HomeFreeBSD

pf: syncookie support

Description

pf: syncookie support

Import OpenBSD's syncookie support for pf. This feature help pf resist
TCP SYN floods by only creating states once the remote host completes
the TCP handshake rather than when the initial SYN packet is received.

This is accomplished by using the initial sequence numbers to encode a
cookie (hence the name) in the SYN+ACK response and verifying this on
receipt of the client ACK.

Reviewed by: kbowling
Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31138

(cherry picked from commit 8e1864ed07121b479b95d7e3a5931a9e0ffd4713)

Details

Provenance
kpAuthored on May 20 2021, 9:54 AM
Reviewer
kbowling
Differential Revision
D31138: pf: syncookie support
Parents
rG0df576d98e15: pf: factor out pf_synproxy()
Branches
Unknown
Tags
Unknown