| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250409112614.16153-1-jiayuan.chen@linux.dev> Date: Wed, 9 Apr 2025 19:26:03 +0800 From: Jiayuan Chen <jiayuan.chen@...ux.dev> To: kuba@...nel.org, edumazet@...gle.com Cc: mrpre@....com, Jiayuan Chen <jiayuan.chen@...ux.dev>, "David S. Miller" <davem@...emloft.net>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, Jonathan Corbet <corbet@....net>, Neal Cardwell <ncardwell@...gle.com>, Kuniyuki Iwashima <kuniyu@...zon.com>, David Ahern <dsahern@...nel.org>, Steffen Klassert <steffen.klassert@...unet.com>, Sabrina Dubroca <sd@...asysnail.net>, Antony Antony <antony.antony@...unet.com>, Christian Hopps <chopps@...n.net>, netdev@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH net-next v4 0/2] tcp: add a new TW_PAWS drop reason Devices in the networking path, such as firewalls, NATs, or routers, which can perform SNAT or DNAT, use addresses from their own limited address pools to masquerade the source address during forwarding, causing PAWS verification to fail more easily under TW status. Currently, packet loss statistics for PAWS can only be viewed through MIB, which is a global metric and cannot be precisely obtained through tracing to get the specific 4-tuple of the dropped packet. In the past, we had to use kprobe ret to retrieve relevant skb information from tcp_timewait_state_process(). We add a drop_reason pointer and a new counter. --- v3 -> v4: 1. Update commit message and make it more concise. 2. Integrated Reviewed-by tag from v3. https://lore.kernel.org/netdev/20250407140001.13886-1-jiayuan.chen@linux.dev/T/#t v2 -> v3: Use new SNMP counter and drop reason suggested by Eric. https://lore.kernel.org/netdev/5cdc1bdd9caee92a6ae932638a862fd5c67630e8@linux.dev/T/#t I didn't provide a packetdrill script. I struggled for a long time to get packetdrill to fix the client port, but ultimately failed to do so... Instead, I wrote my own program to trigger PAWS, which can be found at https://github.com/mrpre/nettrigger/tree/main ''' //assume nginx running on 172.31.75.114:9999, current host is 172.31.75.115 iptables -t filter -I OUTPUT -p tcp --sport 12345 --tcp-flags RST RST -j DROP ./nettrigger -i eth0 -s 172.31.75.115:12345 -d 172.31.75.114:9999 -action paws ''' Jiayuan Chen (2): tcp: add TCP_RFC7323_TW_PAWS drop reason tcp: add LINUX_MIB_PAWS_TW_REJECTED counter Documentation/networking/net_cachelines/snmp.rst | 2 ++ include/net/dropreason-core.h | 7 +++++++ include/net/tcp.h | 3 ++- include/uapi/linux/snmp.h | 1 + net/ipv4/proc.c | 1 + net/ipv4/tcp_ipv4.c | 3 ++- net/ipv4/tcp_minisocks.c | 9 ++++++--- net/ipv6/tcp_ipv6.c | 3 ++- 8 files changed, 23 insertions(+), 6 deletions(-) -- 2.47.1
Powered by blists - more mailing lists