On Mon, Aug 03, 2015 at 02:03:28PM -0700, David Miller wrote:
From: Glenn Griffin ggriffin.ker...@gmail.com
Date: Mon, 3 Aug 2015 09:56:54 -0700
openvswitch modifies the L4 checksum of a packet when modifying
the ip address. When an IP packet is fragmented only the first
fragment
On Mon, Aug 03, 2015 at 09:25:53AM -0700, Pravin Shelar wrote:
On Sat, Aug 1, 2015 at 6:31 PM, Glenn Griffin ggriffin.ker...@gmail.com
wrote:
openvswitch modifies the L4 checksum of a packet when modifying
the ip address. When an IP packet is fragmented only the first
fragment contains
checksum failures in the
reassembled packet.
Signed-off-by: Glenn Griffin ggriffin.ker...@gmail.com
---
Changes in v2:
- Compare frag_off in network byte order rather than host byte order
net/openvswitch/actions.c | 16
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git
Adding yet another member to the already bloated tcp_sock structure to
implement this is too high a cost.
Yes, I was worried that would be deemed too high of a cost, but it was
the most efficient way I could think to accomplish what I wanted.
I would instead prefer that there be some
Adding yet another member to the already bloated tcp_sock structure to
implement this is too high a cost.
Yes, I was worried that would be deemed too high of a cost, but it was
the most efficient way I could think to accomplish what I wanted.
I would instead prefer that there be some global
I've posted a series of patches that I believe address Andi's concerns
about syncookies not supporting valuable tcp options (primarily SACK,
and window scaling). The premise being if the client supports tcp
timestamps we can encode the additional tcp options in the initial
timestamp we send back
Support IPv6 syncookies
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h| 10 ++
net/ipv4/syncookies.c|9 +-
net/ipv4/tcp_input.c |1 +
net/ipv4/tcp_minisocks.c |2 +
net/ipv4/tcp_output.c|1 +
net/ipv6/Makefile|1 +
net/ipv6
example would probably be similar to the tcp
init sequence generator.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/linux/tcp.h |6 ++
include/net/tcp.h|2 +-
net/ipv4/tcp_input.c | 12 ++--
net/ipv4/tcp_ipv4.c |2 +-
net/ipv4
.
This implementation encodes the following options in the timestamp,
snd_wscale, rcv_wscale, sack_ok, and also the necessary bits to calculate
the rtt, and ts_off accurately. Note that there are still 5 unused bits
that could be used for future options.
Signed-off-by: Glenn Griffin [EMAIL
Or maybe use percpu storage for that...
That seems like a good approach. I'll incorporate it into my v6 patch,
and send out an update. Thanks.
I am not sure if cookie_hash() is always called with preemption disabled.
(If not, we have to use get_cpu_var()/put_cpu_var())
cookie_hash is
Updated to incorporate Eric's suggestion of using a per cpu buffer
rather than allocating on the stack. Just a two line change, but will
resend in its entirety.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h|8 ++
net/ipv4/syncookies.c|7 +-
net/ipv4
I didn't think a module could have multiple module_inits. Are you
sure that works?
Indeed. That will fail whenever ipv6 is compiled as a module. It's
been removed. It snuck in from the v4 implementation, where I'm still
having trouble understanding why it's needed there.
--Glenn
--
To
+static u32 cookie_hash(struct in6_addr *saddr, struct in6_addr *daddr,
+ __be16 sport, __be16 dport, u32 count, int c)
+{
+ __u32 tmp[16 + 5 + SHA_WORKSPACE_WORDS];
This huge buffer should not be allocated on stack.
I can replace it with a kmalloc, but for my
possible to have v6 cookie support without v4. At this point
I have not taken Evgeniy's feedback on the hash buffer being too large to
keep on the stack. I was hoping to hear some other opinions on that.
Feedback is appreciated. Thanks.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include
Syncookies are discouraged these days. They disable too many
valuable TCP features (window scaling, SACK) and even without them
the kernel is usually strong enough to defend against syn floods
and systems have much more memory than they used to.
So I don't think it makes much sense to add
Here is a reworked implementation that restricts the code to the ipv6 module as
Andi suggested. Uses the same CONFIG and sysctl variables as the ipv4
implementation.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h |6 +
net/ipv6/Makefile |1 +
net/ipv6
and into its own ipv6/syncookies.c. The
same CONFIG options and sysctl variables as ipv4, but this way the code
is isolated to the ipv6 module.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h |6 +
net/ipv6/Makefile |1 +
net/ipv6/syncookies.c | 273
/suggestions
are welcome.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h |4 +
net/ipv4/syncookies.c | 203 -
net/ipv6/tcp_ipv6.c | 77 +-
3 files changed, 260 insertions(+), 24 deletions(-)
diff --git
In researching the linux implementation of syn cookies I stumbled on a few
points that aren't initially clear to me. I was hoping someone could elaborate
and shed some light onto what I'm missing.
at net/ipv6/tcp_ipv6.c:1249 within tcp_v6_conn_request()
There is the following comment:
I posted this 2 weeks ago on the bonding-devel list, but didn't
receive any feedback so thought I would bring it up to a larger
audience.
Included is a patch for a new xmit_hash_policy for the bonding driver
that selects slaves based on MAC and IP information. This is a middle
ground between