Date:      Thu, 31 Jan 2008 01:39:24 +0100 (CET)
From:      Ingo Flaschberger <if@xip.at>
To:        "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
Cc:        freebsd-net@freebsd.org, "Bruce M. Simpson" <bms@FreeBSD.org>
Subject:   Re: tcp-md5 check for incomming connection
Message-ID:  <alpine.LFD.1.00.0801310106400.723@filebunker.xip.at>
In-Reply-To: <20080130083105.S36482@maildrop.int.zabbadoz.net>
References:  <alpine.LFD.1.00.0801291905020.17757@filebunker.xip.at> <479FF09B.4050705@FreeBSD.org> <20080130083105.S36482@maildrop.int.zabbadoz.net>

Dear Bjoern, Bruce,

Looking through Linux, NetBSD and Bruce's old patch
(which works with minimal modification on my FreeBSD 6.2),
I have 3 ideas how MD5 could be integrated.

1) NetBSD method:
	http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_input.c?rev=1.277&content-type=text/x-cvsweb-markup
	Look for TCP_SIGNATURE.
	The main code part is handled in tcp_dooptions.
	They have modified the return value of tcp_dooptions from void to
	int. If MD5 fails, -1 is returned (only MD5 uses this return
	feature) and in tcp_input the return value of
	tcp_dooptions is checked and handled.
	-> for FreeBSD: change the return value of tcp_dooptions and
		add a little logic to the tcp_input function.

2) Linux method:
	Look for CONFIG_TCP_MD5SIG in linux-2.6.24/net/ipv4/tcp_ipv4.c
	(sorry, no weblink.)
	They check and block MD5 packets early in tcp_v4_do_rcv.
	af_inet.c -> tcp_v4_rcv -> tcp_v4_do_rcv
	-> for FreeBSD: place some logic early in the tcp_input function
		and call a new function to check MD5.

3) Bruce's extended method:
	http://lists.freebsd.org/pipermail/freebsd-net/2004-April/003761.html
	Use his code and add similar checks at several places in the
	tcp_input function.

Options:
	*) enable/disable it via sysctl
	*) count total, good and bad packets via sysctl


Kind regards,
	Ingo Flaschberger
	anytwo(tm)
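
The check the thread is discussing, as an added example that is not part of the message above or of any FreeBSD, NetBSD or Linux code: an RFC 2385 TCP-MD5 digest over a constructed TCP segment, with a receive-side check shaped like the NetBSD idea (return -1 on failure so the caller can drop the segment) and the total/good/bad counters a sysctl would export. The function names, the `stats` dictionary and the policy that a signed segment from an unkeyed peer is also rejected are this example's own assumptions.

```python
import hashlib, hmac, socket, struct

TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE = 19, 18   # RFC 2385 option kind / length
stats = {"total": 0, "good": 0, "bad": 0}      # counters a sysctl would expose (assumed)

def _signature_offset(segment):
    """Walk the TCP option list; return the offset of the 16-byte digest or None."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                      # EOL: no further options
            return None
        if kind == 1:                      # NOP: single-byte option
            i += 1
            continue
        if i + 1 >= doff or segment[i + 1] < 2 or i + segment[i + 1] > doff:
            return None                    # truncated or malformed option list
        if kind == TCPOPT_SIGNATURE and segment[i + 1] == TCPOLEN_SIGNATURE:
            return i + 2
        i += segment[i + 1]
    return None

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 order: pseudo-header, fixed TCP header with checksum zeroed
    (options excluded), TCP payload, then the shared key."""
    doff = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    return hashlib.md5(pseudo + fixed + segment[doff:] + key).digest()

def sign_segment(src_ip, dst_ip, segment, key):
    """Fill the digest into an outgoing segment that carries a zeroed option."""
    off = _signature_offset(segment)
    if off is None:
        raise ValueError("segment carries no TCP-MD5 option")
    return segment[:off] + tcp_md5_digest(src_ip, dst_ip, segment, key) + segment[off + 16:]

def check_incoming(src_ip, dst_ip, segment, key):
    """Return 0 to accept, -1 to drop (the tcp_dooptions-style convention).
    Policy assumed here: keyed peer must sign; signature from unkeyed peer is bad."""
    stats["total"] += 1
    off = _signature_offset(segment)
    if key is not None and off is not None:
        ok = hmac.compare_digest(segment[off:off + 16],
                                 tcp_md5_digest(src_ip, dst_ip, segment, key))
    else:
        ok = key is None and off is None
    stats["good" if ok else "bad"] += 1
    return 0 if ok else -1

def build_segment(sport, dport, flags, options, payload=b""):
    """Constructed sample segment: 20-byte header, options padded to 4 bytes, payload."""
    options += b"\x00" * (-len(options) % 4)
    doff = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags, 65535, 0, 0)
    return hdr + options + payload
```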