[PATCH 1/2] syncookies: print synflood warning if syn queue is full
From: Florian Westphal <fw@strlen.de>
Date: 2009-10-16 19:50:35
Always print a warning if the syn queue is full, just like the tcp/ipv6 code does. The "want_cookie" define is no longer needed -- gcc removes the relevant branches in the CONFIG_SYN_COOKIES=n case. Signed-off-by: Florian Westphal <fw@strlen.de> --- net/ipv4/tcp_ipv4.c | 27 ++++++++++++--------------- 1 files changed, 12 insertions(+), 15 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 7cda24b..93b02a3 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -786,19 +786,19 @@ static void tcp_v4_reqsk_destructor(struct request_sock *req)
 kfree(inet_rsk(req)->opt);
 }
 
-#ifdef CONFIG_SYN_COOKIES
 static void syn_flood_warning(struct sk_buff *skb)
 {
- static unsigned long warntime;
-
- if (time_after(jiffies, (warntime + HZ * 60))) {
- warntime = jiffies;
+#ifdef CONFIG_SYN_COOKIES
+ if (sysctl_tcp_syncookies)
 printk(KERN_INFO
- "possible SYN flooding on port %d. Sending cookies.\n",
- ntohs(tcp_hdr(skb)->dest));
- }
-}
+ "Possible SYN flooding on port %d. "
+ "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
+ else
 #endif
+ printk(KERN_INFO
+ "Possible SYN flooding on port %d. "
+ "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
+}
 
 /*
 * Save and compile IPv4 options into the request_sock if needed.
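Review bot: The log text changes from `possible SYN flooding` to `Possible SYN flooding` and the cookie variant is now split across two literals, so any log-monitoring or alerting rule keyed on the old lowercase line will silently stop matching; that deserves a sentence in the commit message. The function also drops its own 60-second throttle (the static warntime) and now relies entirely on the caller wrapping it in net_ratelimit(), which appears to be a stack-wide limiter rather than a per-port one, so a flood on one port may suppress other rate-limited network warnings and vice versa. A short header comment would protect the next caller: `/* Caller must rate-limit (net_ratelimit()); reachable from unauthenticated remote SYNs. */`. The #ifdef cutting through the if/else is correct but easy to misread, so noting that in a CONFIG_SYN_COOKIES=n build the body reduces to the "Dropping request" printk would help.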
@@ -1217,11 +1217,7 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 __be32 daddr = ip_hdr(skb)->daddr;
 __u32 isn = TCP_SKB_CB(skb)->when;
 struct dst_entry *dst = NULL;
-#ifdef CONFIG_SYN_COOKIES
 int want_cookie = 0;
-#else
-#define want_cookie 0 /* Argh, why doesn't gcc optimize this :( */
-#endif
 
 /* Never answer to SYNs send to broadcast or multicast */
 if (skb_rtable(skb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
@@ -1232,6 +1228,8 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 * evidently real one.
 */
 if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
+ if (net_ratelimit())
+ syn_flood_warning(skb);
 #ifdef CONFIG_SYN_COOKIES
 if (sysctl_tcp_syncookies) {
 want_cookie = 1;
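Review bot: sysctl_tcp_syncookies is read once inside syn_flood_warning() to pick the message and again on the following line to decide want_cookie, so if the sysctl is toggled between the two reads the log can say "Sending cookies" while the request is actually dropped, or the reverse; harmless for the connection path but misleading for anyone triaging a flood from syslog. Moving the `if (net_ratelimit()) syn_flood_warning(skb);` call below the `#ifdef`/sysctl block and deriving the message from want_cookie would make the logged action and the real one agree. tcp_v4_conn_request's body continues outside the hunk.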
@@ -1283,10 +1281,9 @@ int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
 
 if (want_cookie) {
 #ifdef CONFIG_SYN_COOKIES
- syn_flood_warning(skb);
 req->cookie_ts = tmp_opt.tstamp_ok;
-#endif
 isn = cookie_v4_init_sequence(sk, skb, &req->mss);
+#endif
 } else if (!isn) {
 struct inet_peer *peer = NULL;
 
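Review bot: With `#endif` moved below the cookie_v4_init_sequence() call, the `if (want_cookie)` body is empty in a CONFIG_SYN_COOKIES=n build, and the branch is only harmless because want_cookie (now an ordinary variable after the earlier hunk) is never set outside the `#ifdef` block; that invariant is not stated anywhere near the branch. A one-line comment above it, `/* want_cookie is only ever set when CONFIG_SYN_COOKIES is enabled */`, would make the dead branch read as intentional rather than suspicious. tcp_v4_conn_request's body continues outside the hunk.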
--
1.6.3.3