K 10
svn:author
V 6
jesper
K 8
svn:date
V 27
2001-06-16T23:48:11.000000Z
K 7
svn:log
V 925
MFC

src/sys/netinet/ip_input.c rev 1.169 and 1.170
src/sys/netinet6/frag6.c rev 1.7
src/sys/netinet6/in6_proto.c rev 1.13

Prevent denial of service using bogus fragmented IPv4 packets.
An attacker sending a lot of bogus fragmented packets to the target
(with different IPv4 identification field - ip_id), may be able
to put the target machine into mbuf starvation state.

By setting an upper limit on the number of reassembly queues we
prevent this situation.

This upper limit is controlled by the new sysctl
net.inet.ip.maxfragpackets which defaults to nmbclusters/4

If you want old behaviour (no upper limit) set this sysctl
to a negative value.

If you don't want to accept any fragments (not recommended)
set the sysctl to 0 (zero)

Change the default value of net.inet6.ip6.maxfragpackets from
200 to nmbclusters/4 to match the IPv4 case.

Obtained from: NetBSD (partially)
END