Gitlab 现已全面支持 git over ssh 与 git over https。通过 HTTPS 访问请配置带有 read_repository / write_repository 权限的 Personal access token。通过 SSH 端口访问请使用 22 端口或 13389 端口。如果使用CAS注册了账户但不知道密码，可以自行至设置中更改；如有其他问题，请发邮件至 service@cra.moe 寻求协助。

Commit 282f23c6 authored Jul 17, 2012 by Eric Dumazet Committed by David S. Miller Jul 17, 2012

tcp: implement RFC 5961 3.2



Implement the RFC 5691 mitigation against Blind
Reset attack using RST bit.

Idea is to validate incoming RST sequence,
to match RCV.NXT value, instead of previouly accepted
window : (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND)

If sequence is in window but not an exact match, send
a "challenge ACK", so that the other part can resend an
RST with the appropriate sequence.

Add a new sysctl, tcp_challenge_ack_limit, to limit
number of challenge ACK sent per second.

Add a new SNMP counter to count number of challenge acks sent.
(netstat -s | grep TCPChallengeACK)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Kiran Kumar Kella <kkiran@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent a858d64b

Documentation/networking/ip-sysctl.txt

+5 −0

Original line number	Diff line number	Diff line
		@@ -565,6 +565,11 @@ tcp_limit_output_bytes - INTEGER
		reduce the size of individual GSO packet (64KB being the max)
		Default: 131072

		tcp_challenge_ack_limit - INTEGER
		Limits number of Challenge ACK sent per second, as recommended
		in RFC 5961 (Improving TCP's Robustness to Blind In-Window Attacks)
		Default: 100

		UDP variables:

		udp_mem - vector of 3 INTEGERs: min, pressure, max

include/linux/snmp.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -237,6 +237,7 @@ enum
		LINUX_MIB_TCPOFOQUEUE, /* TCPOFOQueue */
		LINUX_MIB_TCPOFODROP, /* TCPOFODrop */
		LINUX_MIB_TCPOFOMERGE, /* TCPOFOMerge */
		LINUX_MIB_TCPCHALLENGEACK, /* TCPChallengeACK */
		__LINUX_MIB_MAX
		};

include/net/tcp.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -254,6 +254,7 @@ extern int sysctl_tcp_thin_linear_timeouts;
		extern int sysctl_tcp_thin_dupack;
		extern int sysctl_tcp_early_retrans;
		extern int sysctl_tcp_limit_output_bytes;
		extern int sysctl_tcp_challenge_ack_limit;

		extern atomic_long_t tcp_memory_allocated;
		extern struct percpu_counter tcp_sockets_allocated;

net/ipv4/proc.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -261,6 +261,7 @@ static const struct snmp_mib snmp4_net_list[] = {
		SNMP_MIB_ITEM("TCPOFOQueue", LINUX_MIB_TCPOFOQUEUE),
		SNMP_MIB_ITEM("TCPOFODrop", LINUX_MIB_TCPOFODROP),
		SNMP_MIB_ITEM("TCPOFOMerge", LINUX_MIB_TCPOFOMERGE),
		SNMP_MIB_ITEM("TCPChallengeACK", LINUX_MIB_TCPCHALLENGEACK),
		SNMP_MIB_SENTINEL
		};

net/ipv4/sysctl_net_ipv4.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -605,6 +605,13 @@ static struct ctl_table ipv4_table[] = {
		.mode = 0644,
		.proc_handler = proc_dointvec
		},
		{
		.procname = "tcp_challenge_ack_limit",
		.data = &sysctl_tcp_challenge_ack_limit,
		.maxlen = sizeof(int),
		.mode = 0644,
		.proc_handler = proc_dointvec
		},
		#ifdef CONFIG_NET_DMA
		{
		.procname = "tcp_dma_copybreak",

CRA Git | Maintained and supported by SUSTech CRA and CCSE