search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Import 2.3.16
[davej-history.git] / net / ipv4 / syncookies.c
blob086da77c29cd77e82a30cf51435f3663cae98885
1 /*
2 * Syncookies implementation for the Linux kernel
3 *
4 * Copyright (C) 1997 Andi Kleen
5 * Based on ideas by D.J.Bernstein and Eric Schenk.
6 *
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version
10 * 2 of the License, or (at your option) any later version.
11 *
12 * $Id: syncookies.c,v 1.9 1999/08/23 06:30:34 davem Exp $
13 *
14 * Missing: IPv6 support.
15 */
16
17 #include <linux/config.h>
18 #if defined(CONFIG_SYN_COOKIES)
19 #include <linux/tcp.h>
20 #include <linux/malloc.h>
21 #include <linux/random.h>
22 #include <net/tcp.h>
23
24 extern int sysctl_tcp_syncookies;
25
26 static unsigned long tcp_lastsynq_overflow;
27
28 /*
29 * This table has to be sorted and terminated with (__u16)-1.
30 * XXX generate a better table.
31 * Unresolved Issues: HIPPI with a 64k MSS is not well supported.
32 */
33 static __u16 const msstab[] = {
34 64-1,
35 256-1,
36 512-1,
37 536-1,
38 1024-1,
39 1440-1,
40 1460-1,
41 4312-1,
42 (__u16)-1
43 };
44 /* The number doesn't include the -1 terminator */
45 #define NUM_MSS (sizeof(msstab)/sizeof(msstab[0]) - 1)
46
47 /*
48 * Generate a syncookie. mssp points to the mss, which is returned
49 * rounded down to the value encoded in the cookie.
50 */
51 __u32 cookie_v4_init_sequence(struct sock *sk, struct sk_buff *skb,
52 __u16 *mssp)
53 {
54 int mssind;
55 const __u16 mss = *mssp;
56
57 tcp_lastsynq_overflow = jiffies;
58 /* XXX sort msstab[] by probability? Binary search? */
59 for (mssind = 0; mss > msstab[mssind+1]; mssind++)
60 ;
61 *mssp = msstab[mssind]+1;
62
63 net_statistics.SyncookiesSent++;
64
65 return secure_tcp_syn_cookie(skb->nh.iph->saddr, skb->nh.iph->daddr,
66 skb->h.th->source, skb->h.th->dest,
67 ntohl(skb->h.th->seq),
68 jiffies / (HZ*60), mssind);
69 }
70
71 /*
72 * This (misnamed) value is the age of syncookie which is permitted.
73 * Its ideal value should be dependent on TCP_TIMEOUT_INIT and
74 * sysctl_tcp_retries1. It's a rather complicated formula (exponential
75 * backoff) to compute at runtime so it's currently hardcoded here.
76 */
77 #define COUNTER_TRIES 4
78 /*
79 * Check if a ack sequence number is a valid syncookie.
80 * Return the decoded mss if it is, or 0 if not.
81 */
82 static inline int cookie_check(struct sk_buff *skb, __u32 cookie)
83 {
84 __u32 seq;
85 __u32 mssind;
86
87 if ((jiffies - tcp_lastsynq_overflow) > TCP_TIMEOUT_INIT)
88 return 0;
89
90 seq = ntohl(skb->h.th->seq)-1;
91 mssind = check_tcp_syn_cookie(cookie,
92 skb->nh.iph->saddr, skb->nh.iph->daddr,
93 skb->h.th->source, skb->h.th->dest,
94 seq, jiffies/(HZ*60), COUNTER_TRIES);
95
96 return mssind < NUM_MSS ? msstab[mssind]+1 : 0;
97 }
98
99 extern struct or_calltable or_ipv4;
100
101 static inline struct sock *
102 get_cookie_sock(struct sock *sk, struct sk_buff *skb, struct open_request *req,
103 struct dst_entry *dst)
104 {
105 struct tcp_opt *tp = &sk->tp_pinfo.af_tcp;
106
107 /* Oops! It was missing, syn_recv_sock decreases it. */
108 tp->syn_backlog++;
109
110 sk = tp->af_specific->syn_recv_sock(sk, skb, req, dst);
111 if (sk) {
112 req->sk = sk;
113
114 /* Queue up for accept() */
115 tcp_synq_queue(tp, req);
116 } else {
117 tp->syn_backlog--;
118 req->class->destructor(req);
119 tcp_openreq_free(req);
120 }
121 return sk;
122 }
123
124 struct sock *
125 cookie_v4_check(struct sock *sk, struct sk_buff *skb, struct ip_options *opt)
126 {
127 __u32 cookie = ntohl(skb->h.th->ack_seq)-1;
128 struct open_request *req;
129 int mss;
130 struct rtable *rt;
131 __u8 rcv_wscale;
132
133 if (!sysctl_tcp_syncookies)
134 return sk;
135 if (!skb->h.th->ack)
136 return sk;
137
138 mss = cookie_check(skb, cookie);
139 if (mss == 0) {
140 net_statistics.SyncookiesFailed++;
141 return sk;
142 }
143
144 net_statistics.SyncookiesRecv++;
145
146 req = tcp_openreq_alloc();
147 if (req == NULL)
148 return NULL;
149
150 req->rcv_isn = htonl(skb->h.th->seq)-1;
151 req->snt_isn = cookie;
152 req->mss = mss;
153 req->rmt_port = skb->h.th->source;
154 req->af.v4_req.loc_addr = skb->nh.iph->daddr;
155 req->af.v4_req.rmt_addr = skb->nh.iph->saddr;
156 req->class = &or_ipv4; /* for savety */
157
158 req->af.v4_req.opt = NULL;
159
160 /* We throwed the options of the initial SYN away, so we hope
161 * the ACK carries the same options again (see RFC1122 4.2.3.8)
162 */
163 if (opt && opt->optlen) {
164 int opt_size = sizeof(struct ip_options) + opt->optlen;
165
166 req->af.v4_req.opt = kmalloc(opt_size, GFP_ATOMIC);
167 if (req->af.v4_req.opt) {
168 if (ip_options_echo(req->af.v4_req.opt, skb)) {
169 kfree_s(req->af.v4_req.opt, opt_size);
170 req->af.v4_req.opt = NULL;
171 }
172 }
173 }
174
175 req->snd_wscale = req->rcv_wscale = req->tstamp_ok = 0;
176 req->wscale_ok = 0;
177 req->expires = 0UL;
178 req->retrans = 0;
179
180 /*
181 * We need to lookup the route here to get at the correct
182 * window size. We should better make sure that the window size
183 * hasn't changed since we received the original syn, but I see
184 * no easy way to do this.
185 */
186 if (ip_route_output(&rt,
187 opt &&
188 opt->srr ? opt->faddr : req->af.v4_req.rmt_addr,
189 req->af.v4_req.loc_addr,
190 sk->protinfo.af_inet.tos | RTO_CONN,
191 0)) {
192 tcp_openreq_free(req);
193 return NULL;
194 }
195
196 /* Try to redo what tcp_v4_send_synack did. */
197 req->window_clamp = rt->u.dst.window;
198 tcp_select_initial_window(tcp_full_space(sk),req->mss,
199 &req->rcv_wnd, &req->window_clamp,
200 0, &rcv_wscale);
201 req->rcv_wscale = rcv_wscale;
202
203 return get_cookie_sock(sk, skb, req, &rt->u.dst);
204 }
205
206 #endif
Copy of Dave Jones history.git as used by http://archive.org/details/git-history-of-linux