git.baikalelectronics.ru Git - kernel.git/commit
tcp: make global challenge ack rate limitation per net-ns and default disabled
author: Eric Dumazet <edumazet@google.com>
Tue, 30 Aug 2022 18:56:56 +0000 (11:56 -0700)
committer: Jakub Kicinski <kuba@kernel.org>
Thu, 1 Sep 2022 02:56:48 +0000 (19:56 -0700)
commit: 53e8367ab644c10c454851282da65cf63a44eeb4
tree: 639b61f605e41a495d774f43c4e3062296bd3836
parent: 7578a0aa49ced90deddcd75d939367f93ce4975a
tcp: make global challenge ack rate limitation per net-ns and default disabled

Because per host rate limiting has been proven problematic (side channel
attacks can be based on it), per host rate limiting of challenge acks ideally
should be per netns and turned off by default.

This is a long-due follow-up of the following commits:

c561c04d2c86 ("tcp: enable per-socket rate limiting of all 'challenge acks'")
576b7f612fc8 ("tcp: mitigate ACK loops for connections as tcp_sock")
bd66127128a4 ("tcp: make challenge acks less predictable")

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jason Baron <jbaron@akamai.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Files changed:

Documentation/networking/ip-sysctl.rst
include/net/netns/ipv4.h
net/ipv4/tcp_input.c
net/ipv4/tcp_ipv4.c