diff options
| author | Florian Westphal <fw@strlen.de> | 2016-12-01 05:32:06 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-12-02 12:49:59 -0500 |
| commit | 95a22caee396cef0bb2ca8fafdd82966a49367bb (patch) | |
| tree | ba58ca9c85a73dc887096d8123d199b3d28a705c /net/ipv4/tcp_ipv4.c | |
| parent | 7df5358d4707c6f0a26266d3a4dd97fd353947e2 (diff) | |
tcp: randomize tcp timestamp offsets for each connection
jiffies based timestamps allow for easy inference of number of devices
behind NAT translators and also makes tracking of hosts simpler.
commit ceaa1fef65a7c2e ("tcp: adding a per-socket timestamp offset")
added the main infrastructure that is needed for per-connection ts
randomization, in particular writing/reading the on-wire tcp header
format takes the offset into account so rest of stack can use normal
tcp_time_stamp (jiffies).
So only two items are left:
- add a tsoffset for request sockets
- extend the tcp isn generator to also return another 32bit number
in addition to the ISN.
Re-use of ISN generator also means timestamps are still monotonically
increasing for same connection quadruple, i.e. PAWS will still work.
Includes fixes from Eric Dumazet.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_ipv4.c')
| -rw-r--r-- | net/ipv4/tcp_ipv4.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 5555eb86e549..b50f05905ced 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c | |||
| @@ -95,12 +95,12 @@ static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key, | |||
| 95 | struct inet_hashinfo tcp_hashinfo; | 95 | struct inet_hashinfo tcp_hashinfo; |
| 96 | EXPORT_SYMBOL(tcp_hashinfo); | 96 | EXPORT_SYMBOL(tcp_hashinfo); |
| 97 | 97 | ||
| 98 | static __u32 tcp_v4_init_sequence(const struct sk_buff *skb) | 98 | static u32 tcp_v4_init_sequence(const struct sk_buff *skb, u32 *tsoff) |
| 99 | { | 99 | { |
| 100 | return secure_tcp_sequence_number(ip_hdr(skb)->daddr, | 100 | return secure_tcp_sequence_number(ip_hdr(skb)->daddr, |
| 101 | ip_hdr(skb)->saddr, | 101 | ip_hdr(skb)->saddr, |
| 102 | tcp_hdr(skb)->dest, | 102 | tcp_hdr(skb)->dest, |
| 103 | tcp_hdr(skb)->source); | 103 | tcp_hdr(skb)->source, tsoff); |
| 104 | } | 104 | } |
| 105 | 105 | ||
| 106 | int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) | 106 | int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp) |
| @@ -237,7 +237,8 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len) | |||
| 237 | tp->write_seq = secure_tcp_sequence_number(inet->inet_saddr, | 237 | tp->write_seq = secure_tcp_sequence_number(inet->inet_saddr, |
| 238 | inet->inet_daddr, | 238 | inet->inet_daddr, |
| 239 | inet->inet_sport, | 239 | inet->inet_sport, |
| 240 | usin->sin_port); | 240 | usin->sin_port, |
| 241 | &tp->tsoffset); | ||
| 241 | 242 | ||
| 242 | inet->inet_id = tp->write_seq ^ jiffies; | 243 | inet->inet_id = tp->write_seq ^ jiffies; |
| 243 | 244 | ||
| @@ -824,7 +825,7 @@ static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, | |||
| 824 | tcp_v4_send_ack(sk, skb, seq, | 825 | tcp_v4_send_ack(sk, skb, seq, |
| 825 | tcp_rsk(req)->rcv_nxt, | 826 | tcp_rsk(req)->rcv_nxt, |
| 826 | req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, | 827 | req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, |
| 827 | tcp_time_stamp, | 828 | tcp_time_stamp + tcp_rsk(req)->ts_off, |
| 828 | req->ts_recent, | 829 | req->ts_recent, |
| 829 | 0, | 830 | 0, |
| 830 | tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr, | 831 | tcp_md5_do_lookup(sk, (union tcp_md5_addr *)&ip_hdr(skb)->daddr, |