Subject: Re: Fragment queue size?
To: Paul Hoffman <phoffman@proper.com>
From: Perry E. Metzger <perry@wasabisystems.com>
List: tech-security
Date: 04/20/2002 12:30:42
Paul Hoffman <phoffman@proper.com> writes:
> At 11:44 AM +0900 4/20/02, itojun@iijlab.net wrote:
> > >How do I determine how large the queue is for fragmented IP packets
> > >on my system? Is that number changeable?
> >
> > sysctl MIB net.inet.ip.maxfragpackets is the maximum allowable
> > reassembly queue size (counted by # of original packets, I guess).
> > to get the current queue size, you need to use kmem to see
> > variable "ip_nfragpackets" (sys/netinet/ip_input.c).
>
> Thanks! If I wanted to make my system more resistant to DoS attacks,
> could I set this maximum higher in this file and rebuild the kernel?
I don't know that this would be a great idea. Fragmented packets are
very rare in "real life" -- if you are getting huge numbers of them,
they're almost certainly bogus and you shouldn't be trying to keep
them around.
--
Perry E. Metzger perry@wasabisystems.com
--
NetBSD: The right OS for your embedded design. http://www.wasabisystems.com/
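A toy model of the queue being discussed, added here as an illustration; this is not NetBSD's ip_input.c code, and the names (MAXFRAGPACKETS, ipq, frag_input, frag_expire, frag_flood) are this example's own stand-ins for the real sysctl and kernel variable. It shows what "counted by # of original packets" means in practice: each distinct (source, IP ID) with at least one fragment outstanding occupies one slot until it completes or expires, so a flood of first fragments that never complete fills the queue and legitimate fragmented packets are refused until the stale entries time out. Raising the cap only changes how many bogus entries it takes.

```c
/* Added example (not NetBSD's code): a simplified IP reassembly queue
 * bounded by a maxfragpackets-style limit. Overlap, bounds and
 * per-source checks are deliberately omitted; this models the queue only. */
#include <stdint.h>
#include <string.h>
#include <time.h>

#define MAXFRAGPACKETS 8      /* stand-in for net.inet.ip.maxfragpackets */
#define FRAG_TTL 30           /* seconds before an incomplete packet is dropped */

enum frag_result { FRAG_QUEUE_FULL = -1, FRAG_PENDING = 0, FRAG_COMPLETE = 1 };

struct fragq {
    int in_use;
    uint32_t src;        /* source address of the original packet */
    uint16_t id;         /* IP identification field */
    uint16_t have;       /* payload bytes received so far */
    uint16_t total;      /* total length, known once the MF == 0 fragment arrives */
    int last_seen;       /* has the fragment with MF == 0 been seen? */
    time_t first_seen;   /* for expiry */
};

static struct fragq ipq[MAXFRAGPACKETS];
static int ip_nfragpackets;   /* stand-in for the kernel's ip_nfragpackets */

int frag_queue_len(void) { return ip_nfragpackets; }

static struct fragq *frag_find(uint32_t src, uint16_t id)
{
    for (int i = 0; i < MAXFRAGPACKETS; i++)
        if (ipq[i].in_use && ipq[i].src == src && ipq[i].id == id)
            return &ipq[i];
    return NULL;
}

static void frag_free(struct fragq *q)
{
    memset(q, 0, sizeof *q);
    ip_nfragpackets--;
}

/* Drop every incomplete packet older than FRAG_TTL; returns the count dropped. */
int frag_expire(time_t now)
{
    int dropped = 0;
    for (int i = 0; i < MAXFRAGPACKETS; i++)
        if (ipq[i].in_use && now - ipq[i].first_seen >= FRAG_TTL) {
            frag_free(&ipq[i]);
            dropped++;
        }
    return dropped;
}

/* Feed one fragment: source, IP ID, payload offset and length, MF flag. */
enum frag_result frag_input(uint32_t src, uint16_t id, uint16_t off,
                            uint16_t len, int more, time_t now)
{
    struct fragq *q = frag_find(src, id);
    if (q == NULL) {
        if (ip_nfragpackets >= MAXFRAGPACKETS)
            return FRAG_QUEUE_FULL;   /* the DoS effect: new packets are refused */
        for (int i = 0; i < MAXFRAGPACKETS; i++)
            if (!ipq[i].in_use) { q = &ipq[i]; break; }
        q->in_use = 1; q->src = src; q->id = id; q->first_seen = now;
        ip_nfragpackets++;
    }
    q->have += len;
    if (!more) { q->last_seen = 1; q->total = off + len; }
    if (q->last_seen && q->have == q->total) {
        frag_free(q);            /* reassembled: would go to the upper layer */
        return FRAG_COMPLETE;
    }
    return FRAG_PENDING;
}

/* Constructed attack traffic: n first fragments with distinct IDs and never
 * the remainder. Returns how many entered the queue. */
int frag_flood(uint32_t attacker, int n, time_t now)
{
    int accepted = 0;
    for (int i = 0; i < n; i++)
        if (frag_input(attacker, (uint16_t)i, 0, 8, 1, now) != FRAG_QUEUE_FULL)
            accepted++;
    return accepted;
}
```

With the cap at 8, frag_flood() from one address fills all slots, a legitimate two-fragment packet from another host is refused with FRAG_QUEUE_FULL, and only after frag_expire() has reaped the stale entries does it reassemble. The expiry timer, not the queue size, is what bounds how long an attacker can keep the queue full.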