tcp: add tcp_syncookies mode to allow unconditionally generation of syncookies (5ad37d5d) · Commits · e / devices / android_kernel_xiaomi_markw

Documentation/networking/ip-sysctl.txt

+4 −0

Original line number	Diff line number	Diff line
		@@ -440,6 +440,10 @@ tcp_syncookies - BOOLEAN
		SYN flood warnings in logs not being really flooded, your server
		is seriously misconfigured.

		If you want to test which effects syncookies have to your
		network connections you can set this knob to 2 to enable
		unconditionally generation of syncookies.

		tcp_fastopen - INTEGER
		Enable TCP Fast Open feature (draft-ietf-tcpm-fastopen) to send data
		in the opening SYN packet. To use this feature, the client application

+3 −2

Original line number	Diff line number	Diff line
		@@ -890,7 +890,7 @@ bool tcp_syn_flood_action(struct sock *sk,
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPREQQFULLDROP);

		lopt = inet_csk(sk)->icsk_accept_queue.listen_opt;
		if (!lopt->synflood_warned) {
		if (!lopt->synflood_warned && sysctl_tcp_syncookies != 2) {
		lopt->synflood_warned = 1;
		pr_info("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n",
		proto, ntohs(tcp_hdr(skb)->dest), msg);
		@@ -1462,7 +1462,8 @@ int tcp_v4_conn_request(struct sock sk, struct sk_buff skb)
		* limitations, they conserve resources and peer is
		* evidently real one.
		*/
		if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
		if ((sysctl_tcp_syncookies == 2 \|\|
		inet_csk_reqsk_queue_is_full(sk)) && !isn) {
		want_cookie = tcp_syn_flood_action(sk, skb, "TCP");
		if (!want_cookie)
		goto drop;

+2 −1

Original line number	Diff line number	Diff line
		@@ -963,7 +963,8 @@ static int tcp_v6_conn_request(struct sock sk, struct sk_buff skb)
		if (!ipv6_unicast_destination(skb))
		goto drop;

		if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
		if ((sysctl_tcp_syncookies == 2 \|\|
		inet_csk_reqsk_queue_is_full(sk)) && !isn) {
		want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6");
		if (!want_cookie)
		goto drop;