
Re: [GNUnet-developers] [PATCH] tcp_stealth: fix compilation if TCP_MD5S


From: Julian Kirsch
Subject: Re: [GNUnet-developers] [PATCH] tcp_stealth: fix compilation if TCP_MD5SIG is not enabled
Date: Tue, 19 Aug 2014 11:42:34 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0

Alexander,

the af_specific->md5_lookup() is used because it's part of the condition
that needs to be met [0] for a timestamp to be added to the SYN (and
thus if TCP Stealth needs to consider the timestamp in the hash
calculation). If MD5 is active, TCP timestamps are disabled by default.

Making TCP_MD5SIG mandatory for TCP Stealth is not an option (it really,
really should only be used by BGP routers, no idea why my kernel-dev
configuration includes it), so we definitively need the #ifdefs.

Thanks again for your valuable input!

-Julian

---
[0] http://lxr.free-electrons.com/source/net/ipv4/tcp_output.c#L551

On 2014-08-18 21:24, Alexander Holler wrote:
> This patch was just compile-time tested (besides that it might not match
> the style Linux kernel devs do want).
> 
> As I'm just starting to set up kernels and test this nice feature, this
> patch might just be handled as a bug report. I haven't looked in depth at
> what af_specific->md5_lookup() is used for, so currently I assume it
> isn't needed for operation if CONFIG_TCP_MD5SIG is disabled.
> 
> Otherwise the tcp_stealth patch would need a
> 
> select TCP_MD5SIG
> 
> in Kconfig.
> 
> Signed-off-by: Alexander Holler <address@hidden>
> ---
>  net/ipv4/tcp_ipv4.c | 7 +++++--
>  net/ipv6/tcp_ipv6.c | 7 +++++--
>  2 files changed, 10 insertions(+), 4 deletions(-)
> 
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 6148bb5..5947dbd 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -245,8 +245,11 @@ int tcp_v4_connect(struct sock *sk, struct sockaddr 
> *uaddr, int addr_len)
>  
>       if (!tp->write_seq && likely(!tp->repair) &&
>           unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) {
> -             if (likely(sysctl_tcp_timestamps &&
> -                        !tp->af_specific->md5_lookup(sk, sk))) {
> +             if (likely(sysctl_tcp_timestamps
> +#ifdef CONFIG_TCP_MD5SIG
> +                 && !tp->af_specific->md5_lookup(sk, sk)
> +#endif
> +                 )) {
>                       tp->write_seq = tcp_stealth_sequence_number(sk,
>                                               &inet->inet_daddr,
>                                               sizeof(inet->inet_daddr),
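Review bot: In the `if (likely(...))` test, the `#ifdef CONFIG_TCP_MD5SIG` / `#endif` pair sits inside the argument list of `likely()`, which is a function-like macro, and C leaves preprocessing directives inside macro arguments undefined, so this builds only because the compiler is lenient. Move the conditional out of the expression, for example into a small static inline helper (name hypothetical, say `tcp_stealth_md5_active(sk)`) with an `#else` variant that returns false, so the call site stays a plain `likely(sysctl_tcp_timestamps && !tcp_stealth_md5_active(sk))`. That also avoids the dangling `)) {` line, which is easy to misread.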
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 33c87df..d8d7b2b 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -303,8 +303,11 @@ static int tcp_v6_connect(struct sock *sk, struct 
> sockaddr *uaddr,
>  
>       if (!tp->write_seq && likely(!tp->repair) &&
>           unlikely(tp->stealth.mode & TCP_STEALTH_MODE_AUTH)) {
> -             if (likely(sysctl_tcp_timestamps &&
> -                        !tp->af_specific->md5_lookup(sk, sk))) {
> +             if (likely(sysctl_tcp_timestamps
> +#ifdef CONFIG_TCP_MD5SIG
> +                 && !tp->af_specific->md5_lookup(sk, sk)
> +#endif
> +                 )) {
>                       tp->write_seq = tcp_stealth_sequence_number(sk,
>                                               sk->sk_v6_daddr.s6_addr32,
>                                               sizeof(sk->sk_v6_daddr),
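Review bot: The guarded condition in `tcp_v6_connect()` is a verbatim copy of the one added to `tcp_v4_connect()`, so the two connect paths can drift apart the next time the timestamp rule changes. Define the check once where both files can see it and call it from both places. The changelog should also state the resulting behaviour: with CONFIG_TCP_MD5SIG disabled, the sequence number is computed as if a timestamp is present whenever `sysctl_tcp_timestamps` is set, and the patch is described as compile-tested only.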
> 



