Allow to adjust tcp_syn_use_limit with sysctl net.inet.tcp.synuselimit.

This is convenient to test the feature and may be useful to defend
against syn flooding in a denial of service condition.  It is
consistent to the existing syn cache sysctls.  Move some declarations
to tcp_var.h to access the syn cache sets from tcp_sysctl().
OK mpi@

1 files changed, 18 insertions, 1 deletions

diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c
index 0ece5e179a4..1cb805eb715 100644
--- a/sys/netinet/tcp_usrreq.c
+++ b/sys/netinet/tcp_usrreq.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tcp_usrreq.c,v 1.129 2016/03/23 15:50:36 vgross Exp $	*/
+/*	$OpenBSD: tcp_usrreq.c,v 1.130 2016/03/29 18:13:20 bluhm Exp $	*/
 /*	$NetBSD: tcp_usrreq.c,v 1.20 1996/02/13 23:44:16 christos Exp $	*/
 
 /*
@@ -933,6 +933,23 @@ tcp_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
 		return (sysctl_struct(oldp, oldlenp, newp, newlen,
 		    &tcpstat, sizeof(tcpstat)));
 
+	case TCPCTL_SYN_USE_LIMIT:
+		error = sysctl_int(oldp, oldlenp, newp, newlen,
+		    &tcp_syn_use_limit);
+		if (error)
+			return (error);
+		if (newp != NULL) {
+			/*
+			 * Global tcp_syn_use_limit is used when reseeding a
+			 * new cache.  Also update the value in active cache.
+			 */
+			if (tcp_syn_cache[0].scs_use > tcp_syn_use_limit)
+				tcp_syn_cache[0].scs_use = tcp_syn_use_limit;
+			if (tcp_syn_cache[1].scs_use > tcp_syn_use_limit)
+				tcp_syn_cache[1].scs_use = tcp_syn_use_limit;
+		}
+		return (0);
+
 	default:
 		if (name[0] < TCPCTL_MAXID)
 			return (sysctl_int_arr(tcpctl_vars, name, namelen,