    tcp: syncookies: extend validity range · 264ea103
    Eric Dumazet authored
    Now that we allow storing more request socks per listener, we might
    hit syncookie mode less often and hit the following bug in our stack:
    
    When we send a burst of syncookies, then exit this mode,
    tcp_synq_no_recent_overflow() can return false if the ACK packets coming
    from clients are coming three seconds after the end of syncookie
    episode.
    
    This is a way too strong requirement and conflicts with the rest of
    syncookie code which allows ACK to be aged up to 2 minutes.
    
    Perfectly valid ACK packets are dropped just because clients might be
    in a crowded wifi environment or on another planet.
    
    So let's fix this, and also change tcp_synq_overflow() to not
    dirty a cache line for every syncookie we send, as we are under attack.
    
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Acked-by: Florian Westphal <fw@strlen.de>
    Acked-by: Yuchung Cheng <ycheng@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
tcp.h 52.1 KB
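The timing problem described in the commit message above, as an added user-space model (not the kernel's code and not part of the commit). The tick rate `HZ`, the helper names and the one-second write throttle are assumptions made for illustration; the 3-second and 2-minute windows are the ones the message names.

```c
#include <stdbool.h>
#include <stdio.h>

#define HZ 1000UL                     /* assumed tick rate for this model */
#define OLD_WINDOW (3UL * HZ)         /* "three seconds" in the commit message */
#define NEW_WINDOW (2UL * 60UL * HZ)  /* "2 minutes" cookie age in the commit message */

/* Wrap-safe "a is later than b" on a free-running tick counter. */
static bool tick_after(unsigned long a, unsigned long b)
{
    return (long)(b - a) < 0;
}

/* True means "no recent overflow": a cookie ACK arriving at `now`
 * is rejected before its cookie is even validated. */
static bool no_recent_overflow(unsigned long now, unsigned long last_overflow,
                               unsigned long window)
{
    return tick_after(now, last_overflow + window);
}

/* Record an overflow, but write the shared stamp at most once per second
 * (assumed throttle) so a SYN flood does not dirty the line per cookie. */
static bool mark_overflow(unsigned long *stamp, unsigned long now)
{
    if (!tick_after(now, *stamp + HZ))
        return false;
    *stamp = now;
    return true;
}

/* Stamp writes for a constructed burst of n cookies sent one per tick. */
static unsigned long writes_during_burst(unsigned long start, unsigned long n)
{
    unsigned long stamp = start - 2 * HZ, writes = 0;
    for (unsigned long i = 0; i < n; i++)
        writes += mark_overflow(&stamp, start + i);
    return writes;
}

int main(void)
{
    unsigned long last = 50000, ack = last + 5 * HZ; /* ACK 5 s after the episode */
    printf("3 s window rejects ACK:   %d\n", no_recent_overflow(ack, last, OLD_WINDOW));
    printf("2 min window rejects ACK: %d\n", no_recent_overflow(ack, last, NEW_WINDOW));
    printf("stamp writes for 5000 cookies: %lu\n", writes_during_burst(last, 5000));
    return 0;
}
```

The throttle means the recorded stamp can lag the true last overflow by up to one second, which is negligible against a 2-minute window.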