path: root/sys/netinet/tcp_syncache.h
authorGleb Smirnoff <glebius@FreeBSD.org>2021-03-19 07:22:36 +0000
committerGleb Smirnoff <glebius@FreeBSD.org>2021-04-15 22:26:48 +0000
commitcb8d7c44d6acd4f7f6be7f8b762315260f70d896 (patch)
tree0a84fa93f1703164c2c35ea49c672d1114125e1e /sys/netinet/tcp_syncache.h
parent34256484aff285f460a98c089b030228448fe19f (diff)
downloadsrc-cb8d7c44d6acd4f7f6be7f8b762315260f70d896.tar.gz
src-cb8d7c44d6acd4f7f6be7f8b762315260f70d896.zip
tcp_syncache: add net.inet.tcp.syncache.see_other sysctl
A security feature from c06f087ccb12 turned out to be a huge bottleneck under SYN flood. To mitigate that, add a sysctl that makes syncache(4) globally visible, ignoring the UID/GID, jail(2) and mac(4) checks. When it is turned on, we no longer need to call crhold() on the listening socket's credential for every incoming SYN packet. Reviewed by: bz
Diffstat (limited to 'sys/netinet/tcp_syncache.h')
-rw-r--r--sys/netinet/tcp_syncache.h1
1 files changed, 1 insertions, 0 deletions
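--- a/sys/netinet/tcp_syncache.h
+++ b/sys/netinet/tcp_syncache.h
@@ -134,6 +134,7 @@ struct tcp_syncache {
 time_t pause_until;
 uint8_t pause_backoff;
 volatile bool paused;
+ bool see_other;
 };
 /* Internal use for the syncookie functions. */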
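Review bot: The new `see_other` member added at line 27 has no comment, yet per the commit description it switches off the UID/GID, jail(2) and mac(4) visibility checks for the whole syncache, which is a deliberate weakening of isolation that a reader of this header cannot see from the field alone. Suggest `bool see_other; /* Skip cred/jail/MAC visibility checks on incoming SYNs (sysctl knob); trades tenant isolation for SYN-flood throughput. */`. It also sits next to `volatile bool paused` with no qualifier of its own; if it is read lock-free on the SYN receive path and written from a sysctl handler, as the description implies, the intended access pattern is worth a one-line note so the next maintainer does not assume it is lock-protected. The enclosing `struct tcp_syncache` starts before the hunk, and the sysctl definition and the bypass logic live in files outside this diffstat, so they cannot be checked here.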