syncookies: only increment SYNCOOKIESFAILED on validation error
Only count packets that failed cookie-authentication. We can get SYNCOOKIESFAILED > 0 while we never even sent a single cookie. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
f5fbf11569
commit
646697b9e3
@ -275,8 +275,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
|
||||
if (!sysctl_tcp_syncookies || !th->ack || th->rst)
|
||||
goto out;
|
||||
|
||||
if (tcp_synq_no_recent_overflow(sk) ||
|
||||
(mss = __cookie_v4_check(ip_hdr(skb), th, cookie)) == 0) {
|
||||
if (tcp_synq_no_recent_overflow(sk))
|
||||
goto out;
|
||||
|
||||
mss = __cookie_v4_check(ip_hdr(skb), th, cookie);
|
||||
if (mss == 0) {
|
||||
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED);
|
||||
goto out;
|
||||
}
|
||||
|
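Review bot: The new early `goto out` after `if (tcp_synq_no_recent_overflow(sk))` in cookie_v4_check has no comment saying why that path is deliberately left uncounted, and the same applies to the identical change in cookie_v6_check. After the split, ACKs that arrive when no recent overflow was recorded leave this path without touching any counter visible in the hunk, so anyone reading LINUX_MIB_SYNCOOKIESFAILED as a flood or spoofing signal should know it now reflects only cookies rejected by `__cookie_v4_check` / `__cookie_v6_check`. I would put a comment above the first test, for example `/* no recent listen-queue overflow, so no cookie should be outstanding: not a validation failure, do not count it */`. Both function bodies start and end outside the hunks, so whether the `out:` path accounts for these packets somewhere else cannot be seen from here.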
@ -171,8 +171,11 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
|
||||
if (!sysctl_tcp_syncookies || !th->ack || th->rst)
|
||||
goto out;
|
||||
|
||||
if (tcp_synq_no_recent_overflow(sk) ||
|
||||
(mss = __cookie_v6_check(ipv6_hdr(skb), th, cookie)) == 0) {
|
||||
if (tcp_synq_no_recent_overflow(sk))
|
||||
goto out;
|
||||
|
||||
mss = __cookie_v6_check(ipv6_hdr(skb), th, cookie);
|
||||
if (mss == 0) {
|
||||
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED);
|
||||
goto out;
|
||||
}
|
||||
|