Module Name:	src
Committed By:	christos
Date:		Sat Jun 23 03:13:42 UTC 2012

Modified Files:
	src/share/man/man7: sysctl.7

Log Message:
4 new sysctls to avoid ipv6 DoS attacks from OpenBSD

To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/share/man/man7/sysctl.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/share/man/man7/sysctl.7 diff -u src/share/man/man7/sysctl.7:1.72 src/share/man/man7/sysctl.7:1.73 --- src/share/man/man7/sysctl.7:1.72 Fri Jun 22 10:54:35 2012 +++ src/share/man/man7/sysctl.7 Fri Jun 22 23:13:41 2012 @@ -1,4 +1,4 @@ -.\" $NetBSD: sysctl.7,v 1.72 2012/06/22 14:54:35 christos Exp $ +.\" $NetBSD: sysctl.7,v 1.73 2012/06/23 03:13:41 christos Exp $ .\" .\" Copyright (c) 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95 .\" -.Dd June 20, 2012 +.Dd June 22, 2012 .Dt SYSCTL 7 .Os .Sh NAME @@ -1614,9 +1614,13 @@ The currently defined protocols and name .It ip6 log_interval integer yes .It ip6 lowportmax integer yes .It ip6 lowportmin integer yes +.It ip6 maxdynroutes integer yes +.It ip6 maxifprefixes integer yes +.It ip6 maxifdefrouters integer yes .It ip6 maxflows integer yes .It ip6 maxfragpackets integer yes .It ip6 maxfrags integer yes +.It ip6 neighborgcthresh integer yes .It ip6 redirect integer yes .It ip6 rr_prune integer yes .It ip6 use_deprecated integer yes @@ -1715,6 +1719,18 @@ The lowest port number to use for TCP an This cannot be set to less than 0 or greater than 1024, and must be smaller than .Li ip6.lowportmax . +.It Li ip6.maxdynroutes +Maximum number of routes created by redirect. +Set it to negative to disable. +The default value is 4096. +.It Li ip6.maxifprefixes +Maximum number of prefixes created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. +.It Li ip6.maxifdefrouters 16 +Maximum number of default routers created by route advertisements per interface. +Set it to negative to disable. +The default value is 16. .It Li ip6.maxflows IPv6 Fast Forwarding is enabled by default. If set to 0, IPv6 Fast Forwarding is disabled. 
@@ -1731,6 +1747,10 @@ The maximum number of fragments the node 0 means that the node will not accept any fragments. \-1 means that the node will accept as many fragments as it receives. The flag is provided basically for avoiding possible DoS attacks. +.It Li ip6.neighborgcthresh +Maximum number of entries in neighbor cache. +Set to negative to disable. +The default value is 2048. .It Li ip6.redirect If set to 1, ICMPv6 redirects may be sent by the node. This option is ignored unless the node is routing IP packets,
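Review bot: the three new rows in the @@ -1614,9 +1614,13 @@ hunk break the alphabetical order the surrounding table keeps: `ip6 maxflows`, `ip6 maxfragpackets` and `ip6 maxfrags` sort before `ip6 maxifdefrouters` and `ip6 maxifprefixes`, and `maxifdefrouters` sorts before `maxifprefixes`. Keep `.It ip6 maxdynroutes integer yes` where it is, but move the two `maxif*` rows to just after `.It ip6 maxfrags integer yes` with `maxifdefrouters` first; the `ip6 neighborgcthresh` row is already in the right place.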
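Review bot: `.It Li ip6.maxifdefrouters 16` in the @@ -1715,6 +1719,18 @@ hunk carries a stray `16` in the item label; the sibling entries are written `.It Li ip6.maxdynroutes` and `.It Li ip6.maxifprefixes`, and the default is already given in the body (`The default value is 16.`), so the `16` should be dropped from the `.It` line or it will render as part of the sysctl name. The same hunk inserts the descriptions in the order maxdynroutes, maxifprefixes, maxifdefrouters between `ip6.lowportmax` and `ip6.maxflows`; they should follow the same ordering as the table in the NAME list, so `ip6.maxifdefrouters` should precede `ip6.maxifprefixes` and both should come after the `ip6.maxfrags` entry rather than before `ip6.maxflows`.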
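Review bot: the `ip6.neighborgcthresh` entry in the @@ -1731,6 +1747,10 @@ hunk states the cap and the default but not what the kernel does with the neighbor cache once the threshold is reached; the `maxfrags` text directly above spells out its limit behaviour (`0 means that the node will not accept any fragments.`) and its purpose (`The flag is provided basically for avoiding possible DoS attacks.`), so a sentence on how excess entries are handled, plus the DoS-limiting rationale that the log message gives for all four knobs, would make the entry usable. Also use the same `Set it to negative to disable.` wording as the other three new entries instead of `Set to negative to disable.`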