1 files changed, 32 insertions, 48 deletions
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 14a15c49129d..b95331e6c077 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -25,15 +25,7 @@
 extern int sysctl_tcp_syncookies;
-__u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
+static u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
-EXPORT_SYMBOL(syncookie_secret);
-static __init int init_syncookies(void)
-{
-        get_random_bytes(syncookie_secret, sizeof(syncookie_secret));
-        return 0;
-}
-__initcall(init_syncookies);
 #define COOKIEBITS 24   /* Upper bits store count */
 #define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
@@ -44,8 +36,11 @@ static DEFINE_PER_CPU(__u32 [16 + 5 + SHA_WORKSPACE_WORDS],
 static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
                       u32 count, int c)
 {
-        __u32 *tmp = __get_cpu_var(ipv4_cookie_scratch);
+        __u32 *tmp;
+        net_get_random_once(syncookie_secret, sizeof(syncookie_secret));
+        tmp  = __get_cpu_var(ipv4_cookie_scratch);
        memcpy(tmp + 4, syncookie_secret[c], sizeof(syncookie_secret[c]));
        tmp[0] = (__force u32)saddr;
        tmp[1] = (__force u32)daddr;
@@ -89,8 +84,7 @@ __u32 cookie_init_timestamp(struct request_sock *req)
 static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
-                                   __be16 dport, __u32 sseq, __u32 count,
+                                   __be16 dport, __u32 sseq, __u32 data)
-                                   __u32 data)
 {
        /*
         * Compute the secure sequence number.
@@ -102,7 +96,7 @@ static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
         * As an extra hack, we add a small "data" value that encodes the
         * MSS into the second hash value.
         */
+        u32 count = tcp_cookie_time();
        return (cookie_hash(saddr, daddr, sport, dport, 0, 0) +
                sseq + (count << COOKIEBITS) +
                ((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)
@@ -114,22 +108,21 @@ static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
 * If the syncookie is bad, the data returned will be out of
 * range.  This must be checked by the caller.
 *
- * The count value used to generate the cookie must be within
+ * The count value used to generate the cookie must be less than
- * "maxdiff" if the current (passed-in) "count".  The return value
+ * MAX_SYNCOOKIE_AGE minutes in the past.
- * is (__u32)-1 if this test fails.
+ * The return value (__u32)-1 if this test fails.
 */
 static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr,
-                                  __be16 sport, __be16 dport, __u32 sseq,
+                                  __be16 sport, __be16 dport, __u32 sseq)
-                                  __u32 count, __u32 maxdiff)
 {
-        __u32 diff;
+        u32 diff, count = tcp_cookie_time();
        /* Strip away the layers from the cookie */
        cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;
        /* Cookie is now reduced to (count * 2^24) ^ (hash % 2^24) */
        diff = (count - (cookie >> COOKIEBITS)) & ((__u32) - 1 >> COOKIEBITS);
-        if (diff >= maxdiff)
+        if (diff >= MAX_SYNCOOKIE_AGE)
                return (__u32)-1;
        return (cookie -
@@ -138,22 +131,22 @@ static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr,
 }
 /*
- * MSS Values are taken from the 2009 paper
+ * MSS Values are chosen based on the 2011 paper
- * 'Measuring TCP Maximum Segment Size' by S. Alcock and R. Nelson:
+ * 'An Analysis of TCP Maximum Segement Sizes' by S. Alcock and R. Nelson.
- *  - values 1440 to 1460 accounted for 80% of observed mss values
+ * Values ..
- *  - values outside the 536-1460 range are rare (<0.2%).
+ *  .. lower than 536 are rare (< 0.2%)
+ *  .. between 537 and 1299 account for less than < 1.5% of observed values
+ *  .. in the 1300-1349 range account for about 15 to 20% of observed mss values
+ *  .. exceeding 1460 are very rare (< 0.04%)
 *
- * Table must be sorted.
+ *  1460 is the single most frequently announced mss value (30 to 46% depending
+ *  on monitor location).  Table must be sorted.
 */
 static __u16 const msstab[] = {
-        64,
-        512,
        536,
-        1024,
+        1300,
-        1440,
+        1440,   /* 1440, 1452: PPPoE */
        1460,
-        4312,
-        8960,
 };
 /*
@@ -173,7 +166,7 @@ u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th,
        return secure_tcp_syn_cookie(iph->saddr, iph->daddr,
                                     th->source, th->dest, ntohl(th->seq),
-                                     jiffies / (HZ * 60), mssind);
+                                     mssind);
 }
 EXPORT_SYMBOL_GPL(__cookie_v4_init_sequence);
@@ -189,13 +182,6 @@ __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb, __u16 *mssp)
 }
 /*
- * This (misnamed) value is the age of syncookie which is permitted.
- * Its ideal value should be dependent on TCP_TIMEOUT_INIT and
- * sysctl_tcp_retries1. It's a rather complicated formula (exponential
- * backoff) to compute at runtime so it's currently hardcoded here.
- */
-#define COUNTER_TRIES 4
-/*
 * Check if a ack sequence number is a valid syncookie.
 * Return the decoded mss if it is, or 0 if not.
 */
@@ -204,9 +190,7 @@ int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th,
 {
        __u32 seq = ntohl(th->seq) - 1;
        __u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr,
-                                            th->source, th->dest, seq,
+                                            th->source, th->dest, seq);
-                                            jiffies / (HZ * 60),
-                                            COUNTER_TRIES);
        return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;
 }
@@ -315,10 +299,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        treq->rcv_isn           = ntohl(th->seq) - 1;
        treq->snt_isn           = cookie;
        req->mss                = mss;
-        ireq->loc_port          = th->dest;
+        ireq->ir_num            = ntohs(th->dest);
-        ireq->rmt_port          = th->source;
+        ireq->ir_rmt_port       = th->source;
-        ireq->loc_addr          = ip_hdr(skb)->daddr;
+        ireq->ir_loc_addr       = ip_hdr(skb)->daddr;
-        ireq->rmt_addr          = ip_hdr(skb)->saddr;
+        ireq->ir_rmt_addr       = ip_hdr(skb)->saddr;
        ireq->ecn_ok            = ecn_ok;
        ireq->snd_wscale        = tcp_opt.snd_wscale;
        ireq->sack_ok           = tcp_opt.sack_ok;
@@ -358,8 +342,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
        flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,
                           RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
                           inet_sk_flowi_flags(sk),
-                           (opt && opt->srr) ? opt->faddr : ireq->rmt_addr,
+                           (opt && opt->srr) ? opt->faddr : ireq->ir_rmt_addr,
-                           ireq->loc_addr, th->source, th->dest);
+                           ireq->ir_loc_addr, th->source, th->dest);
        security_req_classify_flow(req, flowi4_to_flowi(&fl4));
        rt = ip_route_output_key(sock_net(sk), &fl4);
        if (IS_ERR(rt)) {

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c index 14a15c49129d..b95331e6c077 100644 --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c
@@ -25,15 +25,7 @@
25		25
26	extern int sysctl_tcp_syncookies;	26	extern int sysctl_tcp_syncookies;
27		27
28	__u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];	28	static u32 syncookie_secret[2][16-4+SHA_DIGEST_WORDS];
29	EXPORT_SYMBOL(syncookie_secret);
30
31	static __init int init_syncookies(void)
32	{
33	get_random_bytes(syncookie_secret, sizeof(syncookie_secret));
34	return 0;
35	}
36	__initcall(init_syncookies);
37		29
38	#define COOKIEBITS 24 /* Upper bits store count */	30	#define COOKIEBITS 24 /* Upper bits store count */
39	#define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)	31	#define COOKIEMASK (((__u32)1 << COOKIEBITS) - 1)
@@ -44,8 +36,11 @@ static DEFINE_PER_CPU(__u32 [16 + 5 + SHA_WORKSPACE_WORDS],
44	static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,	36	static u32 cookie_hash(__be32 saddr, __be32 daddr, __be16 sport, __be16 dport,
45	u32 count, int c)	37	u32 count, int c)
46	{	38	{
47	__u32 *tmp = __get_cpu_var(ipv4_cookie_scratch);	39	__u32 *tmp;
		40
		41	net_get_random_once(syncookie_secret, sizeof(syncookie_secret));
48		42
		43	tmp = __get_cpu_var(ipv4_cookie_scratch);
49	memcpy(tmp + 4, syncookie_secret[c], sizeof(syncookie_secret[c]));	44	memcpy(tmp + 4, syncookie_secret[c], sizeof(syncookie_secret[c]));
50	tmp[0] = (__force u32)saddr;	45	tmp[0] = (__force u32)saddr;
51	tmp[1] = (__force u32)daddr;	46	tmp[1] = (__force u32)daddr;
@@ -89,8 +84,7 @@ __u32 cookie_init_timestamp(struct request_sock *req)
89		84
90		85
91	static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,	86	static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
92	__be16 dport, __u32 sseq, __u32 count,	87	__be16 dport, __u32 sseq, __u32 data)
93	__u32 data)
94	{	88	{
95	/*	89	/*
96	* Compute the secure sequence number.	90	* Compute the secure sequence number.
@@ -102,7 +96,7 @@ static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
102	* As an extra hack, we add a small "data" value that encodes the	96	* As an extra hack, we add a small "data" value that encodes the
103	* MSS into the second hash value.	97	* MSS into the second hash value.
104	*/	98	*/
105		99	u32 count = tcp_cookie_time();
106	return (cookie_hash(saddr, daddr, sport, dport, 0, 0) +	100	return (cookie_hash(saddr, daddr, sport, dport, 0, 0) +
107	sseq + (count << COOKIEBITS) +	101	sseq + (count << COOKIEBITS) +
108	((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)	102	((cookie_hash(saddr, daddr, sport, dport, count, 1) + data)
@@ -114,22 +108,21 @@ static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
114	* If the syncookie is bad, the data returned will be out of	108	* If the syncookie is bad, the data returned will be out of
115	* range. This must be checked by the caller.	109	* range. This must be checked by the caller.
116	*	110	*
117	* The count value used to generate the cookie must be within	111	* The count value used to generate the cookie must be less than
118	* "maxdiff" if the current (passed-in) "count". The return value	112	* MAX_SYNCOOKIE_AGE minutes in the past.
119	* is (__u32)-1 if this test fails.	113	* The return value (__u32)-1 if this test fails.
120	*/	114	*/
121	static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr,	115	static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr,
122	__be16 sport, __be16 dport, __u32 sseq,	116	__be16 sport, __be16 dport, __u32 sseq)
123	__u32 count, __u32 maxdiff)
124	{	117	{
125	__u32 diff;	118	u32 diff, count = tcp_cookie_time();
126		119
127	/* Strip away the layers from the cookie */	120	/* Strip away the layers from the cookie */
128	cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;	121	cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;
129		122
130	/* Cookie is now reduced to (count * 2^24) ^ (hash % 2^24) */	123	/* Cookie is now reduced to (count * 2^24) ^ (hash % 2^24) */
131	diff = (count - (cookie >> COOKIEBITS)) & ((__u32) - 1 >> COOKIEBITS);	124	diff = (count - (cookie >> COOKIEBITS)) & ((__u32) - 1 >> COOKIEBITS);
132	if (diff >= maxdiff)	125	if (diff >= MAX_SYNCOOKIE_AGE)
133	return (__u32)-1;	126	return (__u32)-1;
134		127
135	return (cookie -	128	return (cookie -
@@ -138,22 +131,22 @@ static __u32 check_tcp_syn_cookie(__u32 cookie, __be32 saddr, __be32 daddr,
138	}	131	}
139		132
140	/*	133	/*
141	* MSS Values are taken from the 2009 paper	134	* MSS Values are chosen based on the 2011 paper
142	* 'Measuring TCP Maximum Segment Size' by S. Alcock and R. Nelson:	135	* 'An Analysis of TCP Maximum Segement Sizes' by S. Alcock and R. Nelson.
143	* - values 1440 to 1460 accounted for 80% of observed mss values	136	* Values ..
144	* - values outside the 536-1460 range are rare (<0.2%).	137	* .. lower than 536 are rare (< 0.2%)
		138	* .. between 537 and 1299 account for less than < 1.5% of observed values
		139	* .. in the 1300-1349 range account for about 15 to 20% of observed mss values
		140	* .. exceeding 1460 are very rare (< 0.04%)
145	*	141	*
146	* Table must be sorted.	142	* 1460 is the single most frequently announced mss value (30 to 46% depending
		143	* on monitor location). Table must be sorted.
147	*/	144	*/
148	static __u16 const msstab[] = {	145	static __u16 const msstab[] = {
149	64,
150	512,
151	536,	146	536,
152	1024,	147	1300,
153	1440,	148	1440, /* 1440, 1452: PPPoE */
154	1460,	149	1460,
155	4312,
156	8960,
157	};	150	};
158		151
159	/*	152	/*
@@ -173,7 +166,7 @@ u32 __cookie_v4_init_sequence(const struct iphdr iph, const struct tcphdr th,
173		166
174	return secure_tcp_syn_cookie(iph->saddr, iph->daddr,	167	return secure_tcp_syn_cookie(iph->saddr, iph->daddr,
175	th->source, th->dest, ntohl(th->seq),	168	th->source, th->dest, ntohl(th->seq),
176	jiffies / (HZ * 60), mssind);	169	mssind);
177	}	170	}
178	EXPORT_SYMBOL_GPL(__cookie_v4_init_sequence);	171	EXPORT_SYMBOL_GPL(__cookie_v4_init_sequence);
179		172
@@ -189,13 +182,6 @@ __u32 cookie_v4_init_sequence(struct sock sk, struct sk_buff skb, __u16 *mssp)
189	}	182	}
190		183
191	/*	184	/*
192	* This (misnamed) value is the age of syncookie which is permitted.
193	* Its ideal value should be dependent on TCP_TIMEOUT_INIT and
194	* sysctl_tcp_retries1. It's a rather complicated formula (exponential
195	* backoff) to compute at runtime so it's currently hardcoded here.
196	*/
197	#define COUNTER_TRIES 4
198	/*
199	* Check if a ack sequence number is a valid syncookie.	185	* Check if a ack sequence number is a valid syncookie.
200	* Return the decoded mss if it is, or 0 if not.	186	* Return the decoded mss if it is, or 0 if not.
201	*/	187	*/
@@ -204,9 +190,7 @@ int __cookie_v4_check(const struct iphdr iph, const struct tcphdr th,
204	{	190	{
205	__u32 seq = ntohl(th->seq) - 1;	191	__u32 seq = ntohl(th->seq) - 1;
206	__u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr,	192	__u32 mssind = check_tcp_syn_cookie(cookie, iph->saddr, iph->daddr,
207	th->source, th->dest, seq,	193	th->source, th->dest, seq);
208	jiffies / (HZ * 60),
209	COUNTER_TRIES);
210		194
211	return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;	195	return mssind < ARRAY_SIZE(msstab) ? msstab[mssind] : 0;
212	}	196	}
@@ -315,10 +299,10 @@ struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
315	treq->rcv_isn = ntohl(th->seq) - 1;	299	treq->rcv_isn = ntohl(th->seq) - 1;
316	treq->snt_isn = cookie;	300	treq->snt_isn = cookie;
317	req->mss = mss;	301	req->mss = mss;
318	ireq->loc_port = th->dest;	302	ireq->ir_num = ntohs(th->dest);
319	ireq->rmt_port = th->source;	303	ireq->ir_rmt_port = th->source;
320	ireq->loc_addr = ip_hdr(skb)->daddr;	304	ireq->ir_loc_addr = ip_hdr(skb)->daddr;
321	ireq->rmt_addr = ip_hdr(skb)->saddr;	305	ireq->ir_rmt_addr = ip_hdr(skb)->saddr;
322	ireq->ecn_ok = ecn_ok;	306	ireq->ecn_ok = ecn_ok;
323	ireq->snd_wscale = tcp_opt.snd_wscale;	307	ireq->snd_wscale = tcp_opt.snd_wscale;
324	ireq->sack_ok = tcp_opt.sack_ok;	308	ireq->sack_ok = tcp_opt.sack_ok;
@@ -358,8 +342,8 @@ struct sock cookie_v4_check(struct sock sk, struct sk_buff *skb,
358	flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,	342	flowi4_init_output(&fl4, sk->sk_bound_dev_if, sk->sk_mark,
359	RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,	343	RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE, IPPROTO_TCP,
360	inet_sk_flowi_flags(sk),	344	inet_sk_flowi_flags(sk),
361	(opt && opt->srr) ? opt->faddr : ireq->rmt_addr,	345	(opt && opt->srr) ? opt->faddr : ireq->ir_rmt_addr,
362	ireq->loc_addr, th->source, th->dest);	346	ireq->ir_loc_addr, th->source, th->dest);
363	security_req_classify_flow(req, flowi4_to_flowi(&fl4));	347	security_req_classify_flow(req, flowi4_to_flowi(&fl4));
364	rt = ip_route_output_key(sock_net(sk), &fl4);	348	rt = ip_route_output_key(sock_net(sk), &fl4);
365	if (IS_ERR(rt)) {	349	if (IS_ERR(rt)) {