author: Herbert Xu <herbert@gondor.apana.org.au> 2005-12-14 02:14:27 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-01-03 16:10:31 -0500
commit: 89cee8b1cbb9dac40c92ef1968aea2b45f82fd18
tree: 01049841b15a9c2f3f136710382c7e4c11c1b1e5 /Documentation/networking/ip-sysctl.txt
parent: d5228a4f49db32d22a39c653281b527ef371129c
[IPV4]: Safer reassembly
Another spin of Herbert Xu's "safer ip reassembly" patch for 2.6.16. (The original patch is here: http://marc.theaimsgroup.com/?l=linux-netdev&m=112281936522415&w=2 and my only contribution is to have tested it.)

This patch (optionally) does additional checks before accepting IP fragments, which can greatly reduce the possibility of reassembling fragments which originated from different IP datagrams.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Arthur Kepner <akepner@sgi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'Documentation/networking/ip-sysctl.txt')
-rw-r--r-- Documentation/networking/ip-sysctl.txt 23
1 files changed, 23 insertions, 0 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index ebc09a159f62..2b7cf19a06ad 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -46,6 +46,29 @@ ipfrag_secret_interval - INTEGER
46 for the hash secret) for IP fragments. 46 for the hash secret) for IP fragments.
47 Default: 600 47 Default: 600
48 48
49ipfrag_max_dist - INTEGER
50 ipfrag_max_dist is a non-negative integer value which defines the
51 maximum "disorder" which is allowed among fragments which share a
52 common IP source address. Note that reordering of packets is
53 not unusual, but if a large number of fragments arrive from a source
54 IP address while a particular fragment queue remains incomplete, it
55 probably indicates that one or more fragments belonging to that queue
56 have been lost. When ipfrag_max_dist is positive, an additional check
57 is done on fragments before they are added to a reassembly queue - if
58 ipfrag_max_dist (or more) fragments have arrived from a particular IP
59 address between additions to any IP fragment queue using that source
60 address, it's presumed that one or more fragments in the queue are
61 lost. The existing fragment queue will be dropped, and a new one
62 started. An ipfrag_max_dist value of zero disables this check.
63
64 Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
65 result in unnecessarily dropping fragment queues when normal
66 reordering of packets occurs, which could lead to poor application
67 performance. Using a very large value, e.g. 50000, increases the
68 likelihood of incorrectly reassembling IP fragments that originate
69 from different IP datagrams, which could result in data corruption.
70 Default: 64
71
49INET peer storage: 72INET peer storage:
50 73
51inet_peer_threshold - INTEGER 74inet_peer_threshold - INTEGER
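
Review bot: In the first paragraph of the new ipfrag_max_dist entry, the phrase "between additions to any IP fragment queue using that source address" is ambiguous: it can be read as counting from the last addition to the queue being checked, or from the last addition to whichever queue for that source was touched most recently. Suggest stating which of the two is meant, and saying explicitly that the count is kept per source address, so every sender that appears behind one address (the text's "common IP source address") contributes to the same count and a small value drops queues sooner for such sources. In the second paragraph only the extremes (1 or 2, 50000) and the default of 64 are given; one sentence on what to weigh when raising the value on paths with heavy reordering would help an administrator pick a setting. The entry also says the value is non-negative but does not say how a negative write is handled; worth documenting whether it is rejected.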