A code detail in SYN Cookie
This post was last edited by Godbach on 2011-01-24 10:10
Kernel 2.6.24.4
The function that handles connection requests: tcp_v4_conn_request
QUOTE:
int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
{
    struct inet_request_sock *ireq;
    struct tcp_options_received tmp_opt;
    struct request_sock *req;
    __be32 saddr = ip_hdr(skb)->saddr;
    __be32 daddr = ip_hdr(skb)->daddr;
    __u32 isn = TCP_SKB_CB(skb)->when;
    struct dst_entry *dst = NULL;
#ifdef CONFIG_SYN_COOKIES
    int want_cookie = 0;
#else
#define want_cookie 0 /* Argh, why doesn't gcc optimize this */
#endif
    ......
    if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
#ifdef CONFIG_SYN_COOKIES
        if (sysctl_tcp_syncookies) {
            want_cookie = 1;
        } else
#endif
        goto drop;
    }
    ......
    if (want_cookie) {
#ifdef CONFIG_SYN_COOKIES
        syn_flood_warning(skb);
#endif
        isn = cookie_v4_init_sequence(sk, skb, &req->mss);
    } else if (!isn) {
I feel that the conditional macro check in the last part of the code is redundant.
QUOTE:
#ifdef CONFIG_SYN_COOKIES
syn_flood_warning(skb);
#endif
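Because, judging from the code, the only reason want_cookie can equal 1 is that the CONFIG_SYN_COOKIES option is configured and sysctl_tcp_syncookies is non-zero.
Author: Godbach Posted: 2011-01-24
Judging from the program's logic, that does seem to be the case.
Author: hritian Posted: 2011-01-24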
QUOTE:
    if (want_cookie) {
#ifdef CONFIG_SYN_COOKIES
        syn_flood_warning(skb);
#endif
        isn = cookie_v4_init_sequence(sk, skb, &req->mss);
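Yes, in the end it goes straight to computing isn with the cookie method anyway, so it has clearly entered the syncookie flow, yet before that it still adds a conditional macro check for whether SYN_COOKIES is configured.
Author: Godbach Posted: 2011-01-24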
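The control flow discussed in this thread, as an added user-space model in C (not part of the original posts and not kernel code): it keeps the quoted `#ifdef` structure, including the `else` that spans `#endif`, so the two build configurations can be compared. `model_conn_request`, `enum action` and `warnings` are hypothetical names, and defining `syn_flood_warning` only under `CONFIG_SYN_COOKIES` is an assumption of the model.

```c
#include <stdio.h>

/* Constructed user-space model of the quoted control flow; not kernel code. */
#define CONFIG_SYN_COOKIES 1 /* delete to model a build without the option */

enum action { ACT_NORMAL, ACT_COOKIE, ACT_DROP };

static int sysctl_tcp_syncookies = 1; /* stand-in for the sysctl */
static int warnings;                  /* counts syn_flood_warning() calls */

#ifdef CONFIG_SYN_COOKIES
/* Assumption of this model: the helper exists only when the option is set. */
static void syn_flood_warning(void) { warnings++; }
#endif

/* queue_full models inet_csk_reqsk_queue_is_full(sk); isn models TCP_SKB_CB(skb)->when. */
enum action model_conn_request(int queue_full, unsigned int isn)
{
#ifdef CONFIG_SYN_COOKIES
    int want_cookie = 0;
#else
#define want_cookie 0 /* constant: the cookie branch below becomes if (0) */
#endif

    if (queue_full && !isn) {
#ifdef CONFIG_SYN_COOKIES
        if (sysctl_tcp_syncookies) {
            want_cookie = 1;
        } else
#endif
            return ACT_DROP; /* "goto drop": unconditional without the option */
    }

    if (want_cookie) {
#ifdef CONFIG_SYN_COOKIES
        syn_flood_warning();
#endif
        return ACT_COOKIE; /* where cookie_v4_init_sequence() would run */
    }
    return ACT_NORMAL;
}

int main(void)
{
    printf("queue full, sysctl=1: %d\n", model_conn_request(1, 0));
    sysctl_tcp_syncookies = 0;
    printf("queue full, sysctl=0: %d\n", model_conn_request(1, 0));
    return 0;
}
```

Deleting the `#define CONFIG_SYN_COOKIES` line turns `want_cookie` into the constant 0 and makes the drop unconditional. In that build the inner guard is what keeps the never-declared `syn_flood_warning()` call out of the `if (0)` body, which the compiler still has to parse.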