Pandora Sourcecodes - pandora-kernel.git/commit

author	Eric Dumazet <edumazet@google.com>
	Tue, 17 Jul 2012 08:13:05 +0000 (10:13 +0200)
committer	David S. Miller <davem@davemloft.net>
	Tue, 17 Jul 2012 08:36:20 +0000 (01:36 -0700)
commit	282f23c6ee343126156dd41218b22ece96d747e3
tree	9a306d99ed77d760078d29699edd3007507d709b	tree \| snapshot
parent	a858d64b7709ca7bd2ee71d66ef3b7190cdcbb7d	commit \| diff

tcp: implement RFC 5961 3.2

Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.

Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Documentation/networking/ip-sysctl.txt		diff \| blob \| history
include/linux/snmp.h		diff \| blob \| history
include/net/tcp.h		diff \| blob \| history
net/ipv4/proc.c		diff \| blob \| history
net/ipv4/sysctl_net_ipv4.c		diff \| blob \| history
net/ipv4/tcp_input.c		diff \| blob \| history