PERFORCE change 194411 for review
Catalin Nicutar
cnicutar at FreeBSD.org
Tue Jun 7 18:55:32 UTC 2011
http://p4web.freebsd.org/@@194411?ac=10
Change 194411 by cnicutar at cnicutar_cronos on 2011/06/07 18:54:45
Add sysctls for TCP UTO
Affected files ...
.. //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp.h#2 edit
.. //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp_subr.c#2 edit
Differences ...
==== //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp.h#2 (text+ko) ====
@@ -103,6 +103,15 @@
/*
+ * The timeout ranges for TCP UTO have security implications; in particular,
+ * long timeouts might allow for denial-of-service attacks.
+ */
+#define TCP_UTOMIN 100 /* Minimum acceptable timeout */
+#define TCP_UTODEF 300 /* Default advertised timeout */
+#define TCP_UTOMAX 600 /* Maximum advertised timeout */
+
+
+/*
* Default maximum segment size for TCP.
* With an IP MTU of 576, this is 536,
* but 512 is probably more convenient.
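Review bot: The new TCP_UTOMIN/TCP_UTODEF/TCP_UTOMAX values carry no unit, so a reader cannot tell whether 100/300/600 are seconds, milliseconds or ticks; the trailing comments should say, e.g. `#define TCP_UTOMIN 100 /* Minimum acceptable timeout (UNIT) */` with the real unit filled in for all three. The block comment warns that long timeouts enable denial of service but does not say which constant guards against it; it should state that TCP_UTOMAX bounds what this host will honour from a peer, or advertise, whichever is intended — the trailing comment says "advertised" while the matching max_timeout sysctl in the tcp_subr.c hunk says "accepted", so one of the two is wrong. The constants by themselves enforce nothing; the clamp has to happen where the option value is parsed, which is outside this change.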
==== //depot/projects/soc2011/cnicutar_tcputo_8/src/sys/netinet/tcp_subr.c#2 (text+ko) ====
@@ -168,6 +168,29 @@
return (sysctl_msec_to_ticks(oidp, arg1, arg2, req));
}
+SYSCTL_NODE(_net_inet_tcp, OID_AUTO, uto, CTLFLAG_RW, 0, "TCP UTO");
+
+VNET_DEFINE(int, uto_enable) = 1;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, enable, CTLFLAG_RW,
+ &VNET_NAME(uto_enable), 0,
+ "Enable TCP UTO for all connections");
+
+VNET_DEFINE(int, uto_min_timeout) = TCP_UTOMIN;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, min_timeout, CTLFLAG_RW,
+ &VNET_NAME(uto_min_timeout), 0,
+ "Minimum accepted timeout for a connection");
+
+VNET_DEFINE(int, uto_def_timeout) = TCP_UTODEF;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, def_timeout, CTLFLAG_RW,
+ &VNET_NAME(uto_def_timeout), 0,
+ "Default advertised timeout for all connections");
+
+VNET_DEFINE(int, uto_max_timeout) = 600;
+SYSCTL_VNET_INT(_net_inet_tcp_uto, OID_AUTO, max_timeout, CTLFLAG_RW,
+ &VNET_NAME(uto_max_timeout), 0,
+ "Maximum accepted timeout for a connection");
+
+
/*
* Minimum MSS we accept and use. This prevents DoS attacks where
* we are forced to a ridiculous low MSS like 20 and send hundreds
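Review bot: `VNET_DEFINE(int, uto_max_timeout) = 600;` hard-codes the maximum while the sibling min and def definitions take their initial values from the new header constants; the tcp.h hunk defines TCP_UTOMAX as 600, so this line should read `VNET_DEFINE(int, uto_max_timeout) = TCP_UTOMAX;` to keep the two from drifting apart. The three timeout sysctls are plain CTLFLAG_RW integers, so nothing rejects a min_timeout above max_timeout, a def_timeout outside [min, max], or a zero or negative value, even though the header comment says these ranges have security implications; a SYSCTL_VNET_PROC with a handler that validates the new value against the other two (in the style of the sysctl_msec_to_ticks handler whose closing brace begins this hunk) would enforce the invariant at the point of change. The description strings also disagree with the header: tcp.h calls TCP_UTOMAX the "Maximum advertised timeout" whereas max_timeout here is "Maximum accepted timeout for a connection". Finally, none of the descriptions name a unit; appending it (e.g. `"Maximum accepted timeout for a connection (seconds)"` if seconds is intended) would make the sysctl self-describing.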