Diffstat (limited to 'net/ipv6/tcp_ipv6.c')
| -rw-r--r-- | net/ipv6/tcp_ipv6.c | 37 |
1 files changed, 9 insertions, 28 deletions
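--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -61,6 +61,7 @@
 #include <net/timewait_sock.h>
 #include <net/netdma.h>
 #include <net/inet_common.h>
+#include <net/secure_seq.h>
 
 #include <asm/uaccess.h>
 
@@ -530,20 +531,6 @@ static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
 return tcp_v6_send_synack(sk, req, rvp);
 }
 
-static inline void syn_flood_warning(struct sk_buff *skb)
-{
-#ifdef CONFIG_SYN_COOKIES
-if (sysctl_tcp_syncookies)
-printk(KERN_INFO
-"TCPv6: Possible SYN flooding on port %d. "
-"Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
-else
-#endif
-printk(KERN_INFO
-"TCPv6: Possible SYN flooding on port %d. "
-"Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
-}
-
 static void tcp_v6_reqsk_destructor(struct request_sock *req)
 {
 kfree_skb(inet6_rsk(req)->pktopts);
@@ -1178,11 +1165,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 struct tcp_sock *tp = tcp_sk(sk);
 __u32 isn = TCP_SKB_CB(skb)->when;
 struct dst_entry *dst = NULL;
-#ifdef CONFIG_SYN_COOKIES
 int want_cookie = 0;
-#else
-#define want_cookie 0
-#endif
 
 if (skb->protocol == htons(ETH_P_IP))
 return tcp_v4_conn_request(sk, skb);
@@ -1191,14 +1174,9 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 goto drop;
 
 if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
-if (net_ratelimit())
-syn_flood_warning(skb);
-#ifdef CONFIG_SYN_COOKIES
-if (sysctl_tcp_syncookies)
-want_cookie = 1;
-else
-#endif
-goto drop;
+want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6");
+if (!want_cookie)
+goto drop;
 }
 
 if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
@@ -1248,9 +1226,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 while (l-- > 0)
 *c++ ^= *hash_location++;
 
-#ifdef CONFIG_SYN_COOKIES
 want_cookie = 0; /* not our kind of cookie */
-#endif
 tmp_ext.cookie_out_never = 0; /* false */
 tmp_ext.cookie_plus = tmp_opt.cookie_plus;
 } else if (!tp->rx_opt.cookie_in_always) {
@@ -1341,6 +1317,7 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 }
 have_isn:
 tcp_rsk(req)->snt_isn = isn;
+tcp_rsk(req)->snt_synack = tcp_time_stamp;
 
 security_inet_conn_request(sk, skb, req);
 
@@ -1509,6 +1486,10 @@ static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 tcp_sync_mss(newsk, dst_mtu(dst));
 newtp->advmss = dst_metric_advmss(dst);
 tcp_initialize_rcv_mss(newsk);
+if (tcp_rsk(req)->snt_synack)
+tcp_valid_rtt_meas(newsk,
+tcp_time_stamp - tcp_rsk(req)->snt_synack);
+newtp->total_retrans = req->retrans;
 
 newinet->inet_daddr = newinet->inet_saddr = LOOPBACK4_IPV6;
 newinet->inet_rcv_saddr = LOOPBACK4_IPV6;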
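Review bot: The new check `if (tcp_rsk(req)->snt_synack)` in tcp_v6_syn_recv_sock (new lines 1489-1491) treats zero as "no send time recorded", but the only write visible on this page is the one added at `have_isn:` in tcp_v6_conn_request. A request_sock that reaches tcp_v6_syn_recv_sock without passing that label (presumably one rebuilt from a SYN cookie after the original request was dropped, which is not shown here) must have snt_synack explicitly zeroed where it is allocated, otherwise an uninitialised value feeds tcp_valid_rtt_meas(). I would document the sentinel next to the assignment, e.g. `/* 0 means no SYN-ACK timestamp; any other path that creates a request_sock must clear snt_synack */`, and confirm the cookie validation path does so. Both functions start and end outside their hunks.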
