tcp: add tcp_syncookies mode to allow unconditionally generation of syncookies
| If you want to test which effects syncookies have to your | network connections you can set this knob to 2 to enable | unconditionally generation of syncookies. Original idea and first implementation by Eric Dumazet. Cc: Florian Westphal <fw@strlen.de> Cc: David Miller <davem@davemloft.net> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
parent
dcfd8d5830
commit
5ad37d5dee
@ -440,6 +440,10 @@ tcp_syncookies - BOOLEAN
|
||||
SYN flood warnings in logs not being really flooded, your server
|
||||
is seriously misconfigured.
|
||||
|
||||
If you want to test which effects syncookies have to your
|
||||
network connections you can set this knob to 2 to enable
|
||||
unconditionally generation of syncookies.
|
||||
|
||||
tcp_fastopen - INTEGER
|
||||
Enable TCP Fast Open feature (draft-ietf-tcpm-fastopen) to send data
|
||||
in the opening SYN packet. To use this feature, the client application
|
||||
|
@ -890,7 +890,7 @@ bool tcp_syn_flood_action(struct sock *sk,
|
||||
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);
|
||||
|
||||
lopt = inet_csk(sk)->icsk_accept_queue.listen_opt;
|
||||
if (!lopt->synflood_warned) {
|
||||
if (!lopt->synflood_warned && sysctl_tcp_syncookies != 2) {
|
||||
lopt->synflood_warned = 1;
|
||||
pr_info("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n",
|
||||
proto, ntohs(tcp_hdr(skb)->dest), msg);
|
||||
@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
|
||||
* limitations, they conserve resources and peer is
|
||||
* evidently real one.
|
||||
*/
|
||||
if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
|
||||
if ((sysctl_tcp_syncookies == 2 ||
|
||||
inet_csk_reqsk_queue_is_full(sk)) && !isn) {
|
||||
want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
|
||||
if (!want_cookie)
|
||||
goto drop;
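Review bot: With `sysctl_tcp_syncookies == 2` the new condition in tcp_v4_conn_request calls tcp_syn_flood_action() for every SYN instead of only when the request queue is full, and the changed test in tcp_syn_flood_action then suppresses the one-time "Possible SYN flooding" message, so a real flood leaves no log line in this mode. The statistics update above the changed `if` (only the TCPREQQFULLDROP line is visible in this hunk) presumably also runs per SYN now, which would make the queue-full counters unreliable as a flood indicator while mode 2 is set. I would add a comment at the check, e.g. `/* mode 2: cookies are sent for every SYN, so neither this message nor the ReqQFull counters indicate a flood */`, and state the same in the tcp_syncookies documentation entry, which is still headed BOOLEAN although it now accepts 2. The same condition is added in tcp_v6_conn_request further down; all three function bodies continue outside the hunks.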
|
||||
|
@ -963,7 +963,8 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
|
||||
if (!ipv6_unicast_destination(skb))
|
||||
goto drop;
|
||||
|
||||
if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
|
||||
if ((sysctl_tcp_syncookies == 2 ||
|
||||
inet_csk_reqsk_queue_is_full(sk)) && !isn) {
|
||||
want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6");
|
||||
if (!want_cookie)
|
||||
goto drop;
|
||||
|