14 * DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
41 * exhaustion. Trigger for the synflood mode is the number of half-open
43 * We leave synflood mode when the number of half-open states - including
44 * in-flight syncookies - drops far enough again
167 nvlpacked = nvlist_pack(nvl, &nv->len);
171 if (nv->size == 0) {
173 } else if (nv->size < nv->len) {
177 error = copyout(nvlpacked, nv->data, nv->len);
199 if (nv->len > pf_ioctl_maxcount)
202 nvlpacked = malloc(nv->len, M_NVLIST, M_WAITOK);
203 error = copyin(nv->data, nvlpacked, nv->len);
207 nvl = nvlist_unpack(nvlpacked, nv->len, 0);
263 pf_synflood_check(struct pf_pdesc *pd)
265 MPASS(pd->proto == IPPROTO_TCP);
268 if (pd->pf_mtag && (pd->pf_mtag->flags & PF_MTAG_FLAG_SYNCOOKIE_RECREATED))
292 pf_syncookie_send(struct pf_pdesc *pd)
297 mss = max(V_tcp_mssdflt, pf_get_mss(pd));
298 iss = pf_syncookie_generate(pd, mss);
299 pf_send_tcp(NULL, pd->af, pd->dst, pd->src, *pd->dport, *pd->sport,
300 iss, ntohl(pd->hdr.tcp.th_seq) + 1, TH_SYN|TH_ACK, 0, mss,
301 0, M_SKIP_FIREWALL | (pd->m->m_flags & M_LOOP), 0, 0,
302 pd->act.rtableid);
310 pf_syncookie_check(struct pf_pdesc *pd)
315 MPASS(pd->proto == IPPROTO_TCP);
318 seq = ntohl(pd->hdr.tcp.th_seq) - 1;
319 ack = ntohl(pd->hdr.tcp.th_ack) - 1;
327 hash = pf_syncookie_mac(pd, cookie, seq);
335 pf_syncookie_validate(struct pf_pdesc *pd)
340 if (! pf_syncookie_check(pd))
343 ack = ntohl(pd->hdr.tcp.th_ack) - 1;
347 atomic_add_64(&V_pf_status.syncookies_inflight[cookie.flags.oddeven], -1);
360 /* do we want to disable syncookies? */
426 pf_syncookie_mac(struct pf_pdesc *pd, union pf_syncookie cookie, uint32_t seq)
432 MPASS(pd->proto == IPPROTO_TCP);
437 switch (pd->af) {
439 SipHash_Update(&ctx, pd->src, sizeof(pd->src->v4));
440 SipHash_Update(&ctx, pd->dst, sizeof(pd->dst->v4));
443 SipHash_Update(&ctx, pd->src, sizeof(pd->src->v6));
444 SipHash_Update(&ctx, pd->dst, sizeof(pd->dst->v6));
450 SipHash_Update(&ctx, pd->sport, sizeof(*pd->sport));
451 SipHash_Update(&ctx, pd->dport, sizeof(*pd->dport));
460 pf_syncookie_generate(struct pf_pdesc *pd, uint16_t mss)
471 for (i = nitems(pf_syncookie_msstab) - 1;
472 pf_syncookie_msstab[i] > mss && i > 0; i--)
477 wscale = pf_get_wscale(pd);
478 for (i = nitems(pf_syncookie_wstab) - 1;
479 pf_syncookie_wstab[i] > wscale && i > 0; i--)
485 hash = pf_syncookie_mac(pd, cookie, ntohl(pd->hdr.tcp.th_seq));
500 pf_syncookie_recreate_syn(struct pf_pdesc *pd)
507 seq = ntohl(pd->hdr.tcp.th_seq) - 1;
508 ack = ntohl(pd->hdr.tcp.th_ack) - 1;
518 return (pf_build_tcp(NULL, pd->af, pd->src, pd->dst, *pd->sport,
519 *pd->dport, seq, 0, TH_SYN, wscale, mss, pd->ttl,
520 (pd->m->m_flags & M_LOOP), 0, PF_MTAG_FLAG_SYNCOOKIE_RECREATED,
521 pd->act.rtableid));