tcp_syncache.c (124851) | tcp_syncache.c (125680) |
---|---|
1/*- 2 * Copyright (c) 2001 Networks Associates Technology, Inc. 3 * All rights reserved. 4 * 5 * This software was developed for the FreeBSD Project by Jonathan Lemon 6 * and NAI Labs, the Security Research Division of Network Associates, Inc. 7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8 * DARPA CHATS research program. --- 17 unchanged lines hidden (view full) --- 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * | 1/*- 2 * Copyright (c) 2001 Networks Associates Technology, Inc. 3 * All rights reserved. 4 * 5 * This software was developed for the FreeBSD Project by Jonathan Lemon 6 * and NAI Labs, the Security Research Division of Network Associates, Inc. 7 * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8 * DARPA CHATS research program. --- 17 unchanged lines hidden (view full) --- 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * |
34 * $FreeBSD: head/sys/netinet/tcp_syncache.c 124851 2004-01-23 01:39:12Z andre $ | 34 * $FreeBSD: head/sys/netinet/tcp_syncache.c 125680 2004-02-11 04:26:04Z bms $ |
35 */ 36 | 35 */ 36 |
37#include "opt_inet.h" |
|
37#include "opt_inet6.h" 38#include "opt_ipsec.h" 39#include "opt_mac.h" 40#include "opt_tcpdebug.h" 41 42#include <sys/param.h> 43#include <sys/systm.h> 44#include <sys/kernel.h> --- 645 unchanged lines hidden (view full) --- 690 * Initialization of the tcpcb for transaction; 691 * set SND.WND = SEG.WND, 692 * initialize CCsend and CCrecv. 693 */ 694 tp->t_flags |= TF_REQ_CC|TF_RCVD_CC; 695 tp->cc_send = sc->sc_cc_send; 696 tp->cc_recv = sc->sc_cc_recv; 697 } | 38#include "opt_inet6.h" 39#include "opt_ipsec.h" 40#include "opt_mac.h" 41#include "opt_tcpdebug.h" 42 43#include <sys/param.h> 44#include <sys/systm.h> 45#include <sys/kernel.h> --- 645 unchanged lines hidden (view full) --- 691 * Initialization of the tcpcb for transaction; 692 * set SND.WND = SEG.WND, 693 * initialize CCsend and CCrecv. 694 */ 695 tp->t_flags |= TF_REQ_CC|TF_RCVD_CC; 696 tp->cc_send = sc->sc_cc_send; 697 tp->cc_recv = sc->sc_cc_recv; 698 } |
699#ifdef TCP_SIGNATURE 700 if (sc->sc_flags & SCF_SIGNATURE) 701 tp->t_flags |= TF_SIGNATURE; 702#endif /* TCP_SIGNATURE */ |
|
698 699 /* 700 * Set up MSS and get cached values from tcp_hostcache. 701 * This might overwrite some of the defaults we just set. 702 */ 703 tcp_mss(tp, sc->sc_peer_mss); 704 705 /* --- 259 unchanged lines hidden (view full) --- 965 if (to->to_flags & (TOF_CC|TOF_CCNEW)) { 966 sc->sc_cc_recv = to->to_cc; 967 sc->sc_cc_send = CC_INC(tcp_ccgen); 968 sc->sc_flags |= SCF_CC; 969 } 970 } 971 if (tp->t_flags & TF_NOOPT) 972 sc->sc_flags = SCF_NOOPT; | 703 704 /* 705 * Set up MSS and get cached values from tcp_hostcache. 706 * This might overwrite some of the defaults we just set. 707 */ 708 tcp_mss(tp, sc->sc_peer_mss); 709 710 /* --- 259 unchanged lines hidden (view full) --- 970 if (to->to_flags & (TOF_CC|TOF_CCNEW)) { 971 sc->sc_cc_recv = to->to_cc; 972 sc->sc_cc_send = CC_INC(tcp_ccgen); 973 sc->sc_flags |= SCF_CC; 974 } 975 } 976 if (tp->t_flags & TF_NOOPT) 977 sc->sc_flags = SCF_NOOPT; |
978#ifdef TCP_SIGNATURE 979 /* 980 * If listening socket requested TCP digests, and received SYN 981 * contains the option, flag this in the syncache so that 982 * syncache_respond() will do the right thing with the SYN+ACK. 983 * XXX Currently we always record the option by default and will 984 * attempt to use it in syncache_respond(). 985 */ 986 if (to->to_flags & TOF_SIGNATURE) 987 sc->sc_flags = SCF_SIGNATURE; 988#endif /* TCP_SIGNATURE */ |
|
973 974 /* 975 * XXX 976 * We have the option here of not doing TAO (even if the segment 977 * qualifies) and instead fall back to a normal 3WHS via the syncache. 978 * This allows us to apply synflood protection to TAO-qualifying SYNs 979 * also. However, there should be a hueristic to determine when to 980 * do this, and is not present at the moment. --- 97 unchanged lines hidden (view full) --- 1078 /* Compute the size of the TCP options. */ 1079 if (sc->sc_flags & SCF_NOOPT) { 1080 optlen = 0; 1081 } else { 1082 optlen = TCPOLEN_MAXSEG + 1083 ((sc->sc_flags & SCF_WINSCALE) ? 4 : 0) + 1084 ((sc->sc_flags & SCF_TIMESTAMP) ? TCPOLEN_TSTAMP_APPA : 0) + 1085 ((sc->sc_flags & SCF_CC) ? TCPOLEN_CC_APPA * 2 : 0); | 989 990 /* 991 * XXX 992 * We have the option here of not doing TAO (even if the segment 993 * qualifies) and instead fall back to a normal 3WHS via the syncache. 994 * This allows us to apply synflood protection to TAO-qualifying SYNs 995 * also. However, there should be a hueristic to determine when to 996 * do this, and is not present at the moment. --- 97 unchanged lines hidden (view full) --- 1094 /* Compute the size of the TCP options. */ 1095 if (sc->sc_flags & SCF_NOOPT) { 1096 optlen = 0; 1097 } else { 1098 optlen = TCPOLEN_MAXSEG + 1099 ((sc->sc_flags & SCF_WINSCALE) ? 4 : 0) + 1100 ((sc->sc_flags & SCF_TIMESTAMP) ? TCPOLEN_TSTAMP_APPA : 0) + 1101 ((sc->sc_flags & SCF_CC) ? TCPOLEN_CC_APPA * 2 : 0); |
1102#ifdef TCP_SIGNATURE 1103 optlen += ((sc->sc_flags & SCF_SIGNATURE) ? 1104 (TCPOLEN_SIGNATURE + 2) : 0); 1105#endif /* TCP_SIGNATURE */ |
|
1086 } 1087 tlen = hlen + sizeof(struct tcphdr) + optlen; 1088 1089 /* 1090 * XXX 1091 * assume that the entire packet will fit in a header mbuf 1092 */ 1093 KASSERT(max_linkhdr + tlen <= MHLEN, ("syncache: mbuf too small")); --- 101 unchanged lines hidden (view full) --- 1195 u_int32_t *lp = (u_int32_t *)(optp); 1196 1197 *lp++ = htonl(TCPOPT_CC_HDR(TCPOPT_CC)); 1198 *lp++ = htonl(sc->sc_cc_send); 1199 *lp++ = htonl(TCPOPT_CC_HDR(TCPOPT_CCECHO)); 1200 *lp = htonl(sc->sc_cc_recv); 1201 optp += TCPOLEN_CC_APPA * 2; 1202 } | 1106 } 1107 tlen = hlen + sizeof(struct tcphdr) + optlen; 1108 1109 /* 1110 * XXX 1111 * assume that the entire packet will fit in a header mbuf 1112 */ 1113 KASSERT(max_linkhdr + tlen <= MHLEN, ("syncache: mbuf too small")); --- 101 unchanged lines hidden (view full) --- 1215 u_int32_t *lp = (u_int32_t *)(optp); 1216 1217 *lp++ = htonl(TCPOPT_CC_HDR(TCPOPT_CC)); 1218 *lp++ = htonl(sc->sc_cc_send); 1219 *lp++ = htonl(TCPOPT_CC_HDR(TCPOPT_CCECHO)); 1220 *lp = htonl(sc->sc_cc_recv); 1221 optp += TCPOLEN_CC_APPA * 2; 1222 } |
1223 1224#ifdef TCP_SIGNATURE 1225 /* 1226 * Handle TCP-MD5 passive opener response. 1227 */ 1228 if (sc->sc_flags & SCF_SIGNATURE) { 1229 u_int8_t *bp = optp; 1230 int i; 1231 1232 *bp++ = TCPOPT_SIGNATURE; 1233 *bp++ = TCPOLEN_SIGNATURE; 1234 for (i = 0; i < TCP_SIGLEN; i++) 1235 *bp++ = 0; 1236 tcpsignature_compute(m, sizeof(struct ip), 0, optlen, 1237 optp + 2, IPSEC_DIR_OUTBOUND); 1238 *bp++ = TCPOPT_NOP; 1239 *bp++ = TCPOPT_EOL; 1240 optp += TCPOLEN_SIGNATURE + 2; 1241 } 1242#endif /* TCP_SIGNATURE */ |
|
1203 } 1204 1205#ifdef INET6 1206 if (sc->sc_inc.inc_isipv6) { 1207 th->th_sum = 0; 1208 th->th_sum = in6_cksum(m, IPPROTO_TCP, hlen, tlen - hlen); 1209 ip6->ip6_hlim = in6_selecthlim(NULL, NULL); 1210 error = ip6_output(m, NULL, NULL, 0, NULL, NULL, inp); --- 201 unchanged lines hidden --- | 1243 } 1244 1245#ifdef INET6 1246 if (sc->sc_inc.inc_isipv6) { 1247 th->th_sum = 0; 1248 th->th_sum = in6_cksum(m, IPPROTO_TCP, hlen, tlen - hlen); 1249 ip6->ip6_hlim = in6_selecthlim(NULL, NULL); 1250 error = ip6_output(m, NULL, NULL, 0, NULL, NULL, inp); --- 201 unchanged lines hidden --- |
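Review bot: `sc->sc_flags = SCF_SIGNATURE;` at new line 987 in the syncache_add hunk assigns instead of ORing, so a SYN that carries the MD5 option discards the SCF_WINSCALE, SCF_TIMESTAMP and SCF_CC bits set just above it (and any SCF_NOOPT from the preceding line); unlike the TF_NOOPT assignment before it, where dropping every other option is the intent, this looks like a slip and should read `sc->sc_flags |= SCF_SIGNATURE;`. The SYN+ACK built in syncache_respond would then omit options the peer negotiated, which is a silent behavioural change for signed connections rather than a safe failure. In the syncache_respond hunk (new lines 1236-1237), `tcpsignature_compute()` is handed a fixed `sizeof(struct ip)` where the surrounding code carries the header length in `hlen`, and the INET6 branch a few lines later suggests v6 entries can reach this path, so either `hlen` should be passed or SCF_SIGNATURE refused for v6 entries; its return value is also discarded, so if it can fail (presumably when no matching SA exists) the zeroed digest is still sent. Both enclosing functions begin and end outside the visible hunks.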