[newlib 55/65] pf: syncookie support

Sebastian Huber sebastian.huber at embedded-brains.de
Thu Jul 7 11:59:02 UTC 2022


From: Kristof Provost <kp at FreeBSD.org>

Import OpenBSD's syncookie support for pf. This feature helps pf resist
TCP SYN floods by only creating states once the remote host completes
the TCP handshake rather than when the initial SYN packet is received.

This is accomplished by using the initial sequence numbers to encode a
cookie (hence the name) in the SYN+ACK response and verifying this on
receipt of the client ACK.

Reviewed by:	kbowling
Obtained from:	OpenBSD
MFC after:	1 week
Sponsored by:	Modirum MDPay
Differential Revision:	https://reviews.freebsd.org/D31138
---
 newlib/libc/sys/rtems/include/netinet/tcp.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/newlib/libc/sys/rtems/include/netinet/tcp.h b/newlib/libc/sys/rtems/include/netinet/tcp.h
index 45bece9fa..a79dbeaad 100644
--- a/newlib/libc/sys/rtems/include/netinet/tcp.h
+++ b/newlib/libc/sys/rtems/include/netinet/tcp.h
@@ -105,6 +105,8 @@ struct tcphdr {
 #define	TCPOPT_FAST_OPEN	34
 #define	   TCPOLEN_FAST_OPEN_EMPTY	2
 
+#define	MAX_TCPOPTLEN		40	/* Absolute maximum TCP options len */
+
 /* Miscellaneous constants */
 #define	MAX_SACK_BLKS	6	/* Max # SACK blocks stored at receiver side */
 #define	TCP_MAX_SACK	4	/* MAX # SACKs sent in any segment */
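Review bot: The new MAX_TCPOPTLEN definition is inserted above the "/* Miscellaneous constants */" comment, so it ends up grouped with the TCPOPT_*/TCPOLEN_* option-kind definitions even though it is a whole-header limit like MAX_SACK_BLKS and TCP_MAX_SACK; consider placing it under that comment next to those two. The value itself is right (60-byte maximum TCP header minus the 20-byte fixed part), but since this newlib change consists only of this one macro while the message describes the pf kernel feature, a short note on why the RTEMS header needs the constant (which consumer of netinet/tcp.h references it) would help the next reader.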
-- 
2.35.3
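To make the mechanism in the commit message concrete, here is an added example of a SYN cookie generator and verifier. It is illustration code written for this page, not pf's or OpenBSD's implementation: the cookie layout (2 bits of MSS index, 6 bits of a 64-second counter, 24 bits of keyed MAC in the 32-bit ISN), the MSS table, the use of SipHash-2-4 as the MAC, the struct flow shape and the demo flow and key are all assumptions chosen for the example. The point it demonstrates is the one the message states: the server keeps no state for the SYN, answers with an ISN that is a MAC over the flow, and creates state only if the client's ACK returns that ISN plus one within the accepted time window.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Illustrative SYN cookie scheme (not pf's real layout). Cookie = server ISN:
 *   bits 31..30  MSS table index          bits 29..24  64 s counter mod 64
 *   bits 23..0   truncated keyed MAC over the 4-tuple, client ISN, counter, index */

#define ROTL64(x, b) ((uint64_t)(((x) << (b)) | ((x) >> (64 - (b)))))
#define SIPROUND do { \
        v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
        v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
        v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
        v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); \
    } while (0)

/* SipHash-2-4 as the keyed hash (64-bit words loaded in host order). */
static uint64_t siphash24(const uint8_t *in, size_t len, const uint8_t key[16])
{
    uint64_t k0, k1, v0, v1, v2, v3, m, b;
    size_t i;

    memcpy(&k0, key, 8);
    memcpy(&k1, key + 8, 8);
    v0 = 0x736f6d6570736575ULL ^ k0;
    v1 = 0x646f72616e646f6dULL ^ k1;
    v2 = 0x6c7967656e657261ULL ^ k0;
    v3 = 0x7465646279746573ULL ^ k1;
    for (i = 0; i + 8 <= len; i += 8) {
        memcpy(&m, in + i, 8);
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    b = (uint64_t)len << 56;                 /* final block: tail bytes + length */
    for (size_t j = 0; i + j < len; j++)
        b |= (uint64_t)in[i + j] << (8 * j);
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff;
    SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

struct flow {
    uint32_t saddr, daddr;     /* IPv4 addresses as carried in the packet */
    uint16_t sport, dport;
    uint32_t client_isn;       /* SEQ of the SYN; on verify, ACK's SEQ minus 1 */
};

static const uint16_t mss_table[4] = { 536, 1220, 1440, 1460 };  /* assumed */

static uint32_t cookie_mac(const struct flow *f, uint32_t count, unsigned mssidx,
                           const uint8_t key[16])
{
    uint8_t buf[4 + 4 + 2 + 2 + 4 + 4 + 1], *p = buf;   /* serialize, no padding */

    memcpy(p, &f->saddr, 4); p += 4;
    memcpy(p, &f->daddr, 4); p += 4;
    memcpy(p, &f->sport, 2); p += 2;
    memcpy(p, &f->dport, 2); p += 2;
    memcpy(p, &f->client_isn, 4); p += 4;
    memcpy(p, &count, 4); p += 4;
    *p = (uint8_t)mssidx;
    return (uint32_t)(siphash24(buf, sizeof buf, key) & 0xFFFFFFu);
}

/* Server side of the SYN: compute the ISN for the SYN+ACK; nothing is stored. */
uint32_t syncookie_generate(const struct flow *f, uint16_t mss, uint32_t now_sec,
                            const uint8_t key[16])
{
    unsigned mssidx = 0;                       /* largest table entry <= peer MSS */
    uint32_t count = (now_sec >> 6) & 0x3f;

    for (int i = 3; i > 0; i--)
        if (mss >= mss_table[i]) { mssidx = i; break; }
    return ((uint32_t)mssidx << 30) | (count << 24) | cookie_mac(f, count, mssidx, key);
}

/* Server side of the ACK: returns the MSS to use for the new state, 0 to drop. */
uint16_t syncookie_check(const struct flow *f, uint32_t ack, uint32_t now_sec,
                         const uint8_t key[16])
{
    uint32_t cookie = ack - 1;                 /* a valid client ACKs our ISN + 1 */
    unsigned mssidx = cookie >> 30;
    uint32_t count = (cookie >> 24) & 0x3f;
    uint32_t age = (((now_sec >> 6) & 0x3f) - count) & 0x3f;

    if (age > 1)                               /* only current and previous window */
        return 0;
    if ((cookie & 0xFFFFFFu) != cookie_mac(f, count, mssidx, key))
        return 0;                              /* forged, corrupted or other flow */
    return mss_table[mssidx];
}

/* Constructed sample key and flows for the demo (not captured traffic). */
static const uint8_t demo_key[16] = { 0x0b, 0xad, 0xca, 0xfe, 0xde, 0xad, 0xbe, 0xef,
                                      0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
static const struct flow demo_flow  = { 0xc0a80102u, 0xc0a80101u, 40000, 443, 0x11223344u };
static const struct flow demo_other = { 0xc0a80102u, 0xc0a80101u, 40001, 443, 0x11223344u };

int main(void)
{
    uint32_t isn = syncookie_generate(&demo_flow, 1460, 1000, demo_key);
    printf("SYN+ACK ISN (cookie): 0x%08x\n", isn);
    printf("ACK now:       mss=%u\n", (unsigned)syncookie_check(&demo_flow, isn + 1, 1000, demo_key));
    printf("ACK 200s late: mss=%u\n", (unsigned)syncookie_check(&demo_flow, isn + 1, 1200, demo_key));
    printf("ACK off by 1:  mss=%u\n", (unsigned)syncookie_check(&demo_flow, isn + 2, 1000, demo_key));
    return 0;
}
```

Two caveats the code makes visible: the only per-connection information that survives in a cookie is what fits in the ISN bits (here a coarse MSS), which is why real implementations also have to round window scale and SACK support down to a few encodable values; and the counter window bounds how long a captured cookie can be replayed against a given 4-tuple and secret, so the secret must rotate and any options negotiated in the SYN that are not encoded are simply lost.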
