Commit 646697b9 authored by Florian Westphal's avatar Florian Westphal Committed by David S. Miller

syncookies: only increment SYNCOOKIESFAILED on validation error

Only count packets that failed cookie-authentication.
We can get SYNCOOKIESFAILED > 0 while we never even sent a single cookie.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent f5fbf115
...@@ -275,8 +275,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) ...@@ -275,8 +275,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
if (!sysctl_tcp_syncookies || !th->ack || th->rst) if (!sysctl_tcp_syncookies || !th->ack || th->rst)
goto out; goto out;
if (tcp_synq_no_recent_overflow(sk) || if (tcp_synq_no_recent_overflow(sk))
(mss = __cookie_v4_check(ip_hdr(skb), th, cookie)) == 0) { goto out;
mss = __cookie_v4_check(ip_hdr(skb), th, cookie);
if (mss == 0) {
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED); NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED);
goto out; goto out;
} }
......
...@@ -171,8 +171,11 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) ...@@ -171,8 +171,11 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
if (!sysctl_tcp_syncookies || !th->ack || th->rst) if (!sysctl_tcp_syncookies || !th->ack || th->rst)
goto out; goto out;
if (tcp_synq_no_recent_overflow(sk) || if (tcp_synq_no_recent_overflow(sk))
(mss = __cookie_v6_check(ipv6_hdr(skb), th, cookie)) == 0) { goto out;
mss = __cookie_v6_check(ipv6_hdr(skb), th, cookie);
if (mss == 0) {
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED); NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED);
goto out; goto out;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment