leffler has indicated he is willing to commit it when there are
no objections to the implementation and the code. I am fully committed
to fix any bugs that might come up after it's in the tree.
I am running my machines with these changes for a couple of weeks now
without any problems. The attached patch obviously doesn't have that
much exposure because I've had to update it all the time to track
Sam's locking changes and UME's IPv6 updates.
The patch is here (relative to -CURRENT as of 2003-11-09):
I'm grateful for everyone who tries out the patch and reports their
success and/or other findings.
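The two mitigations the post describes, clamping an offered MSS to tcp_minmss and tearing down a session that exceeds tcp_minmssoverload small segments within one second, reduce to a small amount of per-connection accounting. The following is an added, user-space illustration of that logic written for this page; it is not code from the patch or from the FreeBSD tree. The tunable values, the struct minmss_state type and the function names are assumptions chosen for the example, and the check deliberately keys the window on whole seconds, so the counters reset at each second boundary as the post's "packets per second" wording implies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Tunables modelled on the two sysctls named in the post. The numeric
 * values are assumptions for this example, not the patch's defaults
 * (the post only states the 1000 packets/second overload figure). */
#define TCP_MINMSS          216     /* lowest MSS we are willing to accept (assumed) */
#define TCP_MINMSSOVERLOAD  1000    /* small segments per second before teardown */

/* Per-connection accounting state. Hypothetical: the real patch keeps
 * this in the kernel's TCP control block, not in a separate struct. */
struct minmss_state {
    uint32_t window_start;  /* second in which the current window began */
    uint32_t pkts;          /* segments received in this window */
    uint64_t bytes;         /* payload bytes received in this window */
};

/* MSS negotiation / PMTU discovery: never let the effective MSS drop
 * below TCP_MINMSS, whatever the peer offers or ICMP reports. */
uint32_t clamp_mss(uint32_t offered)
{
    return offered < TCP_MINMSS ? TCP_MINMSS : offered;
}

/* Account one received segment carrying `payload` bytes at wall-clock
 * second `now_sec`. Returns true when the connection should be dropped:
 * more than TCP_MINMSSOVERLOAD segments in the current one-second window
 * whose average payload is below TCP_MINMSS. A flood of full-size
 * segments never trips the check, so bulk transfers are unaffected. */
bool minmss_overload_check(struct minmss_state *st, uint32_t now_sec,
                           size_t payload)
{
    if (now_sec != st->window_start) {
        /* New one-second window: start counting afresh. */
        st->window_start = now_sec;
        st->pkts = 0;
        st->bytes = 0;
    }
    st->pkts++;
    st->bytes += payload;

    if (st->pkts > TCP_MINMSSOVERLOAD &&
        st->bytes / st->pkts < TCP_MINMSS)
        return true;            /* tiny-segment overload: disconnect */
    return false;
}

/* Helper for experiments: feed `n` segments of `payload` bytes into a
 * fresh connection within one second and report whether the overload
 * check fired on any of them. */
bool simulate_burst(size_t payload, unsigned n)
{
    struct minmss_state st = {0};
    bool dropped = false;
    for (unsigned i = 0; i < n && !dropped; i++)
        dropped = minmss_overload_check(&st, 42, payload);
    return dropped;
}
```

The check is intentionally conservative: it only fires once both conditions hold, so a legitimate interactive session sending a few hundred small segments a second, or a bulk transfer of large segments, is never disconnected.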