tcp: add tcp_syncookies mode to allow unconditionally generation of syncookies

| If you want to test which effects syncookies have to your
| network connections you can set this knob to 2 to enable
| unconditionally generation of syncookies.

Original idea and first implementation by Eric Dumazet.

Cc: Florian Westphal <fw@strlen.de>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 3 insertions, 2 deletions

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 2a5d5c469d17..280efe5f19c1 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -890,7 +890,7 @@ bool tcp_syn_flood_action(struct sock *sk,
                 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);
 
         lopt = inet_csk(sk)->icsk_accept_queue.listen_opt;
-        if (!lopt->synflood_warned) {
+        if (!lopt->synflood_warned && sysctl_tcp_syncookies != 2) {
                 lopt->synflood_warned = 1;
                 pr_info("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
                         proto, ntohs(tcp_hdr(skb)->dest), msg);
@@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
          * limitations, they conserve resources and peer is
          * evidently real one.
          */
-        if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
+        if ((sysctl_tcp_syncookies == 2 ||
+             inet_csk_reqsk_queue_is_full(sk)) && !isn) {
                 want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
                 if (!want_cookie)
                         goto drop;