author | Eric Dumazet <edumazet@google.com> | 2017-10-27 10:47:26 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2017-10-28 06:24:38 -0400 |
commit | b530b68148301d73775cd27cc136ce4dd5738ae8 (patch) | |
tree | 17b24c9b241619498bcae2ff8049653ae4ea46ed /net/ipv4/tcp_input.c | |
parent | 9184d8bb448a3d2c2d9f90f1e2f5de625292e769 (diff) |
tcp: Namespace-ify sysctl_tcp_challenge_ack_limit
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_input.c')
-rw-r--r-- | net/ipv4/tcp_input.c | 14 |
1 files changed, 6 insertions, 8 deletions
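--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -79,9 +79,6 @@
 #include <linux/unaligned/access_ok.h>
 #include <linux/static_key.h>
 
-/* rfc5961 challenge ack rate limiting */
-int sysctl_tcp_challenge_ack_limit = 1000;
-
 int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
 int sysctl_tcp_min_rtt_wlen __read_mostly = 300;
 int sysctl_tcp_invalid_ratelimit __read_mostly = HZ/2;
@@ -3443,10 +3440,11 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
 static u32 challenge_timestamp;
 static unsigned int challenge_count;
 struct tcp_sock *tp = tcp_sk(sk);
+struct net *net = sock_net(sk);
 u32 count, now;
 
 /* First check our per-socket dupack rate limit. */
-if (__tcp_oow_rate_limited(sock_net(sk),
+if (__tcp_oow_rate_limited(net,
 LINUX_MIB_TCPACKSKIPPEDCHALLENGE,
 &tp->last_oow_ack_time))
 return;
@@ -3454,16 +3452,16 @@ static void tcp_send_challenge_ack(struct sock *sk, const struct sk_buff *skb)
 /* Then check host-wide RFC 5961 rate limit. */
 now = jiffies / HZ;
 if (now != challenge_timestamp) {
-u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
+u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit;
+u32 half = (ack_limit + 1) >> 1;
 
 challenge_timestamp = now;
-WRITE_ONCE(challenge_count, half +
-prandom_u32_max(sysctl_tcp_challenge_ack_limit));
+WRITE_ONCE(challenge_count, half + prandom_u32_max(ack_limit));
 }
 count = READ_ONCE(challenge_count);
 if (count > 0) {
 WRITE_ONCE(challenge_count, count - 1);
-NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+NET_INC_STATS(net, LINUX_MIB_TCPCHALLENGEACK);
 tcp_send_ack(sk);
 }
 }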
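Review bot: `challenge_timestamp` and `challenge_count` remain function-static in tcp_send_challenge_ack(), so the RFC 5961 budget is still a single host-wide counter, while the refill at `u32 ack_limit = net->ipv4.sysctl_tcp_challenge_ack_limit;` now sizes it from whichever namespace sends the first challenge ACK in a given second. If the per-netns sysctl can be written from inside a non-init namespace (the sysctl table is not visible in this file), one namespace's value would set the challenge-ACK allowance of every other namespace for that second, and the shared counter stays observable across namespaces. Either keep the timestamp and counter in per-netns state next to the limit, or document the coupling above the "host-wide" comment, e.g. `/* challenge_count is shared by all netns; each refill uses the limit of the netns that sends first in that second */`. The limit is also read from the namespace field into a `u32`, so it is worth confirming that the sysctl handler rejects negative values. The function's opening lines are outside the hunks.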