On Mon, Apr 21, 2014 at 09:39:55PM -0300, Fernando Gont wrote:
> Hi, Loganaden,
>
> NetBSD really had these? I seem to recall that OpenBSD was the only BSD
> variant with these (sensible) knobs.
>
> Thanks,
> Fernando
>
They copied it from OpenBSD in 2012: kernel: Add sysctls to avoid ipv6 DoS attacks (from OpenBSD): net.inet6.ip6.neighborgcthresh = 2048 net.inet6.ip6.maxifprefixes = 16 net.inet6.ip6.maxifdefrouters = 16 net.inet6.ip6.maxdynroutes = 4096 [christos 20120622] > > > > On 04/19/2014 08:04 AM, Loganaden Velvindron wrote: > > Hi All, > > > > I'm taking a short break from playing with pf statistics. > > > > There were 4 sysctls added from KAME, but the man pages weren't updated > > accordingly. > > > > (Adapted from the NetBSD man page changes) > > > > Feedback welcomed. > > > > > > Index: lib/libc/gen/sysctl.3 > > =================================================================== > > RCS file: /cvs/src/lib/libc/gen/sysctl.3,v > > retrieving revision 1.228 > > diff -u -p -u -p -r1.228 sysctl.3 > > --- lib/libc/gen/sysctl.3 21 Jan 2014 03:15:45 -0000 1.228 > > +++ lib/libc/gen/sysctl.3 19 Apr 2014 10:58:30 -0000 > > @@ -1676,11 +1676,15 @@ The currently defined protocols and name > > .It ip6 Ta hdrnestlimit Ta integer Ta yes > > .It ip6 Ta hlim Ta integer Ta yes > > .It ip6 Ta log_interval Ta integer Ta yes > > +.It ip6 Ta maxdynroutes Ta integer Ta yes > > .It ip6 Ta maxfragpackets Ta integer Ta yes > > .It ip6 Ta maxfrags Ta integer Ta yes > > +.It ip6 Ta maxifprefixes Ta integer Ta yes > > +.It ip6 Ta maxifdefrouters Ta integer Ta yes > > .It ip6 Ta mforwarding Ta integer Ta yes > > .It ip6 Ta multicast_mtudisc Ta integer Ta yes > > .It ip6 Ta multipath Ta integer Ta yes > > +.It ip6 Ta neighborgcthresh Ta integer Ta yes > > .It ip6 Ta redirect Ta integer Ta yes > > .It ip6 Ta rr_prune Ta integer Ta yes > > .It ip6 Ta use_deprecated Ta integer Ta yes 
> > @@ -1834,6 +1838,11 @@ IPv6 packet forwarding engine. > > The value indicates the number of > > seconds of interval which must elapse between log output. > > .Pp > > +.It Li ip6.maxdynroutes > > +Maximum number of routes created by redirect. > > +Set it to negative to disable. > > +The default value is 4096. > > +.Pp > > .It Li ip6.maxfragpackets > > The maximum number of fragmented packets the node will accept. > > 0 means that the node will not accept any fragmented packets. > > @@ -1846,6 +1855,17 @@ The maximum number of fragments the node > > \-1 means that the node will accept as many fragments as it receives. > > The flag is provided basically for avoiding possible DoS attacks. > > .Pp > > +.It Li ip6.maxifprefixes > > +Maximum number of prefixes created by route advertisements per interface. > > +Set it to negative to disable. > > +The default value is 16. > > +.Pp > > +.It Li ip6.maxifdefrouters 16 > > +Maximum number of default routers created by route advertisements per > > +interface. > > +Set it to negative to disable. > > +The default value is 16. > > +.Pp > > .It Li ip6.mforwarding > > If set to 1, then multicast forwarding is enabled for the host. > > The default is 0. 
> > @@ -1861,6 +1881,11 @@ If set to 0, the ICMPv6 Too Big message > > This variable enables multipath routing for IPv6 addresses. > > If set to 0, only the first route selected will be used for a given > > destination regardless of how many routes exist in the routing table. > > +.Pp > > +.It Li ip6.neighborgcthresh > > +Maximum number of entries in neighbor cache. > > +Set to negative to disable. > > +The default value is 2048. > > .Pp > > .It Li ip6.redirect > > Returns 1 when ICMPv6 redirects may be sent by the node. > > Index: sbin/sysctl/sysctl.8 > > =================================================================== > > RCS file: /cvs/src/sbin/sysctl/sysctl.8,v > > retrieving revision 1.173 > > diff -u -p -u -p -r1.173 sysctl.8 > > --- sbin/sysctl/sysctl.8 28 Oct 2013 21:02:35 -0000 1.173 > > +++ sbin/sysctl/sysctl.8 19 Apr 2014 10:58:30 -0000 > > @@ -301,10 +301,14 @@ and a few require a kernel compiled with > > .It net.inet6.ip6.use_deprecated Ta integer Ta yes > > .It net.inet6.ip6.rr_prune Ta integer Ta yes > > .It net.inet6.ip6.v6only Ta integer Ta no > > +.It net.inet6.ip6.maxdynroutes Ta integer Ta yes > > .It net.inet6.ip6.maxfrags Ta integer Ta yes > > +.It net.inet6.ip6.maxifprefixes Ta integer Ta yes > > +.It net.inet6.ip6.maxifdefrouters Ta integer Ta yes > > .It net.inet6.ip6.mforwarding Ta integer Ta yes > > .It net.inet6.ip6.multipath Ta integer Ta yes > > .It net.inet6.ip6.multicast_mtudisc Ta integer Ta yes > > +.It net.inet6.ip6.neighborgcthresh Ta integer Ta yes > > .It net.inet6.icmp6.rediraccept Ta integer Ta yes > > .It net.inet6.icmp6.redirtimeout Ta integer Ta yes > > .It net.inet6.icmp6.nd6_prune Ta integer Ta yes > > > > > > > -- > Fernando Gont > e-mail: ferna...@gont.com.ar || fg...@si6networks.com > PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1 > > >
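Review bot: in the sysctl.3 table hunk (`@@ -1676,11 +1676,15 @@`) the surrounding rows are alphabetical, and `maxifdefrouters` sorts before `maxifprefixes`, so the two added rows are in the wrong order; swap them to `+.It ip6 Ta maxifdefrouters Ta integer Ta yes` followed by `+.It ip6 Ta maxifprefixes Ta integer Ta yes`. The `maxdynroutes` and `neighborgcthresh` rows land in the right place.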
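Review bot: in the `ip6.maxdynroutes` hunk (`@@ -1834,6 +1838,11 @@`), "created by redirect" is ambiguous; "created by ICMPv6 redirects" names the mechanism the knob actually bounds. The "Set it to negative to disable" sentence also differs from the convention of the `maxfrags` entry directly below it (`\-1 means that the node will accept as many ...`), and that entry additionally states that the limit exists to avoid DoS; since this cap serves the same purpose, a sentence like "The limit is provided to bound the number of routes a remote sender can create." would make the security intent explicit.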
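Review bot: in the `@@ -1846,6 +1855,17 @@` hunk the line `+.It Li ip6.maxifdefrouters 16` has a stray `16` after the sysctl name; every other entry in this section is `.It Li ip6.<name>` with the default stated in the body (which this entry already does), so it should read `+.It Li ip6.maxifdefrouters`. Two smaller points in the same hunk: both new entries say "route advertisements", but the RFC 4861 term (and the one the knob names refer to) is "router advertisements"; and, as in the table, `maxifdefrouters` should precede `maxifprefixes` to keep the section in alphabetical order.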
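Review bot: in the `ip6.neighborgcthresh` hunk (`@@ -1861,6 +1881,11 @@`) the phrase "Set to negative to disable" should match the "Set it to negative to disable" wording used by the other three new entries, and "entries in neighbor cache" wants the article ("in the neighbor cache"). More importantly, the knob's name says it is a garbage-collection threshold rather than a hard cap: if the kernel reclaims old neighbor cache entries once the count passes this value instead of refusing new ones, the text should say so, because "Maximum number of entries" reads as a hard limit and an administrator sizing a router against neighbor-cache exhaustion needs to know which behaviour to expect.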