[IPV4]: Safer reassembly

Another spin of Herbert Xu's "safer ip reassembly" patch for 2.6.16. (The original patch is here: http://marc.theaimsgroup.com/?l=linux-netdev&m=112281936522415&w=2 and my only contribution is to have tested it.) This patch (optionally) does additional checks before accepting IP fragments, which can greatly reduce the possibility of reassembling fragments which originated from different IP datagrams. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Arthur Kepner <akepner@sgi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2005-12-14 02:14:27 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-01-03 16:10:31 -0500
commit: 89cee8b1cbb9dac40c92ef1968aea2b45f82fd18 (patch)
tree: 01049841b15a9c2f3f136710382c7e4c11c1b1e5 /Documentation/networking
parent: d5228a4f49db32d22a39c653281b527ef371129c (diff)
1 files changed, 23 insertions, 0 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index ebc09a159f62..2b7cf19a06ad 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -46,6 +46,29 @@ ipfrag_secret_interval - INTEGER
        for the hash secret) for IP fragments.
        Default: 600
+ipfrag_max_dist - INTEGER
+        ipfrag_max_dist is a non-negative integer value which defines the 
+        maximum "disorder" which is allowed among fragments which share a 
+        common IP source address. Note that reordering of packets is 
+        not unusual, but if a large number of fragments arrive from a source 
+        IP address while a particular fragment queue remains incomplete, it 
+        probably indicates that one or more fragments belonging to that queue 
+        have been lost. When ipfrag_max_dist is positive, an additional check 
+        is done on fragments before they are added to a reassembly queue - if 
+        ipfrag_max_dist (or more) fragments have arrived from a particular IP 
+        address between additions to any IP fragment queue using that source 
+        address, it's presumed that one or more fragments in the queue are 
+        lost. The existing fragment queue will be dropped, and a new one 
+        started. An ipfrag_max_dist value of zero disables this check.
+        Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
+        result in unnecessarily dropping fragment queues when normal
+        reordering of packets occurs, which could lead to poor application 
+        performance. Using a very large value, e.g. 50000, increases the 
+        likelihood of incorrectly reassembling IP fragments that originate 
+        from different IP datagrams, which could result in data corruption.
+        Default: 64
 INET peer storage:
 inet_peer_threshold - INTEGER
author	Herbert Xu <herbert@gondor.apana.org.au>	2005-12-14 02:14:27 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-01-03 16:10:31 -0500
commit	89cee8b1cbb9dac40c92ef1968aea2b45f82fd18 (patch)
tree	01049841b15a9c2f3f136710382c7e4c11c1b1e5 /Documentation/networking
parent	d5228a4f49db32d22a39c653281b527ef371129c (diff)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index ebc09a159f62..2b7cf19a06ad 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt
@@ -46,6 +46,29 @@ ipfrag_secret_interval - INTEGER
46	for the hash secret) for IP fragments.	46	for the hash secret) for IP fragments.
47	Default: 600	47	Default: 600
48		48
		49	ipfrag_max_dist - INTEGER
		50	ipfrag_max_dist is a non-negative integer value which defines the
		51	maximum "disorder" which is allowed among fragments which share a
		52	common IP source address. Note that reordering of packets is
		53	not unusual, but if a large number of fragments arrive from a source
		54	IP address while a particular fragment queue remains incomplete, it
		55	probably indicates that one or more fragments belonging to that queue
		56	have been lost. When ipfrag_max_dist is positive, an additional check
		57	is done on fragments before they are added to a reassembly queue - if
		58	ipfrag_max_dist (or more) fragments have arrived from a particular IP
		59	address between additions to any IP fragment queue using that source
		60	address, it's presumed that one or more fragments in the queue are
		61	lost. The existing fragment queue will be dropped, and a new one
		62	started. An ipfrag_max_dist value of zero disables this check.
		63
		64	Using a very small value, e.g. 1 or 2, for ipfrag_max_dist can
		65	result in unnecessarily dropping fragment queues when normal
		66	reordering of packets occurs, which could lead to poor application
		67	performance. Using a very large value, e.g. 50000, increases the
		68	likelihood of incorrectly reassembling IP fragments that originate
		69	from different IP datagrams, which could result in data corruption.
		70	Default: 64
		71
49	INET peer storage:	72	INET peer storage:
50		73
51	inet_peer_threshold - INTEGER	74	inet_peer_threshold - INTEGER