pf: syncookie support

Import OpenBSD's syncookie support for pf. This feature help pf resist TCP SYN floods by only creating states once the remote host completes the TCP handshake rather than when the initial SYN packet is received. This is accomplished by using the initial sequence numbers to encode a cookie (hence the name) in the SYN+ACK response and verifying this on receipt of the client ACK. Reviewed by: kbowling Obtained from: OpenBSD MFC after: 1 week Sponsored by: Modirum MDPay Differential Revision: https://reviews.freebsd.org/D31138
2021-05-20 11:54:41 +02:00 · 2021-05-20 11:54:41 +02:00 · 5260d10c98
parent b89c5a3e88
commit 5260d10c98
1 changed files with 2 additions and 0 deletions
--- a/newlib/libc/sys/rtems/include/netinet/tcp.h
+++ b/newlib/libc/sys/rtems/include/netinet/tcp.h
@ -105,6 +105,8 @@ struct tcphdr {
 #define	TCPOPT_FAST_OPEN	34
 #define	   TCPOLEN_FAST_OPEN_EMPTY	2

+#define	MAX_TCPOPTLEN		40	/* Absolute maximum TCP options len */
+
 /* Miscellaneous constants */
 #define	MAX_SACK_BLKS	6	/* Max # SACK blocks stored at receiver side */
 #define	TCP_MAX_SACK	4	/* MAX # SACKs sent in any segment */