On Fri, 2017-05-05 at 02:32 +0200, Florian Westphal wrote:
> Florian Westphal <f...@strlen.de> wrote:
> [..]
> > This breaks syncookies w. timestamps; cookie_timestamp_decode() lacks a tsoff
> > for readjustment.
> >
> > We also need to pass the (recomputed) tsoff to tcp_get_cookie_sock().
>
> This small delta makes things work for me:
>
Hi Florian, thanks for looking at this. One comment : > diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c > index 895ff650db43..eb96825d6340 100644 > --- a/net/ipv6/syncookies.c > +++ b/net/ipv6/syncookies.c > @@ -18,6 +18,7 @@ > #include <linux/random.h> > #include <linux/siphash.h> > #include <linux/kernel.h> > +#include <net/secure_seq.h> > #include <net/ipv6.h> > #include <net/tcp.h> > > @@ -143,6 +144,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct > sk_buff *skb) > int mss; > struct dst_entry *dst; > __u8 rcv_wscale; > + u32 tsoff; > > if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies || !th->ack || th->rst) > goto out; > @@ -162,6 +164,12 @@ struct sock *cookie_v6_check(struct sock *sk, struct > sk_buff *skb) > memset(&tcp_opt, 0, sizeof(tcp_opt)); > tcp_parse_options(skb, &tcp_opt, 0, NULL); > > + tsoff = 0; > + if (tcp_opt.saw_tstamp && tcp_opt.rcv_tsecr) { > + tsoff = secure_tcpv6_ts_off(&ip_hdr(skb)->daddr, > &ip_hdr(skb)->saddr); I will use the ipv6_hdr(skb)->daddr.s6_addr32 and ipv6_hdr(skb)->saddr.s6_addr32 if you agree ;) > + tcp_opt.rcv_tsecr -= tsoff; > + } > + Thanks !
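Review bot: in the `@@ -162,6 +164,12 @@` hunk of cookie_v6_check(), the new call `secure_tcpv6_ts_off(&ip_hdr(skb)->daddr, &ip_hdr(skb)->saddr)` reads the addresses through the IPv4 header accessor inside the IPv6 syncookie path, so the recomputed tsoff is not derived from the packet's IPv6 source and destination addresses. Use `ipv6_hdr(skb)->daddr.s6_addr32` and `ipv6_hdr(skb)->saddr.s6_addr32`, as the reply proposes, so that the value subtracted from `tcp_opt.rcv_tsecr` is computed over the IPv6 addresses. The quoted portion also stops before any use of `tsoff` beyond the rcv_tsecr adjustment; since the description says the recomputed tsoff must be passed to tcp_get_cookie_sock(), check that the full patch does so in this function.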