F151368106
D52754.id163144.diff
No One
Temporary
D52754.id163144.diff
diff --git a/sys/netinet/tcp_syncache.h b/sys/netinet/tcp_syncache.h
--- a/sys/netinet/tcp_syncache.h
+++ b/sys/netinet/tcp_syncache.h
@@ -67,6 +67,8 @@
u_int8_t sc_requested_s_scale:4,
sc_requested_r_scale:4;
u_int16_t sc_flags;
+ u_int32_t sc_challenge_ack_cnt; /* chall. ACKs sent in epoch */
+ sbintime_t sc_challenge_ack_end; /* End of chall. ack epoch */
#if defined(TCP_OFFLOAD)
struct toedev *sc_tod; /* entry added by this TOE */
void *sc_todctx; /* TOE driver context */
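Review bot: The new fields `sc_challenge_ack_cnt` and `sc_challenge_ack_end` need a defined starting value on every path that builds a `struct syncache`, and this diff shows no initialisation for them. If an entry is not zeroed when it is created (including any temporary entry rebuilt from a syncookie, which is not visible here), the rate limiter would start from stale values. Either confirm that the existing allocation paths zero the structure or set both fields to 0 explicitly; the copy into `tp->t_challenge_ack_end` / `tp->t_challenge_ack_cnt` and the check in `syncache_send_challenge_ack()` rely on the same assumption. The abbreviated field comments could also be spelled out, e.g. `/* challenge ACKs sent in current epoch */`.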
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -122,6 +122,7 @@
static void syncache_free(struct syncache *);
static void syncache_insert(struct syncache *, struct syncache_head *);
static int syncache_respond(struct syncache *, const struct mbuf *, int);
+static int syncache_send_challenge_ack(struct syncache *, struct mbuf *);
static struct socket *syncache_socket(struct syncache *, struct socket *,
struct mbuf *m);
static void syncache_timeout(struct syncache *sc, struct syncache_head *sch,
@@ -694,10 +695,7 @@
"sending challenge ACK\n",
s, __func__,
th->th_seq, sc->sc_irs + 1, sc->sc_wnd);
- if (syncache_respond(sc, m, TH_ACK) == 0) {
- TCPSTAT_INC(tcps_sndacks);
- TCPSTAT_INC(tcps_sndtotal);
- } else {
+ if (syncache_send_challenge_ack(sc, m) != 0) {
syncache_drop(sc, sch);
TCPSTAT_INC(tcps_sc_dropped);
}
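Review bot: The log text `"sending challenge ACK\n"` in the context lines just above the changed call is no longer always true, because `syncache_send_challenge_ack()` returns 0 without sending anything when the rate limit declines the ACK. Anyone using these log lines to count the responses generated for out-of-window segments would overcount what was actually put on the wire. Consider rewording the tail of the message, e.g. `"challenge ACK (subject to rate limit)\n"`, or moving the log into the helper once the send/suppress decision is known. The log call itself starts outside this hunk.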
@@ -963,6 +961,10 @@
if (sc->sc_rxmits > 1)
tp->snd_cwnd = 1;
+ /* Copy over the challenge ACK state. */
+ tp->t_challenge_ack_end = sc->sc_challenge_ack_end;
+ tp->t_challenge_ack_cnt = sc->sc_challenge_ack_cnt;
+
#ifdef TCP_OFFLOAD
/*
* Allow a TOE driver to install its hooks. Note that we hold the
@@ -2053,6 +2055,24 @@
return (error);
}
+static int
+syncache_send_challenge_ack(struct syncache *sc, struct mbuf *m)
+{
+ int error;
+
+ if (tcp_challenge_ack_check(&sc->sc_challenge_ack_end,
+ &sc->sc_challenge_ack_cnt)) {
+ error = syncache_respond(sc, m, TH_ACK);
+ if (error == 0) {
+ TCPSTAT_INC(tcps_sndacks);
+ TCPSTAT_INC(tcps_sndtotal);
+ }
+ } else {
+ error = 0;
+ }
+ return (error);
+}
+
/*
* The purpose of syncookies is to handle spoofed SYN flooding DoS attacks
* that exceed the capacity of the syncache by avoiding the storage of any
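Review bot: `syncache_send_challenge_ack()` returns 0 both when the ACK was sent and when `tcp_challenge_ack_check()` declined it, and the function has no comment stating that contract. The caller drops the syncache entry on any non-zero return, so a header comment would help, e.g. `/* Send a challenge ACK unless rate limited. Returns 0 if sent or suppressed, otherwise the syncache_respond() error. */`. The suppressed branch also bumps no counter, so unless `tcp_challenge_ack_check()` does its own accounting (not visible here) a limiter that is actively throttling cannot be seen in the statistics. As a smaller style point, `m` is only passed on to `syncache_respond()`, whose prototype takes `const struct mbuf *`, so the helper and its prototype could take `const struct mbuf *m` too.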
Attached To
Mode
D52754: tcp: apply rate limits to challenge ACKs