syncookies: only increment SYNCOOKIESFAILED on validation error
authorFlorian Westphal <fw@strlen.de>
Thu, 30 Oct 2014 01:55:38 +0000 (02:55 +0100)
committerDavid S. Miller <davem@davemloft.net>
Thu, 30 Oct 2014 20:53:39 +0000 (16:53 -0400)
Only count packets that failed cookie-authentication.
We can get SYNCOOKIESFAILED > 0 while we never even sent a single cookie.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/syncookies.c
net/ipv6/syncookies.c

index 32b98d0207b48b07472f0954e327483900be08e6..4ac7bcaf2f46ea6dd6976f6596d3469f5e4f4271 100644 (file)
@@ -275,8 +275,11 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
        if (!sysctl_tcp_syncookies || !th->ack || th->rst)
                goto out;
 
-       if (tcp_synq_no_recent_overflow(sk) ||
-           (mss = __cookie_v4_check(ip_hdr(skb), th, cookie)) == 0) {
+       if (tcp_synq_no_recent_overflow(sk))
+               goto out;
+
+       mss = __cookie_v4_check(ip_hdr(skb), th, cookie);
+       if (mss == 0) {
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED);
                goto out;
        }
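Review bot: The new early `goto out` after `tcp_synq_no_recent_overflow(sk)` carries no comment, so a reader cannot tell why this path is exempt from LINUX_MIB_SYNCOOKIESFAILED while the `mss == 0` path is not. I would add above it `/* no recent listen queue overflow, so no cookie can be outstanding: not a validation failure */`, and the same in the identical hunk in cookie_v6_check. For anyone who alerts on this counter, ACKs rejected on this path are no longer counted by anything visible in the hunk, so the counter now reflects cookie-validation failures only. Whether the `out` path accounts for them elsewhere cannot be seen here, because the function body starts and ends outside the hunk.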
index 0e26e795b703cee7ca2367b397966444c1403b05..be291baa2ec2e181b7aefd7b006ef401804d67c0 100644 (file)
@@ -171,8 +171,11 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
        if (!sysctl_tcp_syncookies || !th->ack || th->rst)
                goto out;
 
-       if (tcp_synq_no_recent_overflow(sk) ||
-               (mss = __cookie_v6_check(ipv6_hdr(skb), th, cookie)) == 0) {
+       if (tcp_synq_no_recent_overflow(sk))
+               goto out;
+
+       mss = __cookie_v6_check(ipv6_hdr(skb), th, cookie);
+       if (mss == 0) {
                NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_SYNCOOKIESFAILED);
                goto out;
        }