mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-15 14:56:13 +01:00
77af2b2c85
These kind of drops come for free in the sense that they do not use the filter TCAM or any other resource that wouldn't normally be used during rx. Frames dropped by the hardware get counted in the MAC's rx stats but are not delivered to the driver. hw.cxgbe.attack_filter Set to 1 to enable the "attack filter". Default is 0. The attack filter will drop an incoming frame if any of these conditions is true: src ip/ip6 == dst ip/ip6; tcp and src/dst ip is not unicast; src/dst ip is loopback (127.x.y.z); src ip6 is not unicast; src/dst ip6 is loopback (::1/128) or unspecified (::/128); tcp and src/dst ip6 is mcast (ff00::/8). hw.cxgbe.drop_ip_fragments Set to 1 to drop all incoming IP fragments. Default is 0. Note that this drops valid frames. hw.cxgbe.drop_pkts_with_l2_errors Set to 1 to drop incoming frames with Layer 2 length or checksum errors. Default is 1. hw.cxgbe.drop_pkts_with_l3_errors Set to 1 to drop incoming frames with IP version, length, or checksum errors. Default is 0. hw.cxgbe.drop_pkts_with_l4_errors Set to 1 to drop incoming frames with Layer 4 length, checksum, or other errors. Default is 0. MFC after: 2 weeks Sponsored by: Chelsio Communications |
||
|---|---|---|
| .. | ||
| colldef | ||
| ctypedef | ||
| dict | ||
| doc | ||
| dtrace | ||
| examples | ||
| i18n | ||
| keys | ||
| man | ||
| misc | ||
| mk | ||
| monetdef | ||
| msgdef | ||
| numericdef | ||
| security | ||
| sendmail | ||
| skel | ||
| snmp | ||
| syscons | ||
| tabset | ||
| termcap | ||
| tests | ||
| timedef | ||
| vt | ||
| zoneinfo | ||
| Makefile | ||
| Makefile.inc | ||