diff options
| author | Florian Westphal <fw@strlen.de> | 2016-12-01 05:32:06 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-12-02 12:49:59 -0500 |
| commit | 95a22caee396cef0bb2ca8fafdd82966a49367bb (patch) | |
| tree | ba58ca9c85a73dc887096d8123d199b3d28a705c /net/ipv6/tcp_ipv6.c | |
| parent | 7df5358d4707c6f0a26266d3a4dd97fd353947e2 (diff) | |
tcp: randomize tcp timestamp offsets for each connection
jiffies based timestamps allow for easy inference of number of devices
behind NAT translators and also makes tracking of hosts simpler.
commit ceaa1fef65a7c2e ("tcp: adding a per-socket timestamp offset")
added the main infrastructure that is needed for per-connection ts
randomization, in particular writing/reading the on-wire tcp header
format takes the offset into account so rest of stack can use normal
tcp_time_stamp (jiffies).
So only two items are left:
- add a tsoffset for request sockets
- extend the tcp isn generator to also return another 32bit number
in addition to the ISN.
Re-use of ISN generator also means timestamps are still monotonically
increasing for same connection quadruple, i.e. PAWS will still work.
Includes fixes from Eric Dumazet.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/tcp_ipv6.c')
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 28ec0a2e7b72..a2185a214abc 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c | |||
| @@ -101,12 +101,12 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) | |||
| 101 | } | 101 | } |
| 102 | } | 102 | } |
| 103 | 103 | ||
| 104 | static __u32 tcp_v6_init_sequence(const struct sk_buff *skb) | 104 | static u32 tcp_v6_init_sequence(const struct sk_buff *skb, u32 *tsoff) |
| 105 | { | 105 | { |
| 106 | return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32, | 106 | return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32, |
| 107 | ipv6_hdr(skb)->saddr.s6_addr32, | 107 | ipv6_hdr(skb)->saddr.s6_addr32, |
| 108 | tcp_hdr(skb)->dest, | 108 | tcp_hdr(skb)->dest, |
| 109 | tcp_hdr(skb)->source); | 109 | tcp_hdr(skb)->source, tsoff); |
| 110 | } | 110 | } |
| 111 | 111 | ||
| 112 | static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, | 112 | static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, |
| @@ -283,7 +283,8 @@ static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr, | |||
| 283 | tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32, | 283 | tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32, |
| 284 | sk->sk_v6_daddr.s6_addr32, | 284 | sk->sk_v6_daddr.s6_addr32, |
| 285 | inet->inet_sport, | 285 | inet->inet_sport, |
| 286 | inet->inet_dport); | 286 | inet->inet_dport, |
| 287 | &tp->tsoffset); | ||
| 287 | 288 | ||
| 288 | err = tcp_connect(sk); | 289 | err = tcp_connect(sk); |
| 289 | if (err) | 290 | if (err) |
| @@ -956,7 +957,8 @@ static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb, | |||
| 956 | tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt, | 957 | tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt, |
| 957 | tcp_rsk(req)->rcv_nxt, | 958 | tcp_rsk(req)->rcv_nxt, |
| 958 | req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, | 959 | req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale, |
| 959 | tcp_time_stamp, req->ts_recent, sk->sk_bound_dev_if, | 960 | tcp_time_stamp + tcp_rsk(req)->ts_off, |
| 961 | req->ts_recent, sk->sk_bound_dev_if, | ||
| 960 | tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr), | 962 | tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr), |
| 961 | 0, 0); | 963 | 0, 0); |
| 962 | } | 964 | } |