    syncookies: split cookie_check_timestamp() into two functions · f1673381
    Florian Westphal authored
    The function cookie_check_timestamp(), both called from IPv4/6 context,
    is being used to decode the echoed timestamp from the SYN/ACK into TCP
    options used for follow-up communication with the peer.
    
    We can remove ECN handling from that function, split it into a separate
    one, and simply rename the original function into cookie_decode_options().
    cookie_decode_options() just fills in tcp_option struct based on the
    echoed timestamp received from the peer. Anything that fails in this
    function will actually discard the request socket.
    
    While this is the natural place for decoding options such as ECN which
    commit 172d69e6 ("syncookies: add support for ECN") added, we argue
    that in particular for ECN handling, it can be checked at a later point
    in time as the request sock would actually not need to be dropped from
    this, but just ECN support turned off.
    
    Therefore, we split this functionality into cookie_ecn_ok(), which tells
    us if the timestamp indicates ECN support AND the tcp_ecn sysctl is enabled.
    
    This prepares for per-route ECN support: just looking at the tcp_ecn sysctl
    won't be enough anymore at that point; if the timestamp indicates ECN
    and sysctl tcp_ecn == 0, we will also need to check the ECN dst metric.
    
    This would mean adding a route lookup to cookie_check_timestamp(), which
    we definitely want to avoid. As we already do a route lookup at a later
    point in cookie_{v4,v6}_check(), we can simply make use of that as well
    for the new cookie_ecn_ok() function w/o any additional cost.
    
    Joint work with Daniel Borkmann.
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
syncookies.c 11.2 KB
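
The split described in the commit message, shown as an added userspace model that is not the kernel code from this commit: a failed option decode discards the request, while an ECN mismatch only turns ECN off. The struct and function names, the bit positions in the echoed timestamp, and the sysctl struct are assumptions made for illustration; the per-route ECN check the message anticipates is not modeled.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed layout of the low bits of the echoed timestamp (illustrative). */
#define TS_OPT_WSCALE_MASK 0xfu
#define TS_OPT_SACK        (1u << 4)
#define TS_OPT_ECN         (1u << 5)

struct opts {              /* hypothetical stand-in for the kernel option struct */
    bool saw_tstamp, sack_ok, wscale_ok;
    uint8_t snd_wscale;
    uint32_t rcv_tsecr;    /* timestamp echoed back by the peer */
};

struct sysctls { bool timestamps, sack, window_scaling, ecn; };

/* Decode step: any conflict with local policy means the request is dropped. */
static bool decode_options(struct opts *o, const struct sysctls *s)
{
    uint32_t bits = o->rcv_tsecr;

    o->sack_ok = o->wscale_ok = false;
    o->snd_wscale = 0;
    if (!o->saw_tstamp)
        return true;                 /* nothing was encoded in the cookie */
    if (!s->timestamps)
        return false;
    o->sack_ok = (bits & TS_OPT_SACK) != 0;
    if (o->sack_ok && !s->sack)
        return false;
    if ((bits & TS_OPT_WSCALE_MASK) == TS_OPT_WSCALE_MASK)
        return true;                 /* all-ones value: no window scaling */
    o->wscale_ok = true;
    o->snd_wscale = (uint8_t)(bits & TS_OPT_WSCALE_MASK);
    return s->window_scaling;
}

/* ECN step: never fails the handshake, only decides whether ECN is used. */
static bool ecn_ok(const struct opts *o, const struct sysctls *s)
{
    return o->saw_tstamp && s->ecn && (o->rcv_tsecr & TS_OPT_ECN) != 0;
}

/* Caller: 0 = drop request, 1 = accept without ECN, 2 = accept with ECN. */
int cookie_check_model(struct opts *o, const struct sysctls *s)
{
    if (!decode_options(o, s))
        return 0;
    return ecn_ok(o, s) ? 2 : 1;
}
```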