HardenedBSD/sys/netinet
Warner Losh 173c0f9f5c Mitigate the stream.c attacks
o Drop all broadcast and multicast source addresses in tcp_input.
o Enable ICMP_BANDLIM in GENERIC.
o Change default to 200/s from 100/s.  This will still stop the attack, but
  is conservative enough to do this close to code freeze.

This is not the optimal patch for the problem, but is likely the least
intrusive patch that can be made for this.

Obtained from: Don Lewis and Matt Dillon.
Reviewed by: freebsd-security
2000-01-28 06:13:09 +00:00
libalias Replace beforeinstall target with new variables used by .mk system. 2000-01-14 07:57:47 +00:00
fil.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
icmp6.h
icmp_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
if_atm.c
if_atm.h
if_ether.c
if_ether.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
if_fddi.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
igmp_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
igmp.c
igmp.h
in_cksum.c
in_gif.c
in_gif.h add forward declarations, and small cosmetic changes. 2000-01-15 05:20:40 +00:00
in_hostcache.c
in_hostcache.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_pcb.c
in_pcb.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_proto.c
in_rmx.c
in_systm.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
in.c Change struct sockaddr_storage member name, because following change 2000-01-13 14:52:53 +00:00
in.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip6.h
ip_auth.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_auth.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_compat.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_divert.c prevent kernel panic which happens when either of IPSEC and IPDIVERT 2000-01-08 12:53:48 +00:00
ip_dummynet.c Implement per-flow queueing. Using a single pipe config rule, 2000-01-08 11:24:46 +00:00
ip_dummynet.h Implement per-flow queueing. Using a single pipe config rule, 2000-01-08 11:24:46 +00:00
ip_ecn.c
ip_ecn.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_fil.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_fil.h Apply patches in rev 1.2 and 1.9 that I forgot 2000-01-14 19:48:42 +00:00
ip_flow.c
ip_flow.h
ip_frag.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_frag.h
ip_ftp_pxy.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_fw.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
ip_fw.h Add ipfw hooks for the new dummynet features. 2000-01-08 11:31:43 +00:00
ip_icmp.c Mitigate the stream.c attacks 2000-01-28 06:13:09 +00:00
ip_icmp.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_input.c Move the *intrq variables into net/intrq.c and unconditionally 2000-01-24 20:39:02 +00:00
ip_log.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_mroute.c
ip_mroute.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip_nat.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_nat.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_output.c MGETHDR() does not initialize m_pkthdr.rcvif, do it here. 2000-01-10 18:46:05 +00:00
ip_proxy.c
ip_proxy.h
ip_raudio_pxy.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_rcmd_pxy.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_state.c Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ip_state.h
ip_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
ip.h
ipl.h Bring over ipfilter kernel sources, including merging the local modifications. 2000-01-13 19:01:33 +00:00
ipprotosw.h
mlfk_ipl.c
raw_ip.c
tcp_debug.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_debug.h tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_fsm.h
tcp_input.c Mitigate the stream.c attacks 2000-01-28 06:13:09 +00:00
tcp_output.c Fixed the problem that IPsec connection hangs when bigger data is sent. 2000-01-15 14:56:38 +00:00
tcp_reass.c Mitigate the stream.c attacks 2000-01-28 06:13:09 +00:00
tcp_seq.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
tcp_subr.c Fix the bug that IPv4 ttl is not initialized when AF_INET6 socket is used 2000-01-25 01:05:18 +00:00
tcp_timer.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_timer.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
tcp_timewait.c Fix the bug that IPv4 ttl is not initialized when AF_INET6 socket is used 2000-01-25 01:05:18 +00:00
tcp_usrreq.c tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp_var.h tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcp.h tcp updates to support IPv6. 2000-01-09 19:17:30 +00:00
tcpip.h
udp_usrreq.c
udp_var.h Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL" 1999-12-29 04:46:21 +00:00
udp.h