On Mon, Aug 03, 2015 at 02:03:28PM -0700, David Miller wrote:
> From: Glenn Griffin
> Date: Mon, 3 Aug 2015 09:56:54 -0700
>
> > openvswitch modifies the L4 checksum of a packet when modifying
> > the ip address. When an IP packet is fragmented only the first
> > fra
On Mon, Aug 03, 2015 at 02:03:28PM -0700, David Miller wrote:
From: Glenn Griffin ggriffin.ker...@gmail.com
Date: Mon, 3 Aug 2015 09:56:54 -0700
openvswitch modifies the L4 checksum of a packet when modifying
the ip address. When an IP packet is fragmented only the first
fragment
checksum failures in the
reassembled packet.
Signed-off-by: Glenn Griffin
---
Changes in v2:
- Compare frag_off in network byte order rather than host byte order
net/openvswitch/actions.c | 16
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/net/openvswitch/actions.c
On Mon, Aug 03, 2015 at 09:25:53AM -0700, Pravin Shelar wrote:
> On Sat, Aug 1, 2015 at 6:31 PM, Glenn Griffin
> wrote:
> > openvswitch modifies the L4 checksum of a packet when modifying
> > the ip address. When an IP packet is fragmented only the first
> > fragme
On Mon, Aug 03, 2015 at 09:25:53AM -0700, Pravin Shelar wrote:
On Sat, Aug 1, 2015 at 6:31 PM, Glenn Griffin ggriffin.ker...@gmail.com
wrote:
openvswitch modifies the L4 checksum of a packet when modifying
the ip address. When an IP packet is fragmented only the first
fragment contains
checksum failures in the
reassembled packet.
Signed-off-by: Glenn Griffin ggriffin.ker...@gmail.com
---
Changes in v2:
- Compare frag_off in network byte order rather than host byte order
net/openvswitch/actions.c | 16
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git
> > Adding yet another member to the already bloated tcp_sock structure to
> > implement this is too high a cost.
>
> Yes, I was worried that would be deemed too high of a cost, but it was
> the most efficient way I could think to accomplish what I wanted.
>
> > I would instead prefer that there
Adding yet another member to the already bloated tcp_sock structure to
implement this is too high a cost.
Yes, I was worried that would be deemed too high of a cost, but it was
the most efficient way I could think to accomplish what I wanted.
I would instead prefer that there be some
I've posted a series of patches that I believe address Andi's concerns
about syncookies not supporting valuable tcp options (primarily SACK,
and window scaling). The premise being if the client supports tcp
timestamps we can encode the additional tcp options in the initial
timestamp we send back
> Adding yet another member to the already bloated tcp_sock structure to
> implement this is too high a cost.
Yes, I was worried that would be deemed too high of a cost, but it was
the most efficient way I could think to accomplish what I wanted.
> I would instead prefer that there be some
Adding yet another member to the already bloated tcp_sock structure to
implement this is too high a cost.
Yes, I was worried that would be deemed too high of a cost, but it was
the most efficient way I could think to accomplish what I wanted.
I would instead prefer that there be some global
I've posted a series of patches that I believe address Andi's concerns
about syncookies not supporting valuable tcp options (primarily SACK,
and window scaling). The premise being if the client supports tcp
timestamps we can encode the additional tcp options in the initial
timestamp we send back
example would probably be similar to the tcp
init sequence generator.
Signed-off-by: Glenn Griffin <[EMAIL PROTECTED]>
---
include/linux/tcp.h |6 ++
include/net/tcp.h|2 +-
net/ipv4/tcp_input.c | 12 ++--
net/ipv4/tcp_ipv4.c |2 +-
ne
.
This implementation encodes the following options in the timestamp,
snd_wscale, rcv_wscale, sack_ok, and also the necessary bits to calculate
the rtt, and ts_off accurately. Note that there are still 5 unused bits
that could be used for future options.
Signed-off-by: Glenn Griffin <[EM
Support IPv6 syncookies
Signed-off-by: Glenn Griffin <[EMAIL PROTECTED]>
---
include/net/tcp.h| 10 ++
net/ipv4/syncookies.c|9 +-
net/ipv4/tcp_input.c |1 +
net/ipv4/tcp_minisocks.c |2 +
net/ipv4/tcp_output.c|1 +
net/ipv6/Makefile|1
.
This implementation encodes the following options in the timestamp,
snd_wscale, rcv_wscale, sack_ok, and also the necessary bits to calculate
the rtt, and ts_off accurately. Note that there are still 5 unused bits
that could be used for future options.
Signed-off-by: Glenn Griffin [EMAIL
Support IPv6 syncookies
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h| 10 ++
net/ipv4/syncookies.c|9 +-
net/ipv4/tcp_input.c |1 +
net/ipv4/tcp_minisocks.c |2 +
net/ipv4/tcp_output.c|1 +
net/ipv6/Makefile|1 +
net/ipv6
example would probably be similar to the tcp
init sequence generator.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/linux/tcp.h |6 ++
include/net/tcp.h|2 +-
net/ipv4/tcp_input.c | 12 ++--
net/ipv4/tcp_ipv4.c |2 +-
net/ipv4
Updated to incorporate Eric's suggestion of using a per cpu buffer
rather than allocating on the stack. Just a two line change, but will
resend in its entirety.
Signed-off-by: Glenn Griffin <[EMAIL PROTECTED]>
---
include/net/tcp.h|8 ++
net/ipv4/syncookies.c|7 +-
ne
> Or maybe use percpu storage for that...
That seems like a good approach. I'll incorporate it into my v6 patch,
and send out an update. Thanks.
> I am not sure if cookie_hash() is always called with preemption disabled.
> (If not, we have to use get_cpu_var()/put_cpu_var())
cookie_hash is
Or maybe use percpu storage for that...
That seems like a good approach. I'll incorporate it into my v6 patch,
and send out an update. Thanks.
I am not sure if cookie_hash() is always called with preemption disabled.
(If not, we have to use get_cpu_var()/put_cpu_var())
cookie_hash is
Updated to incorporate Eric's suggestion of using a per cpu buffer
rather than allocating on the stack. Just a two line change, but will
resend in its entirety.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h|8 ++
net/ipv4/syncookies.c|7 +-
net/ipv4
possible to have v6 cookie support without v4. At this point
I have not taken Evgeniy's feedback on the hash buffer being too large to
keep on the stack. I was hoping to hear some other opinions on that.
Feedback is appreciated. Thanks.
Signed-off-by: Glenn Griffin <[EMAIL PROTEC
> > +static u32 cookie_hash(struct in6_addr *saddr, struct in6_addr *daddr,
> > + __be16 sport, __be16 dport, u32 count, int c)
> > +{
> > + __u32 tmp[16 + 5 + SHA_WORKSPACE_WORDS];
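Review bot: in the cookie_hash() signature, `int c` and `u32 count` give no hint of what they select or count, and the three terms sizing `tmp` (16 + 5 + SHA_WORKSPACE_WORDS) are unexplained. A short comment above the function naming each parameter and each term of the buffer size would make it possible to check the buffer against the data copied into it. Because `tmp` is a local array, its full size is taken from the kernel stack on every call; if it stays there, the comment should say why that is acceptable.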
>
> This huge buffer should not be allocated on stack.
I can replace it with a kmalloc, but for
> I didn't think a module could have multiple module_inits. Are you
> sure that works?
Indeed. That will fail whenever ipv6 is compiled as a module. It's
been removed. It snuck in from the v4 implementation, where I'm still
having trouble understanding why it's needed there.
--Glenn
--
To
I didn't think a module could have multiple module_inits. Are you
sure that works?
Indeed. That will fail whenever ipv6 is compiled as a module. It's
been removed. It snuck in from the v4 implementation, where I'm still
having trouble understanding why it's needed there.
--Glenn
--
To
+static u32 cookie_hash(struct in6_addr *saddr, struct in6_addr *daddr,
+ __be16 sport, __be16 dport, u32 count, int c)
+{
+ __u32 tmp[16 + 5 + SHA_WORKSPACE_WORDS];
This huge buffer should not be allocated on stack.
I can replace it with a kmalloc, but for my
possible to have v6 cookie support without v4. At this point
I have not taken Evgeniy's feedback on the hash buffer being too large to
keep on the stack. I was hoping to hear some other opinions on that.
Feedback is appreciated. Thanks.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include
and into its own ipv6/syncookies.c. The
same CONFIG options and sysctl variables as ipv4, but this way the code
is isolated to the ipv6 module.
Signed-off-by: Glenn Griffin <[EMAIL PROTECTED]>
---
include/net/tcp.h |6 +
net/ipv6/Makefile |1 +
net/ipv6/syncookies.c
Here is a reworked implementation that restricts the code to the ipv6 module as
Andi suggested. Uses the same CONFIG and sysctl variables as the ipv4
implementation.
Signed-off-by: Glenn Griffin <[EMAIL PROTECTED]>
---
include/net/tcp.h |6 +
net/ipv6/Makefile |1 +
ne
> Syncookies are discouraged these days. They disable too many
> valuable TCP features (window scaling, SACK) and even without them
> the kernel is usually strong enough to defend against syn floods
> and systems have much more memory than they used to be.
>
> So I don't think it makes much sense
Syncookies are discouraged these days. They disable too many
valuable TCP features (window scaling, SACK) and even without them
the kernel is usually strong enough to defend against syn floods
and systems have much more memory than they used to be.
So I don't think it makes much sense to add
Here is a reworked implementation that restricts the code to the ipv6 module as
Andi suggested. Uses the same CONFIG and sysctl variables as the ipv4
implementation.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h |6 +
net/ipv6/Makefile |1 +
net/ipv6
and into its own ipv6/syncookies.c. The
same CONFIG options and sysctl variables as ipv4, but this way the code
is isolated to the ipv6 module.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h |6 +
net/ipv6/Makefile |1 +
net/ipv6/syncookies.c | 273
/suggestions
are welcome.
Signed-off-by: Glenn Griffin <[EMAIL PROTECTED]>
---
include/net/tcp.h |4 +
net/ipv4/syncookies.c | 203 -
net/ipv6/tcp_ipv6.c | 77 +-
3 files changed, 260 insertions(+), 24 deletions(-)
diff
/suggestions
are welcome.
Signed-off-by: Glenn Griffin [EMAIL PROTECTED]
---
include/net/tcp.h |4 +
net/ipv4/syncookies.c | 203 -
net/ipv6/tcp_ipv6.c | 77 +-
3 files changed, 260 insertions(+), 24 deletions(-)
diff --git