Commit 5ad37d5d authored by Hannes Frederic Sowa's avatar Hannes Frederic Sowa Committed by David S. Miller

tcp: add tcp_syncookies mode to allow unconditionally generation of syncookies

| If you want to test which effects syncookies have to your
| network connections you can set this knob to 2 to enable
| unconditionally generation of syncookies.

Original idea and first implementation by Eric Dumazet.

Cc: Florian Westphal <fw@strlen.de>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent dcfd8d58
...@@ -440,6 +440,10 @@ tcp_syncookies - BOOLEAN ...@@ -440,6 +440,10 @@ tcp_syncookies - BOOLEAN
SYN flood warnings in logs not being really flooded, your server SYN flood warnings in logs not being really flooded, your server
is seriously misconfigured. is seriously misconfigured.
If you want to test which effects syncookies have to your
network connections you can set this knob to 2 to enable
unconditionally generation of syncookies.
tcp_fastopen - INTEGER tcp_fastopen - INTEGER
Enable TCP Fast Open feature (draft-ietf-tcpm-fastopen) to send data Enable TCP Fast Open feature (draft-ietf-tcpm-fastopen) to send data
in the opening SYN packet. To use this feature, the client application in the opening SYN packet. To use this feature, the client application
......
...@@ -890,7 +890,7 @@ bool tcp_syn_flood_action(struct sock *sk, ...@@ -890,7 +890,7 @@ bool tcp_syn_flood_action(struct sock *sk,
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP); NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);
lopt = inet_csk(sk)->icsk_accept_queue.listen_opt; lopt = inet_csk(sk)->icsk_accept_queue.listen_opt;
if (!lopt->synflood_warned) { if (!lopt->synflood_warned && sysctl_tcp_syncookies != 2) {
lopt->synflood_warned = 1; lopt->synflood_warned = 1;
pr_info("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n", pr_info("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n",
proto, ntohs(tcp_hdr(skb)->dest), msg); proto, ntohs(tcp_hdr(skb)->dest), msg);
...@@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb) ...@@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
* limitations, they conserve resources and peer is * limitations, they conserve resources and peer is
* evidently real one. * evidently real one.
*/ */
if (inet_csk_reqsk_queue_is_full(sk) && !isn) { if ((sysctl_tcp_syncookies == 2 ||
inet_csk_reqsk_queue_is_full(sk)) && !isn) {
want_cookie = tcp_syn_flood_action(sk, skb, "TCP"); want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
if (!want_cookie) if (!want_cookie)
goto drop; goto drop;
......
...@@ -963,7 +963,8 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb) ...@@ -963,7 +963,8 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
if (!ipv6_unicast_destination(skb)) if (!ipv6_unicast_destination(skb))
goto drop; goto drop;
if (inet_csk_reqsk_queue_is_full(sk) && !isn) { if ((sysctl_tcp_syncookies == 2 ||
inet_csk_reqsk_queue_is_full(sk)) && !isn) {
want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6"); want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6");
if (!want_cookie) if (!want_cookie)
goto drop; goto drop;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment