Module Name:    src
Committed By:   rmind
Date:           Fri Jul 25 20:07:32 UTC 2014

Modified Files:
        src/sys/net/npf: npf_state_tcp.c

Log Message:
npf_tcp_inwindow: enable strict RST check by default.


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/sys/net/npf/npf_state_tcp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/npf/npf_state_tcp.c
diff -u src/sys/net/npf/npf_state_tcp.c:1.15 src/sys/net/npf/npf_state_tcp.c:1.16
--- src/sys/net/npf/npf_state_tcp.c:1.15	Sun Jul 20 00:37:41 2014
+++ src/sys/net/npf/npf_state_tcp.c	Fri Jul 25 20:07:32 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_state_tcp.c,v 1.15 2014/07/20 00:37:41 rmind Exp $	*/
+/*	$NetBSD: npf_state_tcp.c,v 1.16 2014/07/25 20:07:32 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.15 2014/07/20 00:37:41 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_state_tcp.c,v 1.16 2014/07/25 20:07:32 rmind Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -89,7 +89,7 @@ static u_int npf_tcp_timeouts[] __read_m
 	[NPF_TCPS_TIME_WAIT]	= 60 * 2 * 2,
 };
 
-static bool npf_strict_order_rst __read_mostly = false;
+static bool npf_strict_order_rst __read_mostly = true;
 
 #define	NPF_TCP_MAXACKWIN	66000
 
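Review bot: `npf_strict_order_rst` now defaults to true but still has no comment saying what it gates, and as a file-local `static` it shows no switch in this hunk for an operator who needs the previous behaviour. A comment above the declaration would help, for example `/* Reject RST segments whose SEQ is not within one of the tracked sequence end; see npf_tcp_inwindow(). */`. If a run-time tunable for it exists elsewhere in the file, that comment should name it. If none exists, a peer whose legitimate RST is rejected presumably leaves the state entry to expire by timeout, which is worth documenting next to the flag.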
@@ -395,7 +395,7 @@ npf_tcp_inwindow(npf_cache_t *npc, npf_s
 			seq = end;
 		}
 
-		/* Strict in-order sequence for RST packets. */
+		/* Strict in-order sequence for RST packets (RFC 5961). */
 		if (npf_strict_order_rst && (fstate->nst_end - seq) > 1) {
 			return false;
 		}
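Review bot: The updated comment cites RFC 5961, but the condition `(fstate->nst_end - seq) > 1` accepts a difference of 0 or 1, whereas that RFC accepts a RST only on an exact match with the next expected sequence number and answers other in-window values with a challenge ACK. The comment should state the tolerance and the reason for it, for example `/* Strict in-order SEQ for RST (cf. RFC 5961); a difference of one is tolerated. */`. Rejecting a SEQ that lies ahead of `nst_end` relies on the subtraction wrapping, which holds only if both operands are unsigned; their declarations are outside the hunk. The enclosing block of npf_tcp_inwindow() begins before the hunk and continues after it.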
