mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-05 00:20:32 +00:00
Code Issues Releases Wiki Activity
linux-stable/include/net
History
Hannes Frederic Sowa a26552afe8 tcp: don't allow syn packets without timestamps to pass tcp_tw_recycle logic 
tcp_tw_recycle heavily relies on tcp timestamps to build a per-host
ordering of incoming connections and teardowns without the need to
hold state on a specific quadruple for TCP_TIMEWAIT_LEN, but only for
the last measured RTO. To do so, we keep the last seen timestamp in a
per-host indexed data structure and verify if the incoming timestamp
in a connection request is strictly greater than the saved one during
last connection teardown. Thus we can verify later on that no old data
packets will be accepted by the new connection.

During moving a socket to time-wait state we already verify if timestamps
where seen on a connection. Only if that was the case we let the
time-wait socket expire after the RTO, otherwise normal TCP_TIMEWAIT_LEN
will be used. But we don't verify this on incoming SYN packets. If a
connection teardown was less than TCP_PAWS_MSL seconds in the past we
cannot guarantee to not accept data packets from an old connection if
no timestamps are present. We should drop this SYN packet. This patch
closes this loophole.

Please note, this patch does not make tcp_tw_recycle in any way more
usable but only adds another safety check:
Sporadic drops of SYN packets because of reordering in the network or
in the socket backlog queues can happen. Users behing NAT trying to
connect to a tcp_tw_recycle enabled server can get caught in blackholes
and their connection requests may regullary get dropped because hosts
behind an address translator don't have synchronized tcp timestamp clocks.
tcp_tw_recycle cannot work if peers don't have tcp timestamps enabled.

In general, use of tcp_tw_recycle is disadvised.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-08-14 14:38:54 -07:00
..
9p
bluetooth Bluetooth: Rename pairable mgmt setting to bondable 2014-07-30 19:28:41 +02:00
caif
irda
iucv
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-07-22 00:44:59 -07:00
netns netfilter: kill remnants of ulog targets 2014-07-25 14:55:44 +02:00
nfc NFC: digital: Add 'tg_listen_md' and 'tg_get_rf_tech' driver hooks 2014-07-23 01:17:31 +02:00
phonet
sctp sctp: Fixup v4mapped behaviour to comply with Sock API 2014-07-31 21:49:06 -07:00
tc_act
6lowpan.h 6lowpan: remove unused function 2014-07-30 19:28:41 +02:00
act_api.h
addrconf.h net: ipv6: Introduce ip6_sk_dst_hoplimit. 2014-04-30 13:31:26 -04:00
af_ieee802154.h ieee802154: add dgram sockopts for security control 2014-05-16 17:23:41 -04:00
af_rxrpc.h
af_unix.h
af_vsock.h vsock: Make transport the proto owner 2014-05-05 13:13:50 -04:00
ah.h
arp.h
atmclip.h
ax25.h
ax88796.h
busy_poll.h
cfg80211-wext.h
cfg80211.h cfg80211: remove channel_switch combination check 2014-06-25 18:06:20 +02:00
checksum.h net: Allow csum_add to be provided in arch 2014-05-05 15:26:29 -04:00
cipso_ipv4.h
cls_cgroup.h
codel.h
compat.h
datalink.h
dcbevent.h
dcbnl.h Update setapp/getapp prototypes in dcbnl_rtnl_ops to return int instead of u8 2014-07-17 16:02:29 -07:00
dn.h
dn_dev.h
dn_fib.h
dn_neigh.h
dn_nsp.h
dn_route.h
dsa.h net: dsa: add ds_to_priv 2014-04-30 13:31:25 -04:00
dsfield.h
dst.h
dst_ops.h
esp.h
ethoc.h
fib_rules.h
firewire.h
flow.h
flow_keys.h flow_dissector: Abstract out hash computation 2014-07-07 21:14:20 -07:00
flowcache.h
garp.h
gen_stats.h
genetlink.h
gre.h gre: Call gso_make_checksum 2014-06-04 22:46:38 -07:00
gro_cells.h
icmp.h
ieee80211_radiotap.h
ieee802154.h ieee802154: add definitions for link-layer security and header functions 2014-05-15 15:51:42 -04:00
ieee802154_netdev.h ieee802154, mac802154: implement devkey record option 2014-05-16 17:23:42 -04:00
if_inet6.h ipv6: addrconf: implement address generation modes 2014-07-11 15:05:45 -07:00
inet6_connection_sock.h
inet6_hashtables.h
inet_common.h
inet_connection_sock.h tcp: fix tcp_release_cb() to dispatch via address family for mtu_reduced() 2014-08-14 14:38:54 -07:00
inet_ecn.h tunnel: fix RFC number in comment for INET_ECN_decapsulate() 2014-05-07 15:30:52 -04:00
inet_frag.h inet: frags: use kmem_cache for inet_frag_queue 2014-08-02 15:31:31 -07:00
inet_hashtables.h net: Use a more standard macro for INET_ADDR_COOKIE 2014-05-14 16:07:23 -04:00
inet_sock.h net: remove inet6_reqsk_alloc 2014-06-27 15:53:35 -07:00
inet_timewait_sock.h inet: move ipv6only in sock_common 2014-07-01 23:46:21 -07:00
inetpeer.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-06-03 23:32:12 -07:00
ip.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-07-30 13:25:49 -07:00
ip6_checksum.h udp: Generic functions to set checksum 2014-06-04 22:46:38 -07:00
ip6_fib.h
ip6_route.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-05-24 00:32:30 -04:00
ip6_tunnel.h
ip_fib.h
ip_tunnels.h ip_tunnel(ipv4): fix tunnels with "local any remote $remote_ip" 2014-07-30 15:18:58 -07:00
ip_vs.h
ipcomp.h
ipconfig.h
ipv6.h inet: frag: don't account number of fragment queues 2014-07-27 22:34:36 -07:00
ipx.h
iw_handler.h
lapb.h
lib80211.h
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
mac80211.h mac80211: add support for Rx reordering offloading 2014-07-21 17:42:07 +02:00
mac802154.h mac802154: at86rf230: add hw flags and merge ops 2014-07-07 21:29:24 -07:00
mip6.h
mld.h
mrp.h
ndisc.h
neighbour.h neigh: sysctl - simplify address calculation of gc_* variables 2014-07-14 14:32:51 -07:00
net_namespace.h
net_ratelimit.h
netdma.h
netevent.h
netlabel.h netlabel: fix the netlbl_catmap_setlong() dummy function 2014-08-07 20:55:21 -04:00
netlink.h netlink: Fix shadow warning on jiffies 2014-07-28 17:20:43 -07:00
netprio_cgroup.h
netrom.h
nexthop.h
nl802154.h
p8022.h
ping.h
pkt_cls.h
pkt_sched.h net_sched: drr: warn when qdisc is not work conserving 2014-06-11 15:50:59 -07:00
protocol.h net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
psnap.h
raw.h
rawv6.h
red.h
regulatory.h
request_sock.h
rose.h
route.h
rtnetlink.h net: rtnetlink - make create_link take name_assign_type 2014-07-15 16:13:07 -07:00
sch_generic.h flow_keys: Record IP layer protocol in skb_flow_dissect() 2014-06-23 14:32:19 -07:00
scm.h
secure_seq.h inetpeer: get rid of ip_id_count 2014-06-02 11:00:41 -07:00
slhc_vj.h
snmp.h net: clean up snmp stats code 2014-05-07 16:06:05 -04:00
sock.h tcp: fix tcp_release_cb() to dispatch via address family for mtu_reduced() 2014-08-14 14:38:54 -07:00
Space.h
stp.h
tcp.h tcp: don't allow syn packets without timestamps to pass tcp_tw_recycle logic 2014-08-14 14:38:54 -07:00
tcp_memcontrol.h
tcp_states.h
timewait_sock.h
transp_v6.h
tso.h net: Add a software TSO helper API 2014-05-22 14:57:15 -04:00
udp.h udp: Add function to make source port for UDP tunnels 2014-07-07 21:14:21 -07:00
udp_tunnel.h udp: Add udp_sock_create for UDP tunnels to open listener socket 2014-07-14 16:12:15 -07:00
udplite.h
vsock_addr.h
vxlan.h vxlan: Call udp_flow_src_port 2014-07-07 21:14:21 -07:00
wext.h
wimax.h wimax: Spelling s/than/that/, wording s/destinatary/recipient/ 2014-05-05 15:37:55 +02:00
wpan-phy.h
x25.h
x25device.h
xfrm.h