After a bit more thinking ... On 10 Jan, Don Lewis wrote:
> and then after the dropafterack label add the code:
>
> +	if (thflags & TH_SYN) {
> +		if (tp->t_state == TCPS_ESTABLISHED &&
> +		    tcp_insecure_syn == 0) {
> +			if (badport_bandlim(BANDLIM_SYN_ESTABLISHED) < 0)
> +				goto drop;
> +			tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
> +			    tp->snd_una, TH_ACK);
> [snip]
>
> I don't think this fix would be complete from the response rate limiting
> point of view because this chunk of code in the block that trims to the
> left window edge tosses the TH_SYN flag.
>
> 	todrop = tp->rcv_nxt - th->th_seq;
> 	if (todrop > 0) {
> 		if (thflags & TH_SYN) {
> 			thflags &= ~TH_SYN;
> 			th->th_seq++;
> 			if (th->th_urp > 1)
> 				th->th_urp--;
> 			else
> 				thflags &= ~TH_URG;
> 			todrop--;
> 		}
>
> and this block of code doesn't jump to dropafterack, even in the case
> where the entire segment is to the left of the window. Something else
> would have to be done to implement rate limiting for this half of the
> sequence space.

I think this problem could be solved by a minor addition to the above
block of code. If the SYN flag is set and the sequence number of the
segment doesn't match the initial received sequence number of the
connection, then we know this is not a duplicate SYN.

	todrop = tp->rcv_nxt - th->th_seq;
	if (todrop > 0) {
		if (thflags & TH_SYN) {
+			if (th->th_seq != tp->irs)
+				goto dropafterack;
			thflags &= ~TH_SYN;
			th->th_seq++;
			if (th->th_urp > 1)
				th->th_urp--;
			else
				thflags &= ~TH_URG;
			todrop--;
		}

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
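Review bot: in the quoted dropafterack hunk the challenge ACK is sent and counted only when tp->t_state == TCPS_ESTABLISHED, so a SYN that reaches dropafterack in any other synchronized state (FIN_WAIT_1, CLOSE_WAIT, and so on) falls through to the existing unconditional ACK and never touches BANDLIM_SYN_ESTABLISHED; either test for all synchronized states (TCPS_HAVEESTABLISHED(tp->t_state) is the usual spelling) or add a comment saying why ESTABLISHED alone is intended. BANDLIM_SYN_ESTABLISHED and tcp_insecure_syn are used but not defined anywhere in the quoted text, so the complete patch also needs the new badport_bandlim limit entry and the sysctl-backed variable, and the hunk is cut at [snip] before the closing braces, which makes it impossible to see whether the non-SYN case still reaches the normal ACK path.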
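Review bot: the new `if (th->th_seq != tp->irs) goto dropafterack;` sits in a block that runs in every synchronized state, while the rate limiting it is meant to reach applies only under the ESTABLISHED test in the dropafterack hunk quoted above, so a left-of-window SYN arriving in, say, FIN_WAIT_1 now gets an unlimited plain ACK instead of being stripped and trimmed as before; the two hunks need the same state condition. The two added lines also deserve a comment above them (the surrounding code reads as a plain trim, and nothing says that seq == irs is the retransmitted original SYN being tolerated); something like "A SYN left of the window that is not a retransmission of the peer's original SYN is answered via dropafterack so it is rate limited" is enough. Note for the log that a SYN with seq == irs keeps the pre-patch behaviour, i.e. it is still stripped and processed as a data segment.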
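To see how the two pieces interact, here is an added example, not code from this thread or from the FreeBSD sources: a runnable model of the left-edge trim block with the proposed irs test, and of the dropafterack path with the quoted SYN handling. struct tcpcb and struct tcphdr are cut down to the fields the quoted code touches, the TCPS_* values are assumed, and a plain budget counter stands in for badport_bandlim(BANDLIM_SYN_ESTABLISHED), with tcp_insecure_syn == 0 assumed throughout. The connection in main() is constructed so that its receive sequence space has wrapped past zero, which is the case where the int32 reading of rcv_nxt - th_seq matters.

```c
/*
 * Added example, not FreeBSD code: model of the left-edge trim block
 * (plus the proposed irs test) and of dropafterack with the quoted
 * challenge-ACK hunk.  Structs are reduced to the fields used; the
 * TCPS_* values and the budget counter are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t tcp_seq;

#define TH_SYN 0x02
#define TH_ACK 0x10
#define TH_URG 0x20

enum { TCPS_ESTABLISHED = 4, TCPS_FIN_WAIT_1 = 6 };	/* assumed values */

struct tcpcb {
	int	t_state;
	tcp_seq	irs;		/* peer's initial sequence number */
	tcp_seq	rcv_nxt;	/* left edge of the receive window */
};

struct tcphdr {
	tcp_seq	 th_seq;
	uint16_t th_urp;
	uint8_t	 th_flags;
};

enum trim_action { TRIM_CONTINUE, TRIM_DROPAFTERACK };

/*
 * Left-edge trim as quoted, plus the proposed irs test.  The subtraction
 * wraps modulo 2^32 and is read as int32, like the kernel's `int todrop`,
 * so "left of the window" means within 2^31 bytes below rcv_nxt.
 */
enum trim_action
trim_left_edge(struct tcpcb *tp, struct tcphdr *th, int32_t *todrop_out)
{
	int32_t todrop = (int32_t)(tp->rcv_nxt - th->th_seq);

	if (todrop > 0 && (th->th_flags & TH_SYN)) {
		/* Proposed addition: only the peer's original SYN is
		 * quietly stripped; any other SYN left of the window is
		 * answered through dropafterack instead. */
		if (th->th_seq != tp->irs)
			return (TRIM_DROPAFTERACK);
		th->th_flags &= ~TH_SYN;
		th->th_seq++;
		if (th->th_urp > 1)
			th->th_urp--;
		else
			th->th_flags &= ~TH_URG;
		todrop--;
	}
	*todrop_out = todrop;
	return (TRIM_CONTINUE);
}

enum outcome {
	OUT_DUP_SYN_STRIPPED,	/* seq == irs: old path, SYN cleared */
	OUT_CHALLENGE_ACK,	/* rate-limited ACK sent */
	OUT_CHALLENGE_DROPPED,	/* limit exhausted: dropped silently */
	OUT_PLAIN_ACK,		/* state != ESTABLISHED: unlimited ACK */
	OUT_NOT_LEFT_OF_WINDOW	/* todrop <= 0: handled later in tcp_input */
};

/*
 * dropafterack with the quoted SYN handling.  `*budget` plays the role of
 * badport_bandlim(): one unit per challenge ACK, drop when none is left.
 */
enum outcome
dropafterack(const struct tcpcb *tp, const struct tcphdr *th, int *budget)
{
	if ((th->th_flags & TH_SYN) && tp->t_state == TCPS_ESTABLISHED) {
		if (*budget <= 0)
			return (OUT_CHALLENGE_DROPPED);	/* goto drop */
		(*budget)--;
		return (OUT_CHALLENGE_ACK);	/* tcp_respond(..., TH_ACK) */
	}
	return (OUT_PLAIN_ACK);
}

/* Fate of an incoming SYN|ACK segment with sequence number `seq`. */
enum outcome
syn_outcome(struct tcpcb *tp, tcp_seq seq, int *budget)
{
	struct tcphdr th = { seq, 0, TH_SYN | TH_ACK };
	int32_t todrop;

	if (trim_left_edge(tp, &th, &todrop) == TRIM_DROPAFTERACK)
		return (dropafterack(tp, &th, budget));
	return ((th.th_flags & TH_SYN) ? OUT_NOT_LEFT_OF_WINDOW :
	    OUT_DUP_SYN_STRIPPED);
}

int
main(void)
{
	/* Constructed connection whose sequence space wrapped past zero. */
	struct tcpcb tp = { TCPS_ESTABLISHED, 0xFFFFFFF0u, 0x00000010u };
	int budget = 2;
	const char *name[] = { "dup SYN stripped", "challenge ACK",
	    "dropped (bandlim)", "plain ACK", "not left of window" };
	tcp_seq seqs[] = { 0xFFFFFFF0u, 0x80000011u, 0x00000005u,
	    0x00000005u, 0x00000005u, 0x80000010u, 0x00000100u };

	for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
		printf("seq 0x%08x: %s\n", seqs[i],
		    name[syn_outcome(&tp, seqs[i], &budget)]);
	tp.t_state = TCPS_FIN_WAIT_1;
	printf("FIN_WAIT_1, seq 0x%08x: %s\n", 5u,
	    name[syn_outcome(&tp, 5u, &budget)]);
	return (0);
}
```

Two things the run makes visible that the patch text does not: 0x80000011 is "left of the window" by the int32 reading although it is numerically far above rcv_nxt, while 0x80000010 is not, and once the budget is gone further left-of-window SYNs are dropped without any response. The last line shows the gap between the two hunks: in FIN_WAIT_1 the same SYN is answered with an unlimited ACK because the challenge path only checks for ESTABLISHED.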