* [PATCH net-next] tcp: syncookies: extend validity range
@ 2015-05-14 21:26 Eric Dumazet
2015-05-14 21:45 ` Florian Westphal
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Eric Dumazet @ 2015-05-14 21:26 UTC (permalink / raw)
To: David Miller; +Cc: netdev, Florian Westphal, Neal Cardwell, Yuchung Cheng
From: Eric Dumazet <edumazet@google.com>
Now we allow storing more request socks per listener, we might
hit syncookie mode less often and hit following bug in our stack :
When we send a burst of syncookies, then exit this mode,
tcp_synq_no_recent_overflow() can return false if the ACK packets coming
from clients are coming three seconds after the end of syncookie
episode.
This is a way too strong requirement and conflicts with rest of
syncookie code which allows ACK to be aged up to 2 minutes.
Perfectly valid ACK packets are dropped just because clients might be
in a crowded wifi environment or on another planet.
So let's fix this, and also change tcp_synq_overflow() to not
dirty a cache line for every syncookie we send, as we are under attack.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
As this is an old bug, I chose net-next tree.
include/net/tcp.h | 38 ++++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 14 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index b8ea12880fd9..7ace6acbf5fd 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -326,18 +326,6 @@ static inline bool tcp_too_many_orphans(struct sock *sk, int shift)
bool tcp_check_oom(struct sock *sk, int shift);
-/* syncookies: remember time of last synqueue overflow */
-static inline void tcp_synq_overflow(struct sock *sk)
-{
- tcp_sk(sk)->rx_opt.ts_recent_stamp = jiffies;
-}
-
-/* syncookies: no recent synqueue overflow on this listening socket? */
-static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
-{
- unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
- return time_after(jiffies, last_overflow + TCP_TIMEOUT_FALLBACK);
-}
extern struct proto tcp_prot;
@@ -483,13 +471,35 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb);
* i.e. a sent cookie is valid only at most for 2*60 seconds (or less if
* the counter advances immediately after a cookie is generated).
*/
-#define MAX_SYNCOOKIE_AGE 2
+#define MAX_SYNCOOKIE_AGE 2
+#define TCP_SYNCOOKIE_PERIOD (60 * HZ)
+#define TCP_SYNCOOKIE_VALID (MAX_SYNCOOKIE_AGE * TCP_SYNCOOKIE_PERIOD)
+
+/* syncookies: remember time of last synqueue overflow
+ * But do not dirty this field too often (once per second is enough)
+ */
+static inline void tcp_synq_overflow(struct sock *sk)
+{
+ unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+ unsigned long now = jiffies;
+
+ if (time_after(now, last_overflow + HZ))
+ tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
+}
+
+/* syncookies: no recent synqueue overflow on this listening socket? */
+static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
+{
+ unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
+
+ return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);
+}
static inline u32 tcp_cookie_time(void)
{
u64 val = get_jiffies_64();
- do_div(val, 60 * HZ);
+ do_div(val, TCP_SYNCOOKIE_PERIOD);
return val;
}
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] tcp: syncookies: extend validity range
2015-05-14 21:26 [PATCH net-next] tcp: syncookies: extend validity range Eric Dumazet
@ 2015-05-14 21:45 ` Florian Westphal
2015-05-15 0:12 ` Yuchung Cheng
2015-05-15 2:33 ` David Miller
2 siblings, 0 replies; 4+ messages in thread
From: Florian Westphal @ 2015-05-14 21:45 UTC (permalink / raw)
To: Eric Dumazet
Cc: David Miller, netdev, Florian Westphal, Neal Cardwell, Yuchung Cheng
Eric Dumazet <eric.dumazet@gmail.com> wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> Now we allow storing more request socks per listener, we might
> hit syncookie mode less often and hit following bug in our stack :
>
> When we send a burst of syncookies, then exit this mode,
> tcp_synq_no_recent_overflow() can return false if the ACK packets coming
> from clients are coming three seconds after the end of syncookie
> episode.
Heh. Indeed. This dates back to original from 1997...
> This is a way too strong requirement and conflicts with rest of
> syncookie code which allows ACK to be aged up to 2 minutes.
>
> Perfectly valid ACK packets are dropped just because clients might be
> in a crowded wifi environment or on another planet.
>
> So let's fix this, and also change tcp_synq_overflow() to not
> dirty a cache line for every syncookie we send, as we are under attack.
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> ---
> As this is an old bug, I chose net-next tree.
Looks great, thanks Eric!
Acked-by: Florian Westphal <fw@strlen.de>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] tcp: syncookies: extend validity range
2015-05-14 21:26 [PATCH net-next] tcp: syncookies: extend validity range Eric Dumazet
2015-05-14 21:45 ` Florian Westphal
@ 2015-05-15 0:12 ` Yuchung Cheng
2015-05-15 2:33 ` David Miller
2 siblings, 0 replies; 4+ messages in thread
From: Yuchung Cheng @ 2015-05-15 0:12 UTC (permalink / raw)
To: Eric Dumazet; +Cc: David Miller, netdev, Florian Westphal, Neal Cardwell
On Thu, May 14, 2015 at 2:26 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> From: Eric Dumazet <edumazet@google.com>
>
> Now we allow storing more request socks per listener, we might
> hit syncookie mode less often and hit following bug in our stack :
>
> When we send a burst of syncookies, then exit this mode,
> tcp_synq_no_recent_overflow() can return false if the ACK packets coming
> from clients are coming three seconds after the end of syncookie
> episode.
>
> This is a way too strong requirement and conflicts with rest of
> syncookie code which allows ACK to be aged up to 2 minutes.
>
> Perfectly valid ACK packets are dropped just because clients might be
> in a crowded wifi environment or on another planet.
>
> So let's fix this, and also change tcp_synq_overflow() to not
> dirty a cache line for every syncookie we send, as we are under attack.
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Hopefully this reduces phony LINUX_MIB_SYNCOOKIESFAILED counts!
> ---
> As this is an old bug, I chose net-next tree.
>
> include/net/tcp.h | 38 ++++++++++++++++++++++++--------------
> 1 file changed, 24 insertions(+), 14 deletions(-)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index b8ea12880fd9..7ace6acbf5fd 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -326,18 +326,6 @@ static inline bool tcp_too_many_orphans(struct sock *sk, int shift)
>
> bool tcp_check_oom(struct sock *sk, int shift);
>
> -/* syncookies: remember time of last synqueue overflow */
> -static inline void tcp_synq_overflow(struct sock *sk)
> -{
> - tcp_sk(sk)->rx_opt.ts_recent_stamp = jiffies;
> -}
> -
> -/* syncookies: no recent synqueue overflow on this listening socket? */
> -static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
> -{
> - unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
> - return time_after(jiffies, last_overflow + TCP_TIMEOUT_FALLBACK);
> -}
>
> extern struct proto tcp_prot;
>
> @@ -483,13 +471,35 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb);
> * i.e. a sent cookie is valid only at most for 2*60 seconds (or less if
> * the counter advances immediately after a cookie is generated).
> */
> -#define MAX_SYNCOOKIE_AGE 2
> +#define MAX_SYNCOOKIE_AGE 2
> +#define TCP_SYNCOOKIE_PERIOD (60 * HZ)
> +#define TCP_SYNCOOKIE_VALID (MAX_SYNCOOKIE_AGE * TCP_SYNCOOKIE_PERIOD)
> +
> +/* syncookies: remember time of last synqueue overflow
> + * But do not dirty this field too often (once per second is enough)
> + */
> +static inline void tcp_synq_overflow(struct sock *sk)
> +{
> + unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
> + unsigned long now = jiffies;
> +
> + if (time_after(now, last_overflow + HZ))
> + tcp_sk(sk)->rx_opt.ts_recent_stamp = now;
> +}
> +
> +/* syncookies: no recent synqueue overflow on this listening socket? */
> +static inline bool tcp_synq_no_recent_overflow(const struct sock *sk)
> +{
> + unsigned long last_overflow = tcp_sk(sk)->rx_opt.ts_recent_stamp;
> +
> + return time_after(jiffies, last_overflow + TCP_SYNCOOKIE_VALID);
> +}
>
> static inline u32 tcp_cookie_time(void)
> {
> u64 val = get_jiffies_64();
>
> - do_div(val, 60 * HZ);
> + do_div(val, TCP_SYNCOOKIE_PERIOD);
> return val;
> }
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net-next] tcp: syncookies: extend validity range
2015-05-14 21:26 [PATCH net-next] tcp: syncookies: extend validity range Eric Dumazet
2015-05-14 21:45 ` Florian Westphal
2015-05-15 0:12 ` Yuchung Cheng
@ 2015-05-15 2:33 ` David Miller
2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2015-05-15 2:33 UTC (permalink / raw)
To: eric.dumazet; +Cc: netdev, fw, ncardwell, ycheng
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 14 May 2015 14:26:56 -0700
> From: Eric Dumazet <edumazet@google.com>
>
> Now we allow storing more request socks per listener, we might
> hit syncookie mode less often and hit following bug in our stack :
>
> When we send a burst of syncookies, then exit this mode,
> tcp_synq_no_recent_overflow() can return false if the ACK packets coming
> from clients are coming three seconds after the end of syncookie
> episode.
>
> This is a way too strong requirement and conflicts with rest of
> syncookie code which allows ACK to be aged up to 2 minutes.
>
> Perfectly valid ACK packets are dropped just because clients might be
> in a crowded wifi environment or on another planet.
>
> So let's fix this, and also change tcp_synq_overflow() to not
> dirty a cache line for every syncookie we send, as we are under attack.
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
Applied, thanks.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-05-15 2:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-14 21:26 [PATCH net-next] tcp: syncookies: extend validity range Eric Dumazet
2015-05-14 21:45 ` Florian Westphal
2015-05-15 0:12 ` Yuchung Cheng
2015-05-15 2:33 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.