Differential D31138

pf: syncookie support
ClosedPublic
Actions

Authored by kp on Jul 11 2021, 8:18 AM.

Tags

None

Referenced Files

	F107191914: D31138.diff
	Sat, Jan 11, 10:46 AM

	Unknown Object (File)
	Thu, Jan 9, 12:52 AM

	Unknown Object (File)
	Fri, Dec 27, 3:17 PM

	Unknown Object (File)
	Dec 8 2024, 8:22 PM

	Unknown Object (File)
	Dec 4 2024, 1:55 PM

	Unknown Object (File)
	Nov 26 2024, 10:25 AM

	Unknown Object (File)
	Nov 26 2024, 1:10 AM

	Unknown Object (File)
	Nov 23 2024, 4:06 AM

Subscribers

Details

Reviewers

Group Reviewers

network
transport

Commits

rGc3d03672e119: pf: syncookie support
rGba7edb52211a: pf: syncookie support
rG8e1864ed0712: pf: syncookie support

Summary

Import OpenBSD's syncookie support for pf. This feature help pf resist
TCP SYN floods by only creating states once the remote host completes
the TCP handshake rather than when the initial SYN packet is received.

This is accomplished by using the initial sequence numbers to encode a
cookie (hence the name) in the SYN+ACK response and verifying this on
receipt of the client ACK.

Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Modirum MDPay

Diff Detail

Repository

rS FreeBSD src repository - subversion

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 40434
Build 37323: arc lint + arc unit

Event Timeline

kp created this revision.Jul 11 2021, 8:18 AM

Herald added a reviewer: transport. · View Herald TranscriptJul 11 2021, 8:18 AM

Herald added subscribers: melifaro, farrokhi, ae, imp. · View Herald Transcript

kp requested review of this revision.Jul 11 2021, 8:18 AM

Harbormaster completed remote builds in B40434: Diff 92067.Jul 11 2021, 8:18 AM

kp added a child revision: D31139: pf: syncookie ioctl interface.Jul 11 2021, 8:18 AM

kp added a parent revision: D31137: pf: factor out pf_synproxy().Jul 11 2021, 8:18 AM

kbowling accepted this revision.Jul 18 2021, 6:39 AM

This revision is now accepted and ready to land.Jul 18 2021, 6:39 AM

Closed by commit rG8e1864ed0712: pf: syncookie support (authored by kp). · Explain WhyJul 20 2021, 8:37 AM

This revision was automatically updated to reflect the committed changes.

kp added a commit: rG8e1864ed0712: pf: syncookie support.

kp added a commit: rGba7edb52211a: pf: syncookie support.Jul 27 2021, 11:47 AM

kp added a commit: rGc3d03672e119: pf: syncookie support.

Revision Contents
Changeset List

Path

Size

sys/

modules/

pf/

2 lines

net/

34 lines

netinet/

2 lines

netpfil/

pf/

3 lines

129 lines

3 lines

1 line

pf_syncookies.c

350 lines

Diff 92067

sys/modules/pf/Makefile

Loading...

sys/net/pfvar.h

Loading...

sys/netinet/tcp.h

Loading...

sys/netpfil/pf/pf.h

Loading...

sys/netpfil/pf/pf.c

Loading...

sys/netpfil/pf/pf_ioctl.c

Loading...

sys/netpfil/pf/pf_mtag.h

Loading...

sys/netpfil/pf/pf_syncookies.c

Loading...