linux/include/net
Hannes Frederic Sowa a26552afe8 tcp: don't allow syn packets without timestamps to pass tcp_tw_recycle logic
tcp_tw_recycle heavily relies on tcp timestamps to build a per-host
ordering of incoming connections and teardowns without the need to
hold state on a specific quadruple for TCP_TIMEWAIT_LEN, but only for
the last measured RTO. To do so, we keep the last seen timestamp in a
per-host indexed data structure and verify if the incoming timestamp
in a connection request is strictly greater than the saved one during
last connection teardown. Thus we can verify later on that no old data
packets will be accepted by the new connection.

During moving a socket to time-wait state we already verify if timestamps
where seen on a connection. Only if that was the case we let the
time-wait socket expire after the RTO, otherwise normal TCP_TIMEWAIT_LEN
will be used. But we don't verify this on incoming SYN packets. If a
connection teardown was less than TCP_PAWS_MSL seconds in the past we
cannot guarantee to not accept data packets from an old connection if
no timestamps are present. We should drop this SYN packet. This patch
closes this loophole.

Please note, this patch does not make tcp_tw_recycle in any way more
usable but only adds another safety check:
Sporadic drops of SYN packets because of reordering in the network or
in the socket backlog queues can happen. Users behing NAT trying to
connect to a tcp_tw_recycle enabled server can get caught in blackholes
and their connection requests may regullary get dropped because hosts
behind an address translator don't have synchronized tcp timestamp clocks.
tcp_tw_recycle cannot work if peers don't have tcp timestamps enabled.

In general, use of tcp_tw_recycle is disadvised.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-08-14 14:38:54 -07:00
..
9p 9pnet: p9_client->conn field is unused. Remove it. 2014-03-25 16:38:16 -05:00
bluetooth Bluetooth: Rename pairable mgmt setting to bondable 2014-07-30 19:28:41 +02:00
caif caif_hsi.h: Remove extern from function prototypes 2013-09-23 16:29:41 -04:00
irda include/net/: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
iucv af_iucv: fix recvmsg by replacing skb_pull() function 2013-04-08 17:16:57 -04:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-07-22 00:44:59 -07:00
netns netfilter: kill remnants of ulog targets 2014-07-25 14:55:44 +02:00
nfc NFC: digital: Add 'tg_listen_md' and 'tg_get_rf_tech' driver hooks 2014-07-23 01:17:31 +02:00
phonet
sctp sctp: Fixup v4mapped behaviour to comply with Sock API 2014-07-31 21:49:06 -07:00
tc_act net_sched: act: hide struct tcf_common from API 2014-02-12 19:23:32 -05:00
6lowpan.h 6lowpan: remove unused function 2014-07-30 19:28:41 +02:00
act_api.h net_sched: act: refuse to remove bound action outside 2014-02-12 19:23:32 -05:00
addrconf.h net: ipv6: Introduce ip6_sk_dst_hoplimit. 2014-04-30 13:31:26 -04:00
af_ieee802154.h ieee802154: add dgram sockopts for security control 2014-05-16 17:23:41 -04:00
af_rxrpc.h af_rxrpc.h: Remove extern from function prototypes 2013-07-31 17:50:01 -07:00
af_unix.h af_unix: improve STREAM behavior with fragmented memory 2013-08-10 01:16:44 -07:00
af_vsock.h vsock: Make transport the proto owner 2014-05-05 13:13:50 -04:00
ah.h
arp.h arp: make arp_invalidate static 2013-12-28 17:02:46 -05:00
atmclip.h
ax25.h ax25.h: Remove extern from function prototypes 2013-07-31 17:50:02 -07:00
ax88796.h
busy_poll.h sched, net: Fixup busy_loop_us_clock() 2014-01-13 17:39:11 +01:00
cfg80211-wext.h
cfg80211.h cfg80211: remove channel_switch combination check 2014-06-25 18:06:20 +02:00
checksum.h net: Allow csum_add to be provided in arch 2014-05-05 15:26:29 -04:00
cipso_ipv4.h cipso: cleanup cipso_v4_translate() when !CONFIG_NETLABEL 2013-12-10 17:56:54 -05:00
cls_cgroup.h cgroup: clean up cgroup_subsys names and initialization 2014-02-08 10:36:58 -05:00
codel.h net: introduce reciprocal_scale helper and convert users 2014-01-21 23:17:20 -08:00
compat.h compat.h: Remove extern from function prototypes 2013-09-20 14:49:32 -04:00
datalink.h net: Move prototype declaration to header file include/net/datalink.h from net/ipx/af_ipx.c 2014-02-09 17:32:50 -08:00
dcbevent.h include/net/: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
dcbnl.h Update setapp/getapp prototypes in dcbnl_rtnl_ops to return int instead of u8 2014-07-17 16:02:29 -07:00
dn_dev.h dn_dev: add support for IFA_FLAGS nl attribute 2013-12-10 21:50:00 -05:00
dn_fib.h decnet (dn*.h): Remove extern from function prototypes 2013-09-20 14:49:32 -04:00
dn_neigh.h decnet (dn*.h): Remove extern from function prototypes 2013-09-20 14:49:32 -04:00
dn_nsp.h decnet (dn*.h): Remove extern from function prototypes 2013-09-20 14:49:32 -04:00
dn_route.h net: Move prototype declaration to appropriate header file from decnet/af_decnet.c 2014-02-09 17:32:49 -08:00
dn.h net: Move prototype declaration to header file include/net/dn.h from net/decnet/af_decnet.c 2014-02-09 17:32:49 -08:00
dsa.h net: dsa: add ds_to_priv 2014-04-30 13:31:25 -04:00
dsfield.h
dst_ops.h
dst.h ipv4: add a sock pointer to dst->output() path. 2014-04-15 13:47:15 -04:00
esp.h net: move pskb_put() to core code 2013-11-07 19:28:58 -05:00
ethoc.h net: ethoc: set up MII management bus clock 2014-02-04 20:19:51 -08:00
fib_rules.h fib_rules.h: Remove extern from function prototypes 2013-09-20 14:49:33 -04:00
firewire.h firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection. 2013-03-26 12:32:13 -04:00
flow_keys.h flow_dissector: Abstract out hash computation 2014-07-07 21:14:20 -07:00
flow.h ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif 2014-04-16 15:05:11 -04:00
flowcache.h flowcache: Make flow cache name space aware 2014-02-12 07:02:11 +01:00
garp.h garp.h: Remove extern from function prototypes 2013-09-20 14:49:33 -04:00
gen_stats.h gen_stats.h: Remove extern from function prototypes 2013-09-20 14:49:33 -04:00
genetlink.h genl: Add genlmsg_new_unicast() for unicast message allocation 2014-01-06 15:51:53 -08:00
gre.h gre: Call gso_make_checksum 2014-06-04 22:46:38 -07:00
gro_cells.h
icmp.h icmp.h: Remove extern from function prototypes 2013-09-20 14:49:33 -04:00
ieee80211_radiotap.h mac80211: propagate STBC / LDPC flags to radiotap 2014-02-06 09:34:58 +01:00
ieee802154_netdev.h ieee802154, mac802154: implement devkey record option 2014-05-16 17:23:42 -04:00
ieee802154.h ieee802154: add definitions for link-layer security and header functions 2014-05-15 15:51:42 -04:00
if_inet6.h ipv6: addrconf: implement address generation modes 2014-07-11 15:05:45 -07:00
inet6_connection_sock.h ipv4: add a sock pointer to ip_queue_xmit() 2014-04-15 12:58:34 -04:00
inet6_hashtables.h ipv6: split inet6_ehashfn to hash functions per compilation unit 2013-10-19 19:45:34 -04:00
inet_common.h inet*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
inet_connection_sock.h tcp: fix tcp_release_cb() to dispatch via address family for mtu_reduced() 2014-08-14 14:38:54 -07:00
inet_ecn.h tunnel: fix RFC number in comment for INET_ECN_decapsulate() 2014-05-07 15:30:52 -04:00
inet_frag.h inet: frags: use kmem_cache for inet_frag_queue 2014-08-02 15:31:31 -07:00
inet_hashtables.h net: Use a more standard macro for INET_ADDR_COOKIE 2014-05-14 16:07:23 -04:00
inet_sock.h net: remove inet6_reqsk_alloc 2014-06-27 15:53:35 -07:00
inet_timewait_sock.h inet: move ipv6only in sock_common 2014-07-01 23:46:21 -07:00
inetpeer.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-06-03 23:32:12 -07:00
ip6_checksum.h udp: Generic functions to set checksum 2014-06-04 22:46:38 -07:00
ip6_fib.h ipv6: do not overwrite inetpeer metrics prematurely 2014-03-27 15:09:07 -04:00
ip6_route.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-05-24 00:32:30 -04:00
ip6_tunnel.h net: unify the pcpu_tstats and br_cpu_netstats as one 2014-01-04 20:10:24 -05:00
ip_fib.h ip*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
ip_tunnels.h ip_tunnel(ipv4): fix tunnels with "local any remote $remote_ip" 2014-07-30 15:18:58 -07:00
ip_vs.h arch: Mass conversion of smp_mb__*() 2014-04-18 14:20:48 +02:00
ip.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-07-30 13:25:49 -07:00
ipcomp.h
ipconfig.h
ipv6.h inet: frag: don't account number of fragment queues 2014-07-27 22:34:36 -07:00
ipx.h net: Move prototype declaration to header file include/net/ipx.h from net/ipx/af_ipx.c 2014-02-09 17:32:50 -08:00
iw_handler.h iw_handler.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
lapb.h lapb.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
lib80211.h hostap: Don't use create_proc_read_entry() 2013-04-29 15:41:56 -04:00
llc_c_ac.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_c_ev.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_c_st.h
llc_conn.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_if.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_pdu.h net: llc: fix order of evaluation in llc_conn_ac_inc_vr_by_1 2014-01-01 22:22:43 -05:00
llc_s_ac.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_s_ev.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_s_st.h
llc_sap.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc.h llc: make lock static 2014-01-03 20:56:48 -05:00
mac80211.h mac80211: add support for Rx reordering offloading 2014-07-21 17:42:07 +02:00
mac802154.h mac802154: at86rf230: add hw flags and merge ops 2014-07-07 21:29:24 -07:00
mip6.h include/net/: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
mld.h net: ipv6: mld: get rid of MLDV2_MRC and simplify calculation 2013-09-04 14:53:20 -04:00
mrp.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-10-01 17:06:14 -04:00
ndisc.h ndisc.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
neighbour.h neigh: sysctl - simplify address calculation of gc_* variables 2014-07-14 14:32:51 -07:00
net_namespace.h 6lowpan: nuke net_ieee802154_lowpan() accessor when 6lowpan is disabled 2014-04-24 12:36:00 -04:00
net_ratelimit.h
netdma.h
netevent.h netevent/netlink.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
netlabel.h netlabel: fix the netlbl_catmap_setlong() dummy function 2014-08-07 20:55:21 -04:00
netlink.h netlink: Fix shadow warning on jiffies 2014-07-28 17:20:43 -07:00
netprio_cgroup.h cgroup: clean up cgroup_subsys names and initialization 2014-02-08 10:36:58 -05:00
netrom.h netrom.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
nexthop.h
nl802154.h ieee802154: use ieee802154_addr instead of *_sa variants 2014-03-14 22:15:26 -04:00
p8022.h p8022.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
ping.h ipv6: make IPV6_RECVPKTINFO work for ipv4 datagrams 2014-01-19 19:53:18 -08:00
pkt_cls.h sched, cls: check if we could overwrite actions when changing a filter 2014-04-27 23:42:39 -04:00
pkt_sched.h net_sched: drr: warn when qdisc is not work conserving 2014-06-11 15:50:59 -07:00
protocol.h net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
psnap.h psnap.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
raw.h raw/rawv6.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
rawv6.h raw/rawv6.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
red.h reciprocal_divide: update/correction of the algorithm 2014-01-21 23:17:20 -08:00
regulatory.h cfg80211: Enable GO operation on additional channels 2014-04-09 10:55:34 +02:00
request_sock.h inet: includes a sock_common in request_sock 2013-10-10 00:08:07 -04:00
rose.h rose.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
route.h ipv4: remove ip_rt_dump from route.c 2014-03-24 12:45:01 -04:00
rtnetlink.h net: rtnetlink - make create_link take name_assign_type 2014-07-15 16:13:07 -07:00
sch_generic.h flow_keys: Record IP layer protocol in skb_flow_dissect() 2014-06-23 14:32:19 -07:00
scm.h scm.h: Remove extern from function prototypes 2013-09-23 01:51:09 -04:00
secure_seq.h inetpeer: get rid of ip_id_count 2014-06-02 11:00:41 -07:00
slhc_vj.h
snmp.h net: clean up snmp stats code 2014-05-07 16:06:05 -04:00
sock.h tcp: fix tcp_release_cb() to dispatch via address family for mtu_reduced() 2014-08-14 14:38:54 -07:00
Space.h drivers: net: Include new header file in sbni.c 2013-12-19 18:51:20 -05:00
stp.h stp.h: Remove extern from function prototypes 2013-09-23 01:51:09 -04:00
tcp_memcontrol.h tcp_memcontrol: Kill struct tcp_memcontrol 2013-10-21 18:43:02 -04:00
tcp_states.h
tcp.h tcp: don't allow syn packets without timestamps to pass tcp_tw_recycle logic 2014-08-14 14:38:54 -07:00
timewait_sock.h
transp_v6.h ipv6: make IPV6_RECVPKTINFO work for ipv4 datagrams 2014-01-19 19:53:18 -08:00
tso.h net: Add a software TSO helper API 2014-05-22 14:57:15 -04:00
udp_tunnel.h udp: Add udp_sock_create for UDP tunnels to open listener socket 2014-07-14 16:12:15 -07:00
udp.h udp: Add function to make source port for UDP tunnels 2014-07-07 21:14:21 -07:00
udplite.h udplite.h: Remove extern from function prototypes 2013-09-23 16:29:40 -04:00
vsock_addr.h VSOCK: Move af_vsock.h and vsock_addr.h to include/net 2013-07-27 22:14:06 -07:00
vxlan.h vxlan: Call udp_flow_src_port 2014-07-07 21:14:21 -07:00
wext.h wext.h: Remove extern from function prototypes 2013-09-23 16:29:40 -04:00
wimax.h wimax: Spelling s/than/that/, wording s/destinatary/recipient/ 2014-05-05 15:37:55 +02:00
wpan-phy.h ieee802154: add netlink APIs for smartMAC configuration 2014-02-17 16:42:39 -05:00
x25.h x25.h: Remove extern from function prototypes 2013-09-23 16:29:41 -04:00
x25device.h
xfrm.h xfrm: Remove useless xfrm_audit struct. 2014-04-23 08:21:04 +02:00