aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4/proc.c
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2012-07-17 10:13:05 +0200
committerDavid S. Miller <davem@davemloft.net>2012-07-17 01:36:20 -0700
commit282f23c6ee343126156dd41218b22ece96d747e3 (patch)
tree9a306d99ed77d760078d29699edd3007507d709b /net/ipv4/proc.c
parenta858d64b7709ca7bd2ee71d66ef3b7190cdcbb7d (diff)
downloadkernel_goldelico_gta04-282f23c6ee343126156dd41218b22ece96d747e3.zip
kernel_goldelico_gta04-282f23c6ee343126156dd41218b22ece96d747e3.tar.gz
kernel_goldelico_gta04-282f23c6ee343126156dd41218b22ece96d747e3.tar.bz2
tcp: implement RFC 5961 3.2
Implement the RFC 5691 mitigation against Blind Reset attack using RST bit. Idea is to validate incoming RST sequence, to match RCV.NXT value, instead of previouly accepted window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND) If sequence is in window but not an exact match, send a "challenge ACK", so that the other part can resend an RST with the appropriate sequence. Add a new sysctl, tcp_challenge_ack_limit, to limit number of challenge ACK sent per second. Add a new SNMP counter to count number of challenge acks sent. (netstat -s | grep TCPChallengeACK) Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Kiran Kumar Kella <kkiran@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/proc.c')
-rw-r--r--net/ipv4/proc.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c
index dae25e76..3e8e78f 100644
--- a/net/ipv4/proc.c
+++ b/net/ipv4/proc.c
@@ -261,6 +261,7 @@ static const struct snmp_mib snmp4_net_list[] = {
SNMP_MIB_ITEM("TCPOFOQueue", LINUX_MIB_TCPOFOQUEUE),
SNMP_MIB_ITEM("TCPOFODrop", LINUX_MIB_TCPOFODROP),
SNMP_MIB_ITEM("TCPOFOMerge", LINUX_MIB_TCPOFOMERGE),
+ SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
SNMP_MIB_SENTINEL
};