Re: patch for caching TCP options with syncookies

2006-03-16 Thread jensen galan
you are correct that memory is allocated on a syn with
this patch.  however, instead of using a large
open_request struct and the other resources necessary
to track the connection's state, a struct of size 20 B
is allocated and stored in a hash table using the ISN
(syn_cookie value) as the index into this hash table. 
the struct caches the window_scale, timestamp, and
sack options.  it is based on how bsd  handles a
syn_flood, using a syn_cache in conjunction with
syn_cookies.

jensen

--- John Heffner <[EMAIL PROTECTED]> wrote:

> jensen galan wrote:
> > greetings!
> > 
> > this is my first creation of a patch for the linux
> > kernel. if you have time, could you please take a look
> > at it and give me some feedback.
> > 
> > this patch creates a syn_cache for caching TCP options
> > when syn_cookies are in use (by default, all TCP
> > options are lost when using syncookies).
> > 
> > any feedback on the implementation of this cache would
> > also be appreciated.
> > 
> > if anybody's interested, i have also written a paper
> > on this project.
> > 
> > jensen 
> 
> It might be good if you could send a link to the paper.  The point of 
> syncookies is to allocate zero state on a syn (storing it entirely in 
> the ISN).  I didn't read the patch that carefully yet, but it looks like 
> this is allocating memory on a syn.
> 
>-John
> 
> 




Re: patch for caching TCP options with syncookies

2006-03-16 Thread John Heffner

jensen galan wrote:

greetings!

this is my first creation of a patch for the linux
kernel. if you have time, could you please take a look
at it and give me some feedback.

this patch creates a syn_cache for caching TCP options
when syn_cookies are in use (by default, all TCP
options are lost when using syncookies).

any feedback on the implementation of this cache would
also be appreciated.

if anybody's interested, i have also written a paper
on this project.

jensen 


It might be good if you could send a link to the paper.  The point of 
syncookies is to allocate zero state on a syn (storing it entirely in 
the ISN).  I didn't read the patch that carefully yet, but it looks like 
this is allocating memory on a syn.


  -John



Re: patch for caching TCP options with syncookies

2006-03-15 Thread Arnaldo Carvalho de Melo
On 3/15/06, jensen galan <[EMAIL PROTECTED]> wrote:
> greetings!
>
> this is my first creation of a patch for the linux
> kernel. if you have time, could you please take a look
> at it and give me some feedback.
>
> this patch creates a syn_cache for caching TCP options
> when syn_cookies are in use (by default, all TCP
> options are lost when using syncookies).
>
> any feedback on the implementation of this cache would
> also be appreciated.

Interesting, but...

> if anybody's interested, i have also written a paper
> on this project.
>
> jensen
>
>
> diff -Naur linux-2.6.11.11/include/net/tcp.h
> linux_new-2.6.11.11/include/net/tcp.h

... can you please update your patch to the latest kernel tree? Preferably
David Miller's net-2.6.17 git tree, available at www.kernel.org/git.

You'll notice some differences :-)

Then repost and we can continue the discussion as I'll probably do some work
in this area to support DCCP's Init Cookies.

Thanks,

- Arnaldo


patch for caching TCP options with syncookies

2006-03-15 Thread jensen galan
greetings!

this is my first creation of a patch for the linux
kernel. if you have time, could you please take a look
at it and give me some feedback.

this patch creates a syn_cache for caching TCP options
when syn_cookies are in use (by default, all TCP
options are lost when using syncookies).

any feedback on the implementation of this cache would
also be appreciated.

if anybody's interested, i have also written a paper
on this project.

jensen 


diff -Naur linux-2.6.11.11/include/net/tcp.h
linux_new-2.6.11.11/include/net/tcp.h
--- linux-2.6.11.11/include/net/tcp.h   2005-05-27
05:06:46.0 +
+++ linux_new-2.6.11.11/include/net/tcp.h   2006-03-15
07:21:39.0 +
@@ -669,6 +669,32 @@
} af;
 };
 
+/* added struct for caching syn_options */
+struct syn_opt {
+   struct hlist_node   hentry;
+   __u32   isn_key;
+   unsigned long expires;
+   __u8snd_wscale : 4, 
+   tstamp_ok : 1,
+   sack_ok : 1,
+   wscale_ok : 1;
+};
+
+struct syn_hash_bucket {
+   rwlock_t  lock;
+   struct hlist_head chain;
+   __u8size;
+};
+
+extern struct syn_hash_bucket *syn_hasht;
+extern struct timer_list synhashtimer;
+
+/* 
+ * change these values to increase (or decrease) the
SYNHASH size
+ */
+#define SYNHASH_SIZE   512
+#define SYNHASH_BUCKET 30
+
 /* SLAB cache for open requests. */
 extern kmem_cache_t *tcp_openreq_cachep;
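Review bot: Nothing in this hunk states what bounds the cache, which is the property that matters most when the table is filled from unauthenticated SYNs. `SYNHASH_BUCKET` and the `__u8 size` field in `struct syn_hash_bucket` look like a per-chain entry cap, but the comment above the defines only says the values change the "SYNHASH size", and the code that enforces the cap is outside this hunk. I would document it, e.g. `/* SYNHASH_SIZE chains, at most SYNHASH_BUCKET entries per chain (counted in syn_hash_bucket.size) */`, and add `/* jiffies value after which the entry is stale */` on `expires`. If `SYNHASH_BUCKET` were ever raised above 255 the `__u8` counter would wrap, so the comment should state that limit too.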
 
@@ -681,6 +707,12 @@
tcp_openreq_fastfree(req);
 }
 
+/* SLAB cache for syn_opt. */
+extern kmem_cache_t *syn_opt_cachep;
+
+#define syn_opt_alloc()
kmem_cache_alloc(syn_opt_cachep, SLAB_ATOMIC)
+#define syn_opt_fastfree(syn_req)
kmem_cache_free(syn_opt_cachep, syn_req)
+
 #if defined(CONFIG_IPV6) ||
defined(CONFIG_IPV6_MODULE)
 #define TCP_INET_FAMILY(fam) ((fam) == AF_INET)
 #else
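Review bot: `syn_opt_alloc()` wraps `kmem_cache_alloc(syn_opt_cachep, SLAB_ATOMIC)`, which can return NULL, and the header gives callers no hint of that. The call site is not in this hunk, so I cannot confirm it checks the result; a comment above the macro such as `/* may return NULL; caller must then fall back to plain syncookies */` would make the contract explicit. As a minor style point, parenthesize the macro argument: `kmem_cache_free(syn_opt_cachep, (syn_req))`.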
diff -Naur linux-2.6.11.11/net/ipv4/syncookies.c
linux_new-2.6.11.11/net/ipv4/syncookies.c
--- linux-2.6.11.11/net/ipv4/syncookies.c   2005-05-27
05:06:46.0 +
+++ linux_new-2.6.11.11/net/ipv4/syncookies.c
2006-03-15 07:22:34.0 +
@@ -19,6 +19,7 @@
 #include 
 #include 
 #include 
+#include 
 
 extern int sysctl_tcp_syncookies;
 
@@ -121,6 +122,9 @@
int mss; 
struct rtable *rt; 
__u8 rcv_wscale;
+   struct syn_opt *tmp, *found;
+   struct hlist_node *pos;
+   int n; // key for hash table
 
if (!sysctl_tcp_syncookies || !skb->h.th->ack)
goto out;
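Review bot: `found` is declared without an initializer at `struct syn_opt *tmp, *found;`, and the lookup loop added further down in this function assigns it only when a chain entry matches `cookie`. When the bucket is empty or no key matches, the later `if (found)` reads an indeterminate pointer and the `found->snd_wscale` loads that follow can dereference it. Initialise it at the declaration: `struct syn_opt *tmp, *found = NULL;`. The function body starts and ends outside this hunk.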
@@ -162,11 +166,38 @@
}
}
 
-   req->snd_wscale = req->rcv_wscale = req->tstamp_ok =
0;
-   req->wscale_ok  = req->sack_ok = 0; 
+   /* look up cached syn options in hash table */
+   n = cookie % SYNHASH_SIZE;
+   read_lock(&syn_hasht[n].lock);
+   hlist_for_each_entry(tmp, pos, &syn_hasht[n].chain,
hentry) {
+   if (cookie == tmp->isn_key) { 
+   if (!(time_after(jiffies, tmp->expires))) {
+   found = tmp;
+   break;
+   }
+   // FOUND COOKIE, BUT EXPIRED
+   else {
+   found = NULL;
+   break;
+   }
+   }
+   }
+   read_unlock(&syn_hasht[n].lock);
+
+   /* must check if found exists. may have expired */
+   if (found) {
+   req->snd_wscale = found->snd_wscale;
+   req->tstamp_ok  = found->tstamp_ok;
+   req->wscale_ok  = found->wscale_ok;
+   req->sack_ok= found->sack_ok;
+   }
+   else {
+   req->snd_wscale = req->rcv_wscale = req->tstamp_ok
= 0; 
+   req->wscale_ok  = req->sack_ok = 0; 
+   }
req->expires= 0UL; 
req->retrans= 0; 
-   
+
/*
 * We need to lookup the route here to get at the
correct
 * window size. We should better make sure that the
window size
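Review bot: `found` is dereferenced after `read_unlock(&syn_hasht[n].lock)`, so nothing keeps the entry alive while `req` is filled from it. The header declares `synhashtimer` and an `expires` field, which suggests a timer frees stale entries (that code is not on this part of the page); if so, the entry can be freed between the unlock and the four `found->...` reads. Copying the options while the bucket lock is still held closes that window and makes `found` unnecessary, which also removes the path where it is read without ever having been assigned. The enclosing function starts and ends outside the hunk.
```c
	/* … unchanged: n = cookie % SYNHASH_SIZE … */
	req->snd_wscale = req->rcv_wscale = req->tstamp_ok = 0;
	req->wscale_ok  = req->sack_ok = 0;

	read_lock(&syn_hasht[n].lock);
	hlist_for_each_entry(tmp, pos, &syn_hasht[n].chain, hentry) {
		if (cookie != tmp->isn_key)
			continue;
		if (!time_after(jiffies, tmp->expires)) {
			/* copy while the bucket lock still pins the entry */
			req->snd_wscale = tmp->snd_wscale;
			req->tstamp_ok  = tmp->tstamp_ok;
			req->wscale_ok  = tmp->wscale_ok;
			req->sack_ok    = tmp->sack_ok;
		}
		break;
	}
	read_unlock(&syn_hasht[n].lock);
	/* … unchanged: req->expires, req->retrans … */
```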
@@ -194,8 +225,10 @@
req->window_clamp = dst_metric(&rt->u.dst,
RTAX_WINDOW);
tcp_select_initial_window(tcp_full_space(sk),
req->mss,
  &req->rcv_wnd, &req->window_clamp, 
- 0, &rcv_wscale);
+ req->wscale_ok, &rcv_wscale);
+
/* BTW win scale with syncookies is 0 by definition
*/
+   /* this is not true with syn_cache */
req->rcv_wscale   = rcv_wscale; 
 
ret = get_cookie_sock(sk, skb, req, &rt->u.dst);
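Review bot: The two comments above `req->rcv_wscale = rcv_wscale;` now contradict each other: the original says the window scale is 0 by definition with syncookies, and the added one says that is not true. I would replace both with a single statement of the new behaviour, e.g. `/* rcv_wscale is 0 unless a cached syn_opt restored wscale_ok */`. Passing `req->wscale_ok` to `tcp_select_initial_window()` relies on the cache lookup earlier in the function having set it, and that code is outside this hunk.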
diff -Naur linux-2.6.11.11/net/ipv4/tcp.c
linux_new-2.6.11.11/net/ipv4/tcp.c
--- linux-2.6.11.11/net/ipv4/tcp.c  2005-05-27
05:06:46.0 +
+++ linux_new-2.6.11.11/net/ipv4/tcp.c  2006-03-15
07:21:59.0 +
@@ -257,6 +257,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
@@ -272,9 +273,13 @@
 DEFINE_SNMP_STAT(struct tcp_mib, tcp_statistics);
 
 kmem_cache_t *tcp_openreq_cac