From: Jakub Kicinski
Date: Fri, 11 Apr 2025 01:29:27 +0000 (-0700)
Subject: Merge branch 'tcp-add-a-new-tw_paws-drop-reason'
X-Git-Tag: v6.16-rc1~132^2~337
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c1e0100c6aa5ee5cf773cb00355309e79b2fac1b;p=thirdparty%2Flinux.git

Merge branch 'tcp-add-a-new-tw_paws-drop-reason'

Jiayuan Chen says:

====================
tcp: add a new TW_PAWS drop reason

Devices in the networking path, such as firewalls, NATs, or routers, which
can perform SNAT or DNAT, use addresses from their own limited address
pools to masquerade the source address during forwarding, causing PAWS
verification to fail more easily under TW status.

Currently, packet loss statistics for PAWS can only be viewed through MIB,
which is a global metric and cannot be precisely obtained through tracing
to get the specific 4-tuple of the dropped packet. In the past, we had to
use kprobe ret to retrieve relevant skb information from
tcp_timewait_state_process().

We add a drop_reason pointer and a new counter.

I didn't provide a packetdrill script.
I struggled for a long time to get packetdrill to fix the client port, but
ultimately failed to do so...

Instead, I wrote my own program to trigger PAWS, which can be found at
https://github.com/mrpre/nettrigger/tree/main
'''
//assume nginx running on 172.31.75.114:9999, current host is 172.31.75.115
iptables -t filter -I OUTPUT -p tcp --sport 12345 --tcp-flags RST RST -j DROP
./nettrigger -i eth0 -s 172.31.75.115:12345 -d 172.31.75.114:9999 -action paws
'''

v2: https://lore.kernel.org/5cdc1bdd9caee92a6ae932638a862fd5c67630e8@linux.dev
v3: https://lore.kernel.org/20250407140001.13886-1-jiayuan.chen@linux.dev
====================

Link: https://patch.msgid.link/20250409112614.16153-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski
---

c1e0100c6aa5ee5cf773cb00355309e79b2fac1b
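A simplified model of the RFC 7323 PAWS check that the cover letter above says fails behind SNAT/DNAT, added here as an illustration; it is not code from the kernel or from this series. The struct, the function names and all timestamp values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAWS_IDLE_LIMIT (24u * 24 * 60 * 60) /* RFC 7323: 24 days, in seconds */

/* Timestamp state kept for one 4-tuple in TIME_WAIT (illustrative names). */
struct tw_entry {
    uint32_t ts_recent;       /* last TSval accepted from the peer */
    uint32_t ts_recent_stamp; /* local time (s) when ts_recent was stored */
};

/* RFC 7323 PAWS: reject a segment whose TSval is older than ts_recent,
 * compared modulo 2^32, unless ts_recent is unset or too stale to trust. */
static bool paws_reject(const struct tw_entry *tw, uint32_t tsval, uint32_t now)
{
    if ((int32_t)(tw->ts_recent - tsval) <= 0)
        return false; /* TSval did not move backwards */
    if (now - tw->ts_recent_stamp >= PAWS_IDLE_LIMIT)
        return false; /* ts_recent is outdated */
    if (tw->ts_recent == 0)
        return false; /* nothing recorded */
    return true;
}

/* Constructed scenario: hosts A and B share one SNAT address, so B's SYN can
 * hit the TIME_WAIT entry left by A while carrying B's unrelated clock. */
static const struct { const char *who; struct tw_entry tw; uint32_t tsval, now; }
cases[] = {
    { "A again, clock moved forward", { 900000u, 1000u }, 900500u, 1001u },
    { "B, clock behind A's",          { 900000u, 1000u }, 120000u, 1001u },
    { "B, stale ts_recent (24 days)", { 900000u, 1000u }, 120000u, 1000u + PAWS_IDLE_LIMIT },
    { "A, TSval wrapped past 2^32",   { 0xFFFFFF00u, 1000u }, 0x10u, 1001u },
};
#define NCASES (sizeof(cases) / sizeof(cases[0]))

static int count_paws_drops(void)
{
    int drops = 0;
    for (size_t i = 0; i < NCASES; i++)
        drops += paws_reject(&cases[i].tw, cases[i].tsval, cases[i].now);
    return drops;
}

int main(void)
{
    for (size_t i = 0; i < NCASES; i++)
        printf("%-30s -> %s\n", cases[i].who,
               paws_reject(&cases[i].tw, cases[i].tsval, cases[i].now) ? "drop (PAWS)" : "pass");
    printf("PAWS drops: %d\n", count_paws_drops());
    return 0;
}
```

Only the second case is dropped: the segment reuses the 4-tuple of a fresh TIME_WAIT entry but carries a timestamp from a different host's clock, which is the situation a global MIB counter cannot attribute to a specific flow.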