• E
    net: add real socket cookies · 33cf7c90
    Eric Dumazet 提交于
    A long standing problem in netlink socket dumps is the use
    of kernel socket addresses as cookies.
    
    1) It is a security concern.
    
    2) Sockets can be reused quite quickly, so there is
       no guarantee a cookie is used once and identify
       a flow.
    
    3) request sock, establish sock, and timewait socks
       for a given flow have different cookies.
    
    Part of our effort to bring better TCP statistics requires
    to switch to a different allocator.
    
    In this patch, I chose to use a per network namespace 64bit generator,
    and to use it only in the case a socket needs to be dumped to netlink.
    (This might be refined later if needed)
    
    Note that I tried to carry cookies from request sock, to establish sock,
    then timewait sockets.
    Signed-off-by: NEric Dumazet <edumazet@google.com>
    Cc: Eric Salo <salo@google.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    33cf7c90
syncookies.c 11.3 KB