a26552afe8
tcp_tw_recycle heavily relies on tcp timestamps to build a per-host ordering of incoming connections and teardowns without the need to hold state on a specific quadruple for TCP_TIMEWAIT_LEN, but only for the last measured RTO. To do so, we keep the last seen timestamp in a per-host indexed data structure and verify if the incoming timestamp in a connection request is strictly greater than the saved one during last connection teardown. Thus we can verify later on that no old data packets will be accepted by the new connection. During moving a socket to time-wait state we already verify if timestamps where seen on a connection. Only if that was the case we let the time-wait socket expire after the RTO, otherwise normal TCP_TIMEWAIT_LEN will be used. But we don't verify this on incoming SYN packets. If a connection teardown was less than TCP_PAWS_MSL seconds in the past we cannot guarantee to not accept data packets from an old connection if no timestamps are present. We should drop this SYN packet. This patch closes this loophole. Please note, this patch does not make tcp_tw_recycle in any way more usable but only adds another safety check: Sporadic drops of SYN packets because of reordering in the network or in the socket backlog queues can happen. Users behing NAT trying to connect to a tcp_tw_recycle enabled server can get caught in blackholes and their connection requests may regullary get dropped because hosts behind an address translator don't have synchronized tcp timestamp clocks. tcp_tw_recycle cannot work if peers don't have tcp timestamps enabled. In general, use of tcp_tw_recycle is disadvised. Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: Florian Westphal <fw@strlen.de> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| 9p | ||
| bluetooth | ||
| caif | ||
| irda | ||
| iucv | ||
| netfilter | ||
| netns | ||
| nfc | ||
| phonet | ||
| sctp | ||
| tc_act | ||
| 6lowpan.h | ||
| act_api.h | ||
| addrconf.h | ||
| af_ieee802154.h | ||
| af_rxrpc.h | ||
| af_unix.h | ||
| af_vsock.h | ||
| ah.h | ||
| arp.h | ||
| atmclip.h | ||
| ax25.h | ||
| ax88796.h | ||
| busy_poll.h | ||
| cfg80211-wext.h | ||
| cfg80211.h | ||
| checksum.h | ||
| cipso_ipv4.h | ||
| cls_cgroup.h | ||
| codel.h | ||
| compat.h | ||
| datalink.h | ||
| dcbevent.h | ||
| dcbnl.h | ||
| dn_dev.h | ||
| dn_fib.h | ||
| dn_neigh.h | ||
| dn_nsp.h | ||
| dn_route.h | ||
| dn.h | ||
| dsa.h | ||
| dsfield.h | ||
| dst_ops.h | ||
| dst.h | ||
| esp.h | ||
| ethoc.h | ||
| fib_rules.h | ||
| firewire.h | ||
| flow_keys.h | ||
| flow.h | ||
| flowcache.h | ||
| garp.h | ||
| gen_stats.h | ||
| genetlink.h | ||
| gre.h | ||
| gro_cells.h | ||
| icmp.h | ||
| ieee80211_radiotap.h | ||
| ieee802154_netdev.h | ||
| ieee802154.h | ||
| if_inet6.h | ||
| inet6_connection_sock.h | ||
| inet6_hashtables.h | ||
| inet_common.h | ||
| inet_connection_sock.h | ||
| inet_ecn.h | ||
| inet_frag.h | ||
| inet_hashtables.h | ||
| inet_sock.h | ||
| inet_timewait_sock.h | ||
| inetpeer.h | ||
| ip6_checksum.h | ||
| ip6_fib.h | ||
| ip6_route.h | ||
| ip6_tunnel.h | ||
| ip_fib.h | ||
| ip_tunnels.h | ||
| ip_vs.h | ||
| ip.h | ||
| ipcomp.h | ||
| ipconfig.h | ||
| ipv6.h | ||
| ipx.h | ||
| iw_handler.h | ||
| lapb.h | ||
| lib80211.h | ||
| llc_c_ac.h | ||
| llc_c_ev.h | ||
| llc_c_st.h | ||
| llc_conn.h | ||
| llc_if.h | ||
| llc_pdu.h | ||
| llc_s_ac.h | ||
| llc_s_ev.h | ||
| llc_s_st.h | ||
| llc_sap.h | ||
| llc.h | ||
| mac80211.h | ||
| mac802154.h | ||
| mip6.h | ||
| mld.h | ||
| mrp.h | ||
| ndisc.h | ||
| neighbour.h | ||
| net_namespace.h | ||
| net_ratelimit.h | ||
| netdma.h | ||
| netevent.h | ||
| netlabel.h | ||
| netlink.h | ||
| netprio_cgroup.h | ||
| netrom.h | ||
| nexthop.h | ||
| nl802154.h | ||
| p8022.h | ||
| ping.h | ||
| pkt_cls.h | ||
| pkt_sched.h | ||
| protocol.h | ||
| psnap.h | ||
| raw.h | ||
| rawv6.h | ||
| red.h | ||
| regulatory.h | ||
| request_sock.h | ||
| rose.h | ||
| route.h | ||
| rtnetlink.h | ||
| sch_generic.h | ||
| scm.h | ||
| secure_seq.h | ||
| slhc_vj.h | ||
| snmp.h | ||
| sock.h | ||
| Space.h | ||
| stp.h | ||
| tcp_memcontrol.h | ||
| tcp_states.h | ||
| tcp.h | ||
| timewait_sock.h | ||
| transp_v6.h | ||
| tso.h | ||
| udp_tunnel.h | ||
| udp.h | ||
| udplite.h | ||
| vsock_addr.h | ||
| vxlan.h | ||
| wext.h | ||
| wimax.h | ||
| wpan-phy.h | ||
| x25.h | ||
| x25device.h | ||
| xfrm.h | ||