6 files changed, 45 insertions, 1 deletions

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index e20c17a7d34e..e1e021594cff 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -565,6 +565,11 @@ tcp_limit_output_bytes - INTEGER
         reduce the size of individual GSO packet (64KB being the max)
         Default: 131072
 
+tcp_challenge_ack_limit - INTEGER
+        Limits number of Challenge ACK sent per second, as recommended
+        in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
+        Default: 100
+
 UDP variables:
 
 udp_mem - vector of 3 INTEGERs: min, pressure, max
diff --git a/include/linux/snmp.h b/include/linux/snmp.h
index 6e4c51123828..673e0e928b2b 100644
--- a/include/linux/snmp.h
+++ b/include/linux/snmp.h
@@ -237,6 +237,7 @@ enum
         LINUX_MIB_TCPOFOQUEUE,                  /* TCPOFOQueue */
         LINUX_MIB_TCPOFODROP,                   /* TCPOFODrop */
         LINUX_MIB_TCPOFOMERGE,                  /* TCPOFOMerge */
+        LINUX_MIB_TCPCHALLENGEACK,              /* TCPChallengeACK */
         __LINUX_MIB_MAX
 };
 
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 439984b9af49..85c5090bfe25 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -254,6 +254,7 @@ extern int sysctl_tcp_thin_linear_timeouts;
 extern int sysctl_tcp_thin_dupack;
 extern int sysctl_tcp_early_retrans;
 extern int sysctl_tcp_limit_output_bytes;
+extern int sysctl_tcp_challenge_ack_limit;
 
 extern atomic_long_t tcp_memory_allocated;
 extern struct percpu_counter tcp_sockets_allocated;
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index dae25e7622cf..3e8e78f12a38 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -261,6 +261,7 @@ static const struct snmp_mib snmp4_net_list[] = {
         SNMP_MIB_ITEM("TCPOFOQueue", LINUX_MIB_TCPOFOQUEUE),
         SNMP_MIB_ITEM("TCPOFODrop", LINUX_MIB_TCPOFODROP),
         SNMP_MIB_ITEM("TCPOFOMerge", LINUX_MIB_TCPOFOMERGE),
+        SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
         SNMP_MIB_SENTINEL
 };
 
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 70730f7aeafe..3f6a1e762e9c 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -605,6 +605,13 @@ static struct ctl_table ipv4_table[] = {
                 .mode           = 0644,
                 .proc_handler   = proc_dointvec
         },
+        {
+                .procname       = "tcp_challenge_ack_limit",
+                .data           = &sysctl_tcp_challenge_ack_limit,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec
+        },
 #ifdef CONFIG_NET_DMA
         {
                 .procname       = "tcp_dma_copybreak",
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index cc4e12f1f2f7..c841a8990377 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -88,6 +88,9 @@ int sysctl_tcp_app_win __read_mostly = 31;
 int sysctl_tcp_adv_win_scale __read_mostly = 1;
 EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
 
+/* rfc5961 challenge ack rate limiting */
+int sysctl_tcp_challenge_ack_limit = 100;
+
 int sysctl_tcp_stdurg __read_mostly;
 int sysctl_tcp_rfc1337 __read_mostly;
 int sysctl_tcp_max_orphans __read_mostly = NR_FILE;
@@ -5247,6 +5250,23 @@ out:
 }
 #endif /* CONFIG_NET_DMA */
 
+static void tcp_send_challenge_ack(struct sock *sk)
+{
+        /* unprotected vars, we dont care of overwrites */
+        static u32 challenge_timestamp;
+        static unsigned int challenge_count;
+        u32 now = jiffies / HZ;
+
+        if (now != challenge_timestamp) {
+                challenge_timestamp = now;
+                challenge_count = 0;
+        }
+        if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
+                tcp_send_ack(sk);
+        }
+}
+
 /* Does PAWS and seqno based validation of an incoming segment, flags will
  * play significant role here.
  */
@@ -5283,7 +5303,16 @@ static int tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 
         /* Step 2: check RST bit */
         if (th->rst) {
-                tcp_reset(sk);
+                /* RFC 5961 3.2 :
+                 * If sequence number exactly matches RCV.NXT, then
+                 *     RESET the connection
+                 * else
+                 *     Send a challenge ACK
+                 */
+                if (TCP_SKB_CB(skb)->seq == tp->rcv_nxt)
+                        tcp_reset(sk);
+                else
+                        tcp_send_challenge_ack(sk);
                 goto discard;
         }