diff options
| author | Eric Dumazet <edumazet@google.com> | 2015-01-30 00:35:05 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-02-02 02:06:19 -0500 |
| commit | bdbbb8527b6f6a358dbcb70dac247034d665b8e4 (patch) | |
| tree | d3c764600d9d7a18956943fcb5c0de8f2e0a6c43 /include/net | |
| parent | 0d32ef8cef9aa8f375e128f78b77caceaa7e8da0 (diff) | |
ipv4: tcp: get rid of ugly unicast_sock
In commit be9f4a44e7d41 ("ipv4: tcp: remove per net tcp_sock")
I tried to address contention on a socket lock, but the solution
I chose was horrible :
commit 3a7c384ffd57e ("ipv4: tcp: unicast_sock should not land outside
of TCP stack") addressed a selinux regression.
commit 0980e56e506b ("ipv4: tcp: set unicast_sock uc_ttl to -1")
took care of another regression.
commit b5ec8eeac46 ("ipv4: fix ip_send_skb()") fixed another regression.
commit 811230cd85 ("tcp: ipv4: initialize unicast_sock sk_pacing_rate")
was another shot in the dark.
Really, just use a proper socket per cpu, and remove the skb_orphan()
call, to re-enable flow control.
This solves a serious problem with FQ packet scheduler when used in
hostile environments, as we do not want to allocate a flow structure
for every RST packet sent in response to a spoofed packet.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/ip.h | 2 | ||||
| -rw-r--r-- | include/net/netns/ipv4.h | 1 |
2 files changed, 2 insertions, 1 deletions
diff --git a/include/net/ip.h b/include/net/ip.h index f7cbd703d15d..09cf5aebb283 100644 --- a/include/net/ip.h +++ b/include/net/ip.h | |||
| @@ -181,7 +181,7 @@ static inline __u8 ip_reply_arg_flowi_flags(const struct ip_reply_arg *arg) | |||
| 181 | return (arg->flags & IP_REPLY_ARG_NOSRCCHECK) ? FLOWI_FLAG_ANYSRC : 0; | 181 | return (arg->flags & IP_REPLY_ARG_NOSRCCHECK) ? FLOWI_FLAG_ANYSRC : 0; |
| 182 | } | 182 | } |
| 183 | 183 | ||
| 184 | void ip_send_unicast_reply(struct net *net, struct sk_buff *skb, | 184 | void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, |
| 185 | const struct ip_options *sopt, | 185 | const struct ip_options *sopt, |
| 186 | __be32 daddr, __be32 saddr, | 186 | __be32 daddr, __be32 saddr, |
| 187 | const struct ip_reply_arg *arg, | 187 | const struct ip_reply_arg *arg, |
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h index 24945cefc4fd..0ffef1a38efc 100644 --- a/include/net/netns/ipv4.h +++ b/include/net/netns/ipv4.h | |||
| @@ -52,6 +52,7 @@ struct netns_ipv4 { | |||
| 52 | struct inet_peer_base *peers; | 52 | struct inet_peer_base *peers; |
| 53 | struct tcpm_hash_bucket *tcp_metrics_hash; | 53 | struct tcpm_hash_bucket *tcp_metrics_hash; |
| 54 | unsigned int tcp_metrics_hash_log; | 54 | unsigned int tcp_metrics_hash_log; |
| 55 | struct sock * __percpu *tcp_sk; | ||
| 55 | struct netns_frags frags; | 56 | struct netns_frags frags; |
| 56 | #ifdef CONFIG_NETFILTER | 57 | #ifdef CONFIG_NETFILTER |
| 57 | struct xt_table *iptable_filter; | 58 | struct xt_table *iptable_filter; |