Took the set of patches from 4.19 to handle IP fragmentation DoS and
applied them against 4.14.69. Most of these are from Eric. In a couple
of cases, it required some manual merge conflict resolution.

Tested normal IP fragmentation with iperf3 and malicious IP fragments
with fragmentsmack. Under fragmentation attack (700Kpps) the original
4.14.69 consumes 97% CPU; with this patch it drops to 5%.

v3 - send to wider audience
v2 - added patch from 4.19 linux-next to fix ip fragmentation crash

Dan Carpenter (1):
  ipv4: frags: precedence bug in ip_expire()

Eric Dumazet (22):
  inet: frags: change inet_frags_init_net() return value
  inet: frags: add a pointer to struct netns_frags
  inet: frags: refactor ipfrag_init()
  inet: frags: refactor ipv6_frag_init()
  inet: frags: refactor lowpan_net_frag_init()
  ipv6: export ip6 fragments sysctl to unprivileged users
  rhashtable: add schedule points
  inet: frags: use rhashtables for reassembly units
  inet: frags: remove some helpers
  inet: frags: get rid of inet_frag_evicting()
  inet: frags: remove inet_frag_maybe_warn_overflow()
  inet: frags: break the 2GB limit for frags storage
  inet: frags: do not clone skb in ip_expire()
  ipv6: frags: rewrite ip6_expire_frag_queue()
  rhashtable: reorganize struct rhashtable layout
  inet: frags: reorganize struct netns_frags
  inet: frags: get rid of ipfrag_skb_cb/FRAG_CB
  inet: frags: fix ip6frag_low_thresh boundary
  net: speed up skb_rbtree_purge()
  net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends
  net: add rb_to_skb() and other rb tree helpers
  net: sk_buff rbnode reorg

Florian Westphal (1):
  ipv6: defrag: drop non-last frags smaller than min mtu

Kees Cook (1):
  inet: frags: Convert timers to use timer_setup()

Peter Oskolkov (4):
  ip: discard IPv4 datagrams with overlapping segments.
  net: modify skb_rbtree_purge to return the truesize of all purged skbs.
  ip: add helpers to process in-order fragments faster.
  ip: process in-order fragments efficiently

Taehee Yoo (1):
  ip: frags: fix crash in ip_do_fragment()

 Documentation/networking/ip-sysctl.txt  |  13 +-
 include/linux/rhashtable.h              |   8 +-
 include/linux/skbuff.h                  |  50 +-
 include/net/inet_frag.h                 | 135 +++--
 include/net/ip.h                        |   1 -
 include/net/ipv6.h                      |  26 +-
 include/uapi/linux/snmp.h               |   1 +
 lib/rhashtable.c                        |   2 +
 net/core/skbuff.c                       |  31 +-
 net/ieee802154/6lowpan/6lowpan_i.h      |  26 +-
 net/ieee802154/6lowpan/reassembly.c     | 153 ++++--
 net/ipv4/inet_fragment.c                | 378 ++++------
 net/ipv4/ip_fragment.c                  | 578 +++++++++++-----------
 net/ipv4/proc.c                         |   7 +-
 net/ipv4/tcp_fastopen.c                 |   8 +-
 net/ipv4/tcp_input.c                    |  33 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c | 105 ++--
 net/ipv6/proc.c                         |   5 +-
 net/ipv6/reassembly.c                   | 217 ++++---
 net/sched/sch_netem.c                   |  14 +-
 20 files changed, 802 insertions(+), 989 deletions(-)

-- 
2.18.0