diff options
author | William Allen Simpson <william.allen.simpson@gmail.com> | 2009-12-02 13:17:05 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2009-12-03 01:07:25 -0500 |
commit | 435cf559f02ea3a3159eb316f97dc88bdebe9432 (patch) | |
tree | 0b2a7e9110c46b193176b0a59fe5689eae7c18f3 /include/net/tcp.h | |
parent | 519855c508b9a17878c0977a3cdefc09b59b30df (diff) |
TCPCT part 1d: define TCP cookie option, extend existing struct's
Data structures are carefully composed to require minimal additions.
For example, the struct tcp_options_received cookie_plus variable fits
between existing 16-bit and 8-bit variables, requiring no additional
space (taking alignment into consideration). There are no additions to
tcp_request_sock, and only 1 pointer in tcp_sock.
This is a significantly revised implementation of an earlier (year-old)
patch that no longer applies cleanly, with permission of the original
author (Adam Langley):
http://thread.gmane.org/gmane.linux.network/102586
The principle difference is using a TCP option to carry the cookie nonce,
instead of a user configured offset in the data. This is more flexible and
less subject to user configuration error. Such a cookie option has been
suggested for many years, and is also useful without SYN data, allowing
several related concepts to use the same extension option.
"Re: SYN floods (was: does history repeat itself?)", September 9, 1996.
http://www.merit.net/mail.archives/nanog/1996-09/msg00235.html
"Re: what a new TCP header might look like", May 12, 1998.
ftp://ftp.isi.edu/end2end/end2end-interest-1998.mail
These functions will also be used in subsequent patches that implement
additional features.
Requires:
TCPCT part 1a: add request_values parameter for sending SYNACK
TCPCT part 1b: generate Responder Cookie secret
TCPCT part 1c: sysctl_tcp_cookie_size, socket option TCP_COOKIE_TRANSACTIONS
Signed-off-by: William.Allen.Simpson@gmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net/tcp.h')
-rw-r--r-- | include/net/tcp.h | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/include/net/tcp.h b/include/net/tcp.h index 738b65f01e26..f9abd9becabd 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h | |||
@@ -30,6 +30,7 @@ | |||
30 | #include <linux/dmaengine.h> | 30 | #include <linux/dmaengine.h> |
31 | #include <linux/crypto.h> | 31 | #include <linux/crypto.h> |
32 | #include <linux/cryptohash.h> | 32 | #include <linux/cryptohash.h> |
33 | #include <linux/kref.h> | ||
33 | 34 | ||
34 | #include <net/inet_connection_sock.h> | 35 | #include <net/inet_connection_sock.h> |
35 | #include <net/inet_timewait_sock.h> | 36 | #include <net/inet_timewait_sock.h> |
@@ -164,6 +165,7 @@ extern void tcp_time_wait(struct sock *sk, int state, int timeo); | |||
164 | #define TCPOPT_SACK 5 /* SACK Block */ | 165 | #define TCPOPT_SACK 5 /* SACK Block */ |
165 | #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */ | 166 | #define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */ |
166 | #define TCPOPT_MD5SIG 19 /* MD5 Signature (RFC2385) */ | 167 | #define TCPOPT_MD5SIG 19 /* MD5 Signature (RFC2385) */ |
168 | #define TCPOPT_COOKIE 253 /* Cookie extension (experimental) */ | ||
167 | 169 | ||
168 | /* | 170 | /* |
169 | * TCP option lengths | 171 | * TCP option lengths |
@@ -174,6 +176,10 @@ extern void tcp_time_wait(struct sock *sk, int state, int timeo); | |||
174 | #define TCPOLEN_SACK_PERM 2 | 176 | #define TCPOLEN_SACK_PERM 2 |
175 | #define TCPOLEN_TIMESTAMP 10 | 177 | #define TCPOLEN_TIMESTAMP 10 |
176 | #define TCPOLEN_MD5SIG 18 | 178 | #define TCPOLEN_MD5SIG 18 |
179 | #define TCPOLEN_COOKIE_BASE 2 /* Cookie-less header extension */ | ||
180 | #define TCPOLEN_COOKIE_PAIR 3 /* Cookie pair header extension */ | ||
181 | #define TCPOLEN_COOKIE_MIN (TCPOLEN_COOKIE_BASE+TCP_COOKIE_MIN) | ||
182 | #define TCPOLEN_COOKIE_MAX (TCPOLEN_COOKIE_BASE+TCP_COOKIE_MAX) | ||
177 | 183 | ||
178 | /* But this is what stacks really send out. */ | 184 | /* But this is what stacks really send out. */ |
179 | #define TCPOLEN_TSTAMP_ALIGNED 12 | 185 | #define TCPOLEN_TSTAMP_ALIGNED 12 |
@@ -1482,6 +1488,83 @@ struct tcp_request_sock_ops { | |||
1482 | 1488 | ||
1483 | extern int tcp_cookie_generator(u32 *bakery); | 1489 | extern int tcp_cookie_generator(u32 *bakery); |
1484 | 1490 | ||
1491 | /** | ||
1492 | * struct tcp_cookie_values - each socket needs extra space for the | ||
1493 | * cookies, together with (optional) space for any SYN data. | ||
1494 | * | ||
1495 | * A tcp_sock contains a pointer to the current value, and this is | ||
1496 | * cloned to the tcp_timewait_sock. | ||
1497 | * | ||
1498 | * @cookie_pair: variable data from the option exchange. | ||
1499 | * | ||
1500 | * @cookie_desired: user specified tcpct_cookie_desired. Zero | ||
1501 | * indicates default (sysctl_tcp_cookie_size). | ||
1502 | * After cookie sent, remembers size of cookie. | ||
1503 | * Range 0, TCP_COOKIE_MIN to TCP_COOKIE_MAX. | ||
1504 | * | ||
1505 | * @s_data_desired: user specified tcpct_s_data_desired. When the | ||
1506 | * constant payload is specified (@s_data_constant), | ||
1507 | * holds its length instead. | ||
1508 | * Range 0 to TCP_MSS_DESIRED. | ||
1509 | * | ||
1510 | * @s_data_payload: constant data that is to be included in the | ||
1511 | * payload of SYN or SYNACK segments when the | ||
1512 | * cookie option is present. | ||
1513 | */ | ||
1514 | struct tcp_cookie_values { | ||
1515 | struct kref kref; | ||
1516 | u8 cookie_pair[TCP_COOKIE_PAIR_SIZE]; | ||
1517 | u8 cookie_pair_size; | ||
1518 | u8 cookie_desired; | ||
1519 | u16 s_data_desired:11, | ||
1520 | s_data_constant:1, | ||
1521 | s_data_in:1, | ||
1522 | s_data_out:1, | ||
1523 | s_data_unused:2; | ||
1524 | u8 s_data_payload[0]; | ||
1525 | }; | ||
1526 | |||
1527 | static inline void tcp_cookie_values_release(struct kref *kref) | ||
1528 | { | ||
1529 | kfree(container_of(kref, struct tcp_cookie_values, kref)); | ||
1530 | } | ||
1531 | |||
1532 | /* The length of constant payload data. Note that s_data_desired is | ||
1533 | * overloaded, depending on s_data_constant: either the length of constant | ||
1534 | * data (returned here) or the limit on variable data. | ||
1535 | */ | ||
1536 | static inline int tcp_s_data_size(const struct tcp_sock *tp) | ||
1537 | { | ||
1538 | return (tp->cookie_values != NULL && tp->cookie_values->s_data_constant) | ||
1539 | ? tp->cookie_values->s_data_desired | ||
1540 | : 0; | ||
1541 | } | ||
1542 | |||
1543 | /** | ||
1544 | * struct tcp_extend_values - tcp_ipv?.c to tcp_output.c workspace. | ||
1545 | * | ||
1546 | * As tcp_request_sock has already been extended in other places, the | ||
1547 | * only remaining method is to pass stack values along as function | ||
1548 | * parameters. These parameters are not needed after sending SYNACK. | ||
1549 | * | ||
1550 | * @cookie_bakery: cryptographic secret and message workspace. | ||
1551 | * | ||
1552 | * @cookie_plus: bytes in authenticator/cookie option, copied from | ||
1553 | * struct tcp_options_received (above). | ||
1554 | */ | ||
1555 | struct tcp_extend_values { | ||
1556 | struct request_values rv; | ||
1557 | u32 cookie_bakery[COOKIE_WORKSPACE_WORDS]; | ||
1558 | u8 cookie_plus:6, | ||
1559 | cookie_out_never:1, | ||
1560 | cookie_in_always:1; | ||
1561 | }; | ||
1562 | |||
1563 | static inline struct tcp_extend_values *tcp_xv(struct request_values *rvp) | ||
1564 | { | ||
1565 | return (struct tcp_extend_values *)rvp; | ||
1566 | } | ||
1567 | |||
1485 | extern void tcp_v4_init(void); | 1568 | extern void tcp_v4_init(void); |
1486 | extern void tcp_init(void); | 1569 | extern void tcp_init(void); |
1487 | 1570 | ||