tcp: make global challenge ack rate limitation per net-ns and default disabled

Because per host rate limiting has been proven problematic (side channel attacks can be based on it), per host rate limiting of challenge acks ideally should be per netns and turned off by default. This is a long due followup of following commits: 083ae308280d ("tcp: enable per-socket rate limiting of all 'challenge acks'") f2b2c582e824 ("tcp: mitigate ACK loops for connections as tcp_sock") 75ff39ccc1bd ("tcp: make challenge acks less predictable") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Jason Baron <jbaron@akamai.com> Acked-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Eric Dumazet 2022-08-30 11:56:56 -0700
committer: Jakub Kicinski 2022-08-31 19:56:48 -0700
commit: 79e3602caa6f9d59c4f66a268407080496dae408 (patch)
tree: 639b61f605e41a495d774f43c4e3062296bd3836 /include/net
parent: 8c70521238b7863c2af607e20bcba20f974c969b (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index c7320ef356d9..6320a76cefdc 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -179,6 +179,8 @@ struct netns_ipv4 {
 	unsigned int sysctl_tcp_fastopen_blackhole_timeout;
 	atomic_t tfo_active_disable_times;
 	unsigned long tfo_active_disable_stamp;
+	u32 tcp_challenge_timestamp;
+	u32 tcp_challenge_count;
 
 	int sysctl_udp_wmem_min;
 	int sysctl_udp_rmem_min;
author	Eric Dumazet	2022-08-30 11:56:56 -0700
committer	Jakub Kicinski	2022-08-31 19:56:48 -0700
commit	79e3602caa6f9d59c4f66a268407080496dae408 (patch)
tree	639b61f605e41a495d774f43c4e3062296bd3836 /include/net
parent	8c70521238b7863c2af607e20bcba20f974c969b (diff)