Message-ID: <46c9a3cd5888df36ec17bcc5bfd57aab687d4273@linux.dev>
Date: Tue, 08 Apr 2025 14:57:29 +0000
From: "Jiayuan Chen" <jiayuan.chen@...ux.dev>
To: "Eric Dumazet" <edumazet@...gle.com>
Cc: bpf@...r.kernel.org, mrpre@....com, "David S. Miller"
 <davem@...emloft.net>, "Jakub Kicinski" <kuba@...nel.org>, "Paolo Abeni"
 <pabeni@...hat.com>, "Simon Horman" <horms@...nel.org>, "Jonathan Corbet"
 <corbet@....net>, "Neal Cardwell" <ncardwell@...gle.com>, "Kuniyuki
 Iwashima" <kuniyu@...zon.com>, "David Ahern" <dsahern@...nel.org>,
 "Steffen Klassert" <steffen.klassert@...unet.com>, "Sabrina Dubroca"
 <sd@...asysnail.net>, "Nicolas Dichtel" <nicolas.dichtel@...nd.com>,
 "Antony Antony" <antony.antony@...unet.com>, "Christian Hopps"
 <chopps@...n.net>, netdev@...r.kernel.org, linux-doc@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH RESEND net-next v3 2/2] tcp: add
 LINUX_MIB_PAWS_TW_REJECTED counter

April 8, 2025 at 22:18, "Eric Dumazet" <edumazet@...gle.com> wrote:



> 
> On Mon, Apr 7, 2025 at 4:00 PM Jiayuan Chen <jiayuan.chen@...ux.dev> wrote:
> 
> > 
> > When TCP is in TIME_WAIT state, PAWS verification uses
> >  LINUX_PAWSESTABREJECTED, which is ambiguous and cannot be distinguished
> >  from other PAWS verification processes.
> >  Moreover, when PAWS occurs in TIME_WAIT, we typically need to pay special
> >  attention to upstream network devices, so we added a new counter, like the
> >  existing PAWS_OLD_ACK one.
> > 
> 
> I really dislike the repetition of "upstream network devices".
> Is it mentioned in some RFC ?

I used this term to refer to devices that are located in the path of the
TCP connection, such as firewalls, NATs, or routers, which can perform
SNAT or DNAT. These network devices use addresses from their own limited
address pools to masquerade the source address during forwarding, which
can cause PAWS verification to fail more easily.

You are right that this term is not mentioned in any RFC, but it's commonly
used in IT infrastructure contexts. Sorry to have caused misunderstandings.

Thanks.
> > 
> > Also we update the doc with previously missing PAWS_OLD_ACK.
> >  usage:
> > 
> >  '''
> >  nstat -az | grep PAWSTimewait
> >  TcpExtPAWSTimewait 1 0.0
> >  '''
> > 
> >  Suggested-by: Eric Dumazet <edumazet@...gle.com>
> >  Signed-off-by: Jiayuan Chen <jiayuan.chen@...ux.dev>
> > 
> 
> Reviewed-by: Eric Dumazet <edumazet@...gle.com>
>
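
The PAWS failure behind SNAT described in the reply above, as an added example that is not part of the original thread or of the kernel patch: a simplified model of the RFC 7323 timestamp check, not the kernel's own TIME_WAIT code. The struct, function names and timestamp values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the RFC 7323 PAWS test (assumption: not kernel code).
 * A segment is rejected when its TSval is older than the last timestamp
 * recorded for the same 4-tuple, compared modulo 2^32. */
static int paws_reject(uint32_t ts_recent, uint32_t seg_tsval)
{
    return (int32_t)(seg_tsval - ts_recent) < 0;
}

/* Hypothetical TIME_WAIT entry: the server remembers ts_recent per 4-tuple. */
struct tw_entry {
    uint32_t ts_recent;
    unsigned long paws_tw_rejected; /* stands in for the counter under discussion */
};

/* Returns 1 if the segment is dropped by PAWS while in TIME_WAIT. */
static int tw_receive(struct tw_entry *tw, uint32_t seg_tsval)
{
    if (paws_reject(tw->ts_recent, seg_tsval)) {
        tw->paws_tw_rejected++;
        return 1;
    }
    tw->ts_recent = seg_tsval;
    return 0;
}

/* Constructed scenario: two hosts behind one SNAT device, each with its own
 * timestamp clock, are mapped to the same public address and port in turn. */
static unsigned long nat_scenario(void)
{
    struct tw_entry tw = { .ts_recent = 0, .paws_tw_rejected = 0 };
    uint32_t host_a_tsval = 900000; /* host A's clock, constructed value */
    uint32_t host_b_tsval = 1200;   /* host B's clock is far behind A's */

    tw_receive(&tw, host_a_tsval);  /* A's last segment sets ts_recent */
    /* A's connection closes and the server keeps the 4-tuple in TIME_WAIT.
     * The NAT then reuses the same source address and port for host B. */
    tw_receive(&tw, host_b_tsval);  /* B's segment looks old and is rejected */
    return tw.paws_tw_rejected;
}

int main(void)
{
    printf("PAWS rejections in TIME_WAIT: %lu\n", nat_scenario());
    return 0;
}
```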
