Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/icmp_var.h | 1 | ||||
-rw-r--r-- | sys/netinet/ip_icmp.c | 2 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 7 | ||||
-rw-r--r-- | sys/netinet/tcp_stacks/bbr.c | 4 | ||||
-rw-r--r-- | sys/netinet/tcp_stacks/rack.c | 4 | ||||
-rw-r--r-- | sys/netinet/tcp_subr.c | 8 |
6 files changed, 16 insertions, 10 deletions
diff --git a/sys/netinet/icmp_var.h b/sys/netinet/icmp_var.h
index d6b75e482e35..b39479565bd6 100644
--- a/sys/netinet/icmp_var.h
+++ b/sys/netinet/icmp_var.h
@@ -100,7 +100,6 @@ void kmod_icmpstat_inc(int statnum);
 SYSCTL_DECL(_net_inet_icmp);
 extern int badport_bandlim(int);
-#define BANDLIM_UNLIMITED -1
 #define BANDLIM_ICMP_UNREACH 0
 #define BANDLIM_ICMP_ECHO 1
 #define BANDLIM_ICMP_TSTAMP 2
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 71b75d18efd0..543b846fbba5 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1181,7 +1181,7 @@ badport_bandlim(int which)
 {
 int64_t pps;
- if (V_icmplim == 0 || which == BANDLIM_UNLIMITED)
+ if (V_icmplim == 0)
 return (0);
 KASSERT(which >= 0 && which < BANDLIM_MAX,
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index d58cc69b7625..d392cbe09950 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1134,7 +1134,7 @@ tfo_socket_result:
 V_tcp_sc_rst_sock_fail ? "sending RST" : "try again");
 if (V_tcp_sc_rst_sock_fail) {
- rstreason = BANDLIM_UNLIMITED;
+ rstreason = BANDLIM_TCP_RST;
 goto dropwithreset;
 } else
 goto dropunlock;
@@ -1568,7 +1568,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 */
 if ((tp->t_state == TCPS_SYN_SENT) && (thflags & TH_ACK) &&
 (SEQ_LEQ(th->th_ack, tp->iss) || SEQ_GT(th->th_ack, tp->snd_max))) {
- rstreason = BANDLIM_UNLIMITED;
+ rstreason = BANDLIM_TCP_RST;
 tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
 goto dropwithreset;
 }
@@ -2218,7 +2218,6 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 SEQ_LT(th->th_seq, tp->last_ack_sent + tp->rcv_wnd)) {
 tcp_log_end_status(tp, TCP_EI_STATUS_RST_IN_FRONT);
 tp = tcp_drop(tp, ECONNRESET);
- rstreason = BANDLIM_UNLIMITED;
 } else {
 tcp_ecn_input_syn_sent(tp, thflags, iptos);
 tcp_send_challenge_ack(tp, th, m);
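Review bot: Removing the `which == BANDLIM_UNLIMITED` shortcut leaves the `KASSERT(which >= 0 && which < BANDLIM_MAX, ...)` on the hunk's last line as the only guard against an out-of-range `which`, and KASSERT compiles away in kernels built without INVARIANTS, so a stale out-of-tree caller still passing -1 would run the rest of badport_bandlim() with an invalid value (the body continues past the hunk, so what `which` selects there is not visible here). If it indexes a per-type counter, I would make the range check unconditional and keep the assertion for debug kernels: `if (V_icmplim == 0 || which < 0 || which >= BANDLIM_MAX) return (0);`. Returning 0 for a bad value reproduces the old unlimited behaviour rather than reading outside the table.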
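Review bot: The RST emitted when the syncache completes a handshake but cannot allocate the socket is now drawn from the shared `BANDLIM_TCP_RST` budget instead of being sent unconditionally, so under sustained socket exhaustion some peers whose handshake already finished get neither a socket nor a reset and will wait on a half-open connection until their own timers expire. That trade is defensible, since whatever exhausted the socket limit should not also earn an unlimited RST stream, but it changes what the sysctl behind V_tcp_sc_rst_sock_fail promises and the hunk does not say so. I would add above the assignment: `/* Rate-limited like any other RST; under load the peer may get no reset at all. */`. The enclosing code begins before and continues after the hunk.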
@@ -2347,7 +2346,7 @@ tcp_do_segment(struct tcpcb *tp, struct mbuf *m, struct tcphdr *th,
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
 TCPSTAT_INC(tcps_rcvafterclose);
- rstreason = BANDLIM_UNLIMITED;
+ rstreason = BANDLIM_TCP_RST;
 goto dropwithreset;
 }
diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c
index ce4e9f30020c..f2960ab9c636 100644
--- a/sys/netinet/tcp_stacks/bbr.c
+++ b/sys/netinet/tcp_stacks/bbr.c
@@ -7863,7 +7863,7 @@ nothing_left:
 /* tcp_close will kill the inp pre-log the Reset */
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 BBR_STAT_INC(bbr_dropped_af_data);
 return (1);
 }
@@ -9405,7 +9405,7 @@ close_now:
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
 KMOD_TCPSTAT_INC(tcps_rcvafterclose);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 return (1);
 }
 if (sbavail(&so->so_snd) == 0)
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index d6bbfeb886d9..2dfcad84ad99 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -12038,7 +12038,7 @@ rack_process_ack(struct mbuf *m, struct tcphdr *th, struct socket *so,
 /* tcp_close will kill the inp pre-log the Reset */
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, tlen);
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, tlen);
 return (1);
 }
 }
@@ -13518,7 +13518,7 @@ rack_check_data_after_close(struct mbuf *m,
 tcp_log_end_status(tp, TCP_EI_STATUS_SERVER_RST);
 tp = tcp_close(tp);
 KMOD_TCPSTAT_INC(tcps_rcvafterclose);
- ctf_do_dropwithreset(m, tp, th, BANDLIM_UNLIMITED, (*tlen));
+ ctf_do_dropwithreset(m, tp, th, BANDLIM_TCP_RST, (*tlen));
 return (1);
 }
 if (sbavail(&so->so_snd) == 0)
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 26e7e53d540c..1fce7c591639 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -82,6 +82,7 @@
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/ip_var.h>
+#include <netinet/icmp_var.h>
 #ifdef INET6
 #include <netinet/icmp6.h>
 #include <netinet/ip6.h>
@@ -2156,6 +2157,13 @@ tcp_send_challenge_ack(struct tcpcb *tp, struct tcphdr *th, struct mbuf *m)
 sbintime_t now;
 bool send_challenge_ack;
+ /*
+ * The sending of a challenge ACK could be triggered by a blind attacker
+ * to detect an existing TCP connection. To mitigate that, increment
+ * also the global counter which would be incremented if the attacker
+ * would have guessed wrongly.
+ */
+ (void)badport_bandlim(BANDLIM_TCP_RST);
 if (V_tcp_ack_war_time_window == 0 || V_tcp_ack_war_cnt == 0) {
 /* ACK war protection is disabled. */
 send_challenge_ack = true;
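Review bot: The new `#include <netinet/icmp_var.h>` is appended after `<netinet/ip_var.h>`, which breaks the sorted order the neighbouring INET includes follow (`ip.h`, `ip_icmp.h`, `ip_var.h`); it belongs ahead of `<netinet/ip.h>`, after whatever `in_*.h` headers precede the hunk, which I cannot see here. Purely cosmetic, no functional effect.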
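Review bot: The `(void)` on `badport_bandlim(BANDLIM_TCP_RST)` is load-bearing — the call exists only to advance the same counter the dropwithreset paths advance for a wrong guess, and the challenge ACK must still be sent even when that counter says the RST budget is exhausted — but the new comment explains only the first half, so a later reader may "fix" the discarded return by suppressing the ACK and defeat both the RFC 5961 behaviour and this mitigation. I would extend the comment with: `Its return value is deliberately ignored: the challenge ACK itself is never suppressed by the ICMP/RST rate limit, only the shared counter is advanced.` Two things the hunk cannot show and that are worth confirming: that badport_bandlim() charges the bucket on every call rather than only when the caller acts on its result (the ip_icmp.c hunk shows the V_icmplim == 0 early return but not the accounting), and that ip_icmp.c is still linked into INET6-only kernels, otherwise this call needs an INET guard or a stub. Note also that a stream of out-of-window segments to an established connection now consumes the system-wide RST budget, so legitimate resets to closed ports can be starved by it; that coupling is the point of the change, but it deserves a sentence in the comment. The function continues past the hunk.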