1 files changed, 91 insertions, 11 deletions
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index f470fe4511db..73ba98921d64 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -10,8 +10,6 @@
 *      2 of the License, or (at your option) any later version.
 *
 *  $Id: syncookies.c,v 1.18 2002/02/01 22:01:04 davem Exp $
- *
- *  Missing: IPv6 support.
 */
 #include <linux/tcp.h>
@@ -21,26 +19,33 @@
 #include <linux/kernel.h>
 #include <net/tcp.h>
+/* Timestamps: lowest 9 bits store TCP options */
+#define TSBITS 9
+#define TSMASK (((__u32)1 << TSBITS) - 1)
 extern int sysctl_tcp_syncookies;
-static __u32 syncookie_secret[2][16-3+SHA_DIGEST_WORDS];
+__u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
+EXPORT_SYMBOL(syncookie_secret);
 static __init int init_syncookies(void)
 {
        get_random_bytes(syncookie_secret, sizeof(syncookie_secret));
        return 0;
 }
-module_init(init_syncookies);
+__initcall(init_syncookies);
 #define COOKIEBITS 24   /* Upper bits store count */
 #define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
+static DEFINE_PER_CPU(__u32, cookie_scratch)[16 + 5 + SHA_WORKSPACE_WORDS];
 static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
                       u32 count, int c)
 {
-        __u32 tmp[16 + 5 + SHA_WORKSPACE_WORDS];
+        __u32 *tmp = __get_cpu_var(cookie_scratch);
-        memcpy(tmp + 3, syncookie_secret[c], sizeof(syncookie_secret[c]));
+        memcpy(tmp + 4, syncookie_secret[c], sizeof(syncookie_secret[c]));
        tmp[0] = (__force u32)saddr;
        tmp[1] = (__force u32)daddr;
        tmp[2] = ((__force u32)sport << 16) + (__force u32)dport;
@@ -50,6 +55,39 @@ static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
        return tmp[17];
 }
+/*
+ * when syncookies are in effect and tcp timestamps are enabled we encode
+ * tcp options in the lowest 9 bits of the timestamp value that will be
+ * sent in the syn-ack.
+ * Since subsequent timestamps use the normal tcp_time_stamp value, we
+ * must make sure that the resulting initial timestamp is <= tcp_time_stamp.
+ */
+__u32 cookie_init_timestamp(struct request_sock *req)
+{
+        struct inet_request_sock *ireq;
+        u32 ts, ts_now = tcp_time_stamp;
+        u32 options = 0;
+        ireq = inet_rsk(req);
+        if (ireq->wscale_ok) {
+                options = ireq->snd_wscale;
+                options |= ireq->rcv_wscale << 4;
+        }
+        options |= ireq->sack_ok << 8;
+        ts = ts_now & ~TSMASK;
+        ts |= options;
+        if (ts > ts_now) {
+                ts >>= TSBITS;
+                ts--;
+                ts <<= TSBITS;
+                ts |= options;
+        }
+        return ts;
+}
 static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
                                   __be16 dport, __u32 sseq, __u32 count,
                                   __u32 data)
@@ -184,6 +222,35 @@ static inline struct sock *get_cookie_sock(struct sock *sk, struct sk_buff *skb,
        return child;
 }
+/*
+ * when syncookies are in effect and tcp timestamps are enabled we stored
+ * additional tcp options in the timestamp.
+ * This extracts these options from the timestamp echo.
+ *
+ * The lowest 4 bits are for snd_wscale
+ * The next 4 lsb are for rcv_wscale
+ * The next lsb is for sack_ok
+ */
+void cookie_check_timestamp(struct tcp_options_received *tcp_opt)
+{
+        /* echoed timestamp, 9 lowest bits contain options */
+        u32 options = tcp_opt->rcv_tsecr & TSMASK;
+        tcp_opt->snd_wscale = options & 0xf;
+        options >>= 4;
+        tcp_opt->rcv_wscale = options & 0xf;
+        tcp_opt->sack_ok = (options >> 4) & 0x1;
+        if (tcp_opt->sack_ok)
+                tcp_sack_reset(tcp_opt);
+        if (tcp_opt->snd_wscale || tcp_opt->rcv_wscale)
+                tcp_opt->wscale_ok = 1;
+}
+EXPORT_SYMBOL(cookie_check_timestamp);
 struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
                             struct ip_options *opt)
 {
@@ -197,6 +264,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        int mss;
        struct rtable *rt;
        __u8 rcv_wscale;
+        struct tcp_options_received tcp_opt;
        if (!sysctl_tcp_syncookies || !th->ack)
                goto out;
@@ -209,6 +277,13 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESRECV);
+        /* check for timestamp cookie support */
+        memset(&tcp_opt, 0, sizeof(tcp_opt));
+        tcp_parse_options(skb, &tcp_opt, 0);
+        if (tcp_opt.saw_tstamp)
+                cookie_check_timestamp(&tcp_opt);
        ret = NULL;
        req = reqsk_alloc(&tcp_request_sock_ops); /* for safety */
        if (!req)
@@ -227,6 +302,12 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        ireq->loc_addr          = ip_hdr(skb)->daddr;
        ireq->rmt_addr          = ip_hdr(skb)->saddr;
        ireq->opt               = NULL;
+        ireq->snd_wscale        = tcp_opt.snd_wscale;
+        ireq->rcv_wscale        = tcp_opt.rcv_wscale;
+        ireq->sack_ok           = tcp_opt.sack_ok;
+        ireq->wscale_ok         = tcp_opt.wscale_ok;
+        ireq->tstamp_ok         = tcp_opt.saw_tstamp;
+        req->ts_recent          = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsval : 0;
        /* We throwed the options of the initial SYN away, so we hope
         * the ACK carries the same options again (see RFC1122 4.2.3.8)
@@ -241,8 +322,6 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
                }
        }
-        ireq->snd_wscale = ireq->rcv_wscale = ireq->tstamp_ok = 0;
-        ireq->wscale_ok  = ireq->sack_ok = 0;
        req->expires    = 0UL;
        req->retrans    = 0;
@@ -271,11 +350,12 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        }
        /* Try to redo what tcp_v4_send_synack did. */
-        req->window_clamp = dst_metric(&rt->u.dst, RTAX_WINDOW);
+        req->window_clamp = tp->window_clamp ? :dst_metric(&rt->u.dst, RTAX_WINDOW);
        tcp_select_initial_window(tcp_full_space(sk), req->mss,
                                  &req->rcv_wnd, &req->window_clamp,
-                                  0, &rcv_wscale);
+                                  ireq->wscale_ok, &rcv_wscale);
-        /* BTW win scale with syncookies is 0 by definition */
        ireq->rcv_wscale  = rcv_wscale;
        ret = get_cookie_sock(sk, skb, req, &rt->u.dst);

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index f470fe4511db..73ba98921d64 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c
@@ -10,8 +10,6 @@
10	* 2 of the License, or (at your option) any later version.	10	* 2 of the License, or (at your option) any later version.
11	*	11	*
12	* $Id: syncookies.c,v 1.18 2002/02/01 22:01:04 davem Exp $	12	* $Id: syncookies.c,v 1.18 2002/02/01 22:01:04 davem Exp $
13	*
14	* Missing: IPv6 support.
15	*/	13	*/
16		14
17	#include <linux/tcp.h>	15	#include <linux/tcp.h>
@@ -21,26 +19,33 @@
21	#include <linux/kernel.h>	19	#include <linux/kernel.h>
22	#include <net/tcp.h>	20	#include <net/tcp.h>
23		21
		22	/* Timestamps: lowest 9 bits store TCP options */
		23	#define TSBITS 9
		24	#define TSMASK (((__u32)1 << TSBITS) - 1)
		25
24	extern int sysctl_tcp_syncookies;	26	extern int sysctl_tcp_syncookies;
25		27
26	static __u32 syncookie_secret[2][16-3+SHA_DIGEST_WORDS];	28	__u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
		29	EXPORT_SYMBOL(syncookie_secret);
27		30
28	static __init int init_syncookies(void)	31	static __init int init_syncookies(void)
29	{	32	{
30	get_random_bytes(syncookie_secret, sizeof(syncookie_secret));	33	get_random_bytes(syncookie_secret, sizeof(syncookie_secret));
31	return 0;	34	return 0;
32	}	35	}
33	module_init(init_syncookies);	36	__initcall(init_syncookies);
34		37
35	#define COOKIEBITS 24 /* Upper bits store count */	38	#define COOKIEBITS 24 /* Upper bits store count */
36	#define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)	39	#define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
37		40
		41	static DEFINE_PER_CPU(__u32, cookie_scratch)[16 + 5 + SHA_WORKSPACE_WORDS];
		42
38	static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,	43	static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
39	u32 count, int c)	44	u32 count, int c)
40	{	45	{
41	__u32 tmp[16 + 5 + SHA_WORKSPACE_WORDS];	46	__u32 *tmp = __get_cpu_var(cookie_scratch);
42		47
43	memcpy(tmp + 3, syncookie_secret[c], sizeof(syncookie_secret[c]));	48	memcpy(tmp + 4, syncookie_secret[c], sizeof(syncookie_secret[c]));
44	tmp[0] = (__force u32)saddr;	49	tmp[0] = (__force u32)saddr;
45	tmp[1] = (__force u32)daddr;	50	tmp[1] = (__force u32)daddr;
46	tmp[2] = ((__force u32)sport << 16) + (__force u32)dport;	51	tmp[2] = ((__force u32)sport << 16) + (__force u32)dport;
@@ -50,6 +55,39 @@ static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
50	return tmp[17];	55	return tmp[17];
51	}	56	}
52		57
		58
		59	/*
		60	* when syncookies are in effect and tcp timestamps are enabled we encode
		61	* tcp options in the lowest 9 bits of the timestamp value that will be
		62	* sent in the syn-ack.
		63	* Since subsequent timestamps use the normal tcp_time_stamp value, we
		64	* must make sure that the resulting initial timestamp is <= tcp_time_stamp.
		65	*/
		66	__u32 cookie_init_timestamp(struct request_sock *req)
		67	{
		68	struct inet_request_sock *ireq;
		69	u32 ts, ts_now = tcp_time_stamp;
		70	u32 options = 0;
		71
		72	ireq = inet_rsk(req);
		73	if (ireq->wscale_ok) {
		74	options = ireq->snd_wscale;
		75	options \|= ireq->rcv_wscale << 4;
		76	}
		77	options \|= ireq->sack_ok << 8;
		78
		79	ts = ts_now & ~TSMASK;
		80	ts \|= options;
		81	if (ts > ts_now) {
		82	ts >>= TSBITS;
		83	ts--;
		84	ts <<= TSBITS;
		85	ts \|= options;
		86	}
		87	return ts;
		88	}
		89
		90
53	static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,	91	static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
54	__be16 dport, __u32 sseq, __u32 count,	92	__be16 dport, __u32 sseq, __u32 count,
55	__u32 data)	93	__u32 data)
@@ -184,6 +222,35 @@ static inline struct sock get_cookie_sock(struct sock sk, struct sk_buff *skb,
184	return child;	222	return child;
185	}	223	}
186		224
		225
		226	/*
		227	* when syncookies are in effect and tcp timestamps are enabled we stored
		228	* additional tcp options in the timestamp.
		229	* This extracts these options from the timestamp echo.
		230	*
		231	* The lowest 4 bits are for snd_wscale
		232	* The next 4 lsb are for rcv_wscale
		233	* The next lsb is for sack_ok
		234	*/
		235	void cookie_check_timestamp(struct tcp_options_received *tcp_opt)
		236	{
		237	/* echoed timestamp, 9 lowest bits contain options */
		238	u32 options = tcp_opt->rcv_tsecr & TSMASK;
		239
		240	tcp_opt->snd_wscale = options & 0xf;
		241	options >>= 4;
		242	tcp_opt->rcv_wscale = options & 0xf;
		243
		244	tcp_opt->sack_ok = (options >> 4) & 0x1;
		245
		246	if (tcp_opt->sack_ok)
		247	tcp_sack_reset(tcp_opt);
		248
		249	if (tcp_opt->snd_wscale \|\| tcp_opt->rcv_wscale)
		250	tcp_opt->wscale_ok = 1;
		251	}
		252	EXPORT_SYMBOL(cookie_check_timestamp);
		253
187	struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,	254	struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
188	struct ip_options *opt)	255	struct ip_options *opt)
189	{	256	{
@@ -197,6 +264,7 @@ struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
197	int mss;	264	int mss;
198	struct rtable *rt;	265	struct rtable *rt;
199	__u8 rcv_wscale;	266	__u8 rcv_wscale;
		267	struct tcp_options_received tcp_opt;
200		268
201	if (!sysctl_tcp_syncookies \|\| !th->ack)	269	if (!sysctl_tcp_syncookies \|\| !th->ack)
202	goto out;	270	goto out;
@@ -209,6 +277,13 @@ struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
209		277
210	NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESRECV);	278	NET_INC_STATS_BH(LINUX_MIB_SYNCOOKIESRECV);
211		279
		280	/* check for timestamp cookie support */
		281	memset(&tcp_opt, 0, sizeof(tcp_opt));
		282	tcp_parse_options(skb, &tcp_opt, 0);
		283
		284	if (tcp_opt.saw_tstamp)
		285	cookie_check_timestamp(&tcp_opt);
		286
212	ret = NULL;	287	ret = NULL;
213	req = reqsk_alloc(&tcp_request_sock_ops); /* for safety */	288	req = reqsk_alloc(&tcp_request_sock_ops); /* for safety */
214	if (!req)	289	if (!req)
@@ -227,6 +302,12 @@ struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
227	ireq->loc_addr = ip_hdr(skb)->daddr;	302	ireq->loc_addr = ip_hdr(skb)->daddr;
228	ireq->rmt_addr = ip_hdr(skb)->saddr;	303	ireq->rmt_addr = ip_hdr(skb)->saddr;
229	ireq->opt = NULL;	304	ireq->opt = NULL;
		305	ireq->snd_wscale = tcp_opt.snd_wscale;
		306	ireq->rcv_wscale = tcp_opt.rcv_wscale;
		307	ireq->sack_ok = tcp_opt.sack_ok;
		308	ireq->wscale_ok = tcp_opt.wscale_ok;
		309	ireq->tstamp_ok = tcp_opt.saw_tstamp;
		310	req->ts_recent = tcp_opt.saw_tstamp ? tcp_opt.rcv_tsval : 0;
230		311
231	/* We throwed the options of the initial SYN away, so we hope	312	/* We throwed the options of the initial SYN away, so we hope
232	* the ACK carries the same options again (see RFC1122 4.2.3.8)	313	* the ACK carries the same options again (see RFC1122 4.2.3.8)
@@ -241,8 +322,6 @@ struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
241	}	322	}
242	}	323	}
243		324
244	ireq->snd_wscale = ireq->rcv_wscale = ireq->tstamp_ok = 0;
245	ireq->wscale_ok = ireq->sack_ok = 0;
246	req->expires = 0UL;	325	req->expires = 0UL;
247	req->retrans = 0;	326	req->retrans = 0;
248		327
@@ -271,11 +350,12 @@ struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
271	}	350	}
272		351
273	/* Try to redo what tcp_v4_send_synack did. */	352	/* Try to redo what tcp_v4_send_synack did. */
274	req->window_clamp = dst_metric(&rt->u.dst, RTAX_WINDOW);	353	req->window_clamp = tp->window_clamp ? :dst_metric(&rt->u.dst, RTAX_WINDOW);
		354
275	tcp_select_initial_window(tcp_full_space(sk), req->mss,	355	tcp_select_initial_window(tcp_full_space(sk), req->mss,
276	&req->rcv_wnd, &req->window_clamp,	356	&req->rcv_wnd, &req->window_clamp,
277	0, &rcv_wscale);	357	ireq->wscale_ok, &rcv_wscale);
278	/* BTW win scale with syncookies is 0 by definition */	358
279	ireq->rcv_wscale = rcv_wscale;	359	ireq->rcv_wscale = rcv_wscale;
280		360
281	ret = get_cookie_sock(sk, skb, req, &rt->u.dst);	361	ret = get_cookie_sock(sk, skb, req, &rt->u.dst);