CVSROOT:        /cvs
Module name:    src
Changes by:     m...@cvs.openbsd.org    2025/08/02 22:11:57

Modified files:
        sys/netinet6   : ip6_input.c nd6.c

Log message:
Deny negative values for `ip6_neighborgcthresh'.

Negative `ip6_neighborgcthresh' allows unlimited count of ND6 entries,
meanwhile positive value starts nd6_rtrequest() purging less recently
used ones.

ok bluhm

From bluhm:

This sysctl was implemented as response to a security issue.  Any
box on the internet could create ND entries by pinging non-existing
directly attached IPv6 addresses.  Then the ndp table of a router
fills up unlimited.  There is no reason to disable this security
feature.  If someone runs into the limit, we better increase the 5
* 2048 upper bound.
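
A small model of the behaviour the log message describes, added here as an illustration and not taken from the OpenBSD tree: a neighbor table that purges its least recently used entry once a non-negative threshold is reached, next to a setter that refuses negative values. The names set_gc_thresh, add_entry, simulate and MODEL_CAP, the starting value 2048 and the lower bound of 0 are assumptions made for the model; only the 5 * 2048 upper bound comes from the message.

```c
#include <stdio.h>

#define GC_THRESH_MAX (5 * 2048)  /* upper bound quoted in the commit message */
#define MODEL_CAP     16384       /* size of this model's table, not a kernel value */

static int gc_thresh = 2048;      /* assumed starting value for the model */
static unsigned long last_used[MODEL_CAP];  /* one slot per neighbor entry */
static int in_use;

/* Setter with the range check the commit describes: negatives are refused.
 * The lower bound of 0 is an assumption drawn from "deny negative values". */
static int set_gc_thresh(int v)
{
    if (v < 0 || v > GC_THRESH_MAX)
        return -1;                /* a kernel would report EINVAL here */
    gc_thresh = v;
    return 0;
}

/* Add one entry; at or above a non-negative threshold, first drop the
 * least recently used entry. A negative threshold skips the purge. */
static void add_entry(int thresh, unsigned long now)
{
    if (thresh >= 0 && in_use > 0 && in_use >= thresh) {
        int lru = 0;
        for (int i = 1; i < in_use; i++)
            if (last_used[i] < last_used[lru])
                lru = i;
        last_used[lru] = last_used[--in_use];   /* remove by swap */
    }
    if (in_use < MODEL_CAP)
        last_used[in_use++] = now;
}

/* Create `probes` entries, one per never-seen address; return table size. */
static int simulate(int thresh, int probes)
{
    in_use = 0;
    for (int t = 1; t <= probes; t++)
        add_entry(thresh, (unsigned long)t);
    return in_use;
}

int main(void)
{
    printf("thresh -1 (old behaviour): %d entries\n", simulate(-1, 12000));
    printf("set_gc_thresh(-1) -> %d\n", set_gc_thresh(-1));
    printf("thresh %d: %d entries\n", gc_thresh, simulate(gc_thresh, 12000));
    return 0;
}
```

With a negative threshold the table size tracks the number of probes; once the setter refuses negatives, the size stays pinned at whatever bounded threshold is configured.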