author | Eric Dumazet <eric.dumazet@gmail.com> | 2011-08-29 23:21:44 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2011-09-15 14:49:43 -0400 |
commit | 946cedccbd7387488d2cee5da92cdfeb28d2e670 (patch) | |
tree | fbb0d9c8dc11d6efee64e2a077a4951831932058 /include | |
parent | 27e95a8c670e0c587990ec5b9a87a7ea17873d28 (diff) |
tcp: Change possible SYN flooding messages
"Possible SYN flooding on port xxxx " messages can fill logs on servers.
Change logic to log the message only once per listener, and add two new
SNMP counters to track :
TCPReqQFullDoCookies : number of times a SYNCOOKIE was replied to client
TCPReqQFullDrop : number of times a SYN request was dropped because
syncookies were not enabled.
Based on a prior patch from Tom Herbert, and suggestions from David.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/snmp.h | 2 | ||||
-rw-r--r-- | include/net/request_sock.h | 3 | ||||
-rw-r--r-- | include/net/tcp.h | 3 |
3 files changed, 7 insertions, 1 deletions
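--- a/include/linux/snmp.h
+++ b/include/linux/snmp.h
@@ -231,6 +231,8 @@ enum
 LINUX_MIB_TCPDEFERACCEPTDROP,
 LINUX_MIB_IPRPFILTER, /* IP Reverse Path Filter (rp_filter) */
 LINUX_MIB_TCPTIMEWAITOVERFLOW, /* TCPTimeWaitOverflow */
+LINUX_MIB_TCPREQQFULLDOCOOKIES, /* TCPReqQFullDoCookies */
+LINUX_MIB_TCPREQQFULLDROP, /* TCPReqQFullDrop */
 __LINUX_MIB_MAX
 };
 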
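Review bot: The comments on the two new enum entries only repeat the counter names, so a reader of snmp.h cannot tell which counter means cookies were sent and which means SYNs were lost. Going by the commit message, `/* listen queue full, SYN answered with a syncookie */` on LINUX_MIB_TCPREQQFULLDOCOOKIES and `/* listen queue full, SYN dropped (syncookies off) */` on LINUX_MIB_TCPREQQFULLDROP would say it. Because the log line now fires only once per listener, these counters become the signal that monitoring has to rely on during a sustained flood, so the distinction is worth spelling out. This view is limited to include/, so the name-table entries that expose the counters are presumably in the part of the commit not shown here.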
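--- a/include/net/request_sock.h
+++ b/include/net/request_sock.h
@@ -96,7 +96,8 @@ extern int sysctl_max_syn_backlog;
 */
 struct listen_sock {
 u8 max_qlen_log;
-/* 3 bytes hole, try to use */
+u8 synflood_warned;
+/* 2 bytes hole, try to use */
 int qlen;
 int qlen_young;
 int clock_hand;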
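Review bot: `synflood_warned` is added to struct listen_sock without a comment saying who sets it and whether it is ever cleared. The code that uses it is outside this include-only view, but if the flag stays set for the lifetime of the listen_sock, a later flood against the same listener leaves no log line at all and shows up only in the new counters. I would document that on the field, e.g. `u8 synflood_warned; /* SYN flood warning already logged for this listener */`, and state whether re-listening resets it. The struct definition continues past the end of the hunk.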
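--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -460,6 +460,9 @@ extern int tcp_write_wakeup(struct sock *);
 extern void tcp_send_fin(struct sock *sk);
 extern void tcp_send_active_reset(struct sock *sk, gfp_t priority);
 extern int tcp_send_synack(struct sock *);
+extern int tcp_syn_flood_action(struct sock *sk,
+const struct sk_buff *skb,
+const char *proto);
 extern void tcp_push_one(struct sock *, unsigned int mss_now);
 extern void tcp_send_ack(struct sock *sk);
 extern void tcp_send_delayed_ack(struct sock *sk);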
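Review bot: The new prototype `tcp_syn_flood_action()` returns a plain `int` with no comment on what the value means, and its definition is not part of this include-only view. From the commit message it presumably tells the caller whether to answer with a syncookie or drop the SYN; a one-line comment above the declaration, such as `/* returns non-zero if a syncookie should be sent, 0 if the SYN is dropped -- confirm against the definition */`, would keep callers from guessing. If the result really is yes/no, `bool` would state that in the type. `proto` looks like it ends up in the log message, so the definition should print it through a `%s` conversion and never pass it as the format string.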