git.baikalelectronics.ru Git - kernel.git/commit
tcp: implement RFC 5961 3.2
author    Eric Dumazet <edumazet@google.com>
          Tue, 17 Jul 2012 08:13:05 +0000 (10:13 +0200)
committer David S. Miller <davem@davemloft.net>
          Tue, 17 Jul 2012 08:36:20 +0000 (01:36 -0700)
commit    dbe400804f0b4beab14001df3d32c7c9d14fbfa7
tree      9a306d99ed77d760078d29699edd3007507d709b
parent    f0900c3e047255cf067b0721bc23368f7104a926
tcp: implement RFC 5961 3.2

Implement the RFC 5961 mitigation against Blind
Reset attack using RST bit.

Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previously accepted
window: (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If sequence is in window but not an exact match, send
a "challenge ACK", so that the other party can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Documentation/networking/ip-sysctl.txt
include/linux/snmp.h
include/net/tcp.h
net/ipv4/proc.c
net/ipv4/sysctl_net_ipv4.c
net/ipv4/tcp_input.c
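The check the commit message describes, as an added stand-alone model rather than the kernel's code: an RST whose SEG.SEQ is outside the receive window is dropped, one that equals RCV.NXT resets the connection, and one that is in-window but not exact gets a challenge ACK subject to a per-second budget. The names (validate_rst, challenge_limiter, blind_rst_sweep, the verdict enum) are assumptions for this example; the limiter is a simplified per-second counter standing in for tcp_challenge_ack_limit and total_sent stands in for the TCPChallengeACK SNMP counter, neither is the kernel's implementation. blind_rst_sweep goes beyond the message to show why the change matters: it models an attacker spoofing one RST per window-sized slice of the sequence space and counts how many of those guesses would have reset the connection under the old window rule versus the new exact-match rule.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <limits.h>

/* Verdicts for an incoming segment with the RST bit set (assumed names). */
enum rst_verdict {
    RST_DROP,                 /* SEG.SEQ outside the receive window: ignore */
    RST_ACCEPT,               /* SEG.SEQ == RCV.NXT: reset the connection */
    RST_CHALLENGE,            /* in window, not exact: send a challenge ACK */
    RST_CHALLENGE_SUPPRESSED  /* would challenge, but over the per-second limit */
};

/* The receive-side state the check needs: RCV.NXT and RCV.WND. */
struct tcp_sock_model {
    uint32_t rcv_nxt;
    uint32_t rcv_wnd;
};

/* Simplified per-second limiter modelled on tcp_challenge_ack_limit (not the
 * kernel's code); total_sent plays the role of the TCPChallengeACK counter. */
struct challenge_limiter {
    unsigned int  limit;
    unsigned int  sent_this_second;
    unsigned long current_second;
    unsigned long total_sent;
};

/* Serial-number arithmetic: TCP sequence numbers wrap at 2^32. */
static inline bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }

/* RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, the pre-RFC 5961 acceptance rule. */
static bool seq_in_window(const struct tcp_sock_model *tp, uint32_t seq)
{
    return !seq_before(seq, tp->rcv_nxt) &&
            seq_before(seq, tp->rcv_nxt + tp->rcv_wnd);
}

static bool challenge_ack_allowed(struct challenge_limiter *lim, unsigned long now_sec)
{
    if (lim->current_second != now_sec) {     /* new second: reset the budget */
        lim->current_second   = now_sec;
        lim->sent_this_second = 0;
    }
    if (lim->sent_this_second >= lim->limit)
        return false;
    lim->sent_this_second++;
    lim->total_sent++;
    return true;
}

/* RFC 5961 section 3.2 handling of an incoming RST. */
enum rst_verdict validate_rst(const struct tcp_sock_model *tp, uint32_t seg_seq,
                              struct challenge_limiter *lim, unsigned long now_sec)
{
    if (!seq_in_window(tp, seg_seq))
        return RST_DROP;
    if (seg_seq == tp->rcv_nxt)
        return RST_ACCEPT;
    /* In window but not exact: a blind attacker only needs to land anywhere in
     * RCV.WND to get here, so do not reset. Send a challenge ACK instead; a
     * genuine peer answers it with an RST carrying exactly RCV.NXT. */
    return challenge_ack_allowed(lim, now_sec) ? RST_CHALLENGE
                                               : RST_CHALLENGE_SUPPRESSED;
}

/* Outcome tally for a blind attacker sweeping the sequence space. */
struct sweep_result {
    unsigned long guesses, accepted, challenged, dropped, old_rule_accepted;
};

/* Model the classic blind-reset strategy: one spoofed RST per window-sized
 * slice of the 32-bit sequence space, so that some guess lands in the window. */
struct sweep_result blind_rst_sweep(const struct tcp_sock_model *tp, uint32_t stride)
{
    struct challenge_limiter lim = { UINT_MAX, 0, 0, 0 }; /* unlimited: count every outcome */
    struct sweep_result r = { 0, 0, 0, 0, 0 };
    uint64_t guess;

    for (guess = 0; guess < (1ULL << 32); guess += stride) {
        uint32_t seq = (uint32_t)guess;
        r.guesses++;
        if (seq_in_window(tp, seq))
            r.old_rule_accepted++;   /* old rule: this RST would have killed the connection */
        switch (validate_rst(tp, seq, &lim, 0)) {
        case RST_ACCEPT:    r.accepted++;   break;
        case RST_CHALLENGE: r.challenged++; break;
        default:            r.dropped++;    break;
        }
    }
    return r;
}

int main(void)
{
    struct tcp_sock_model tp = { 1000000u, 65535u };   /* constructed sample state */
    struct sweep_result r = blind_rst_sweep(&tp, tp.rcv_wnd);

    printf("guesses=%lu old-rule resets=%lu new-rule resets=%lu challenge ACKs=%lu\n",
           r.guesses, r.old_rule_accepted, r.accepted, r.challenged);
    return 0;
}
```

With a 64 KiB window the sweep needs about 65538 spoofed RSTs and, under the old rule, is guaranteed one in-window hit that tears the connection down; under the exact-match rule that same hit only draws a challenge ACK, and a reset requires guessing RCV.NXT itself. The limiter is what keeps the challenge ACKs from becoming an amplification or information source in their own right, which is why the commit bounds them per second.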