Devices in the networking path, such as firewalls, NATs, or routers, which can perform SNAT or DNAT, use addresses from their own limited address pools to masquerade the source address during forwarding, causing PAWS verification to fail more easily under TW status. Currently, packet loss statistics for PAWS can only be viewed through MIB, which is a global metric and cannot be precisely obtained through tracing to get the specific 4-tuple of the dropped packet. In the past, we had to use kprobe ret to retrieve relevant skb information from tcp_timewait_state_process(). We add a drop_reason pointer and a new counter. --- v3 -> v4: 1. Update commit message and make it more concise. 2. Integrated Reviewed-by tag from v3. https://lore.kernel.org/netdev/20250407140001.13886-1-jiayuan.chen@xxxxxxxxx/T/#t v2 -> v3: Use new SNMP counter and drop reason suggested by Eric. https://lore.kernel.org/netdev/5cdc1bdd9caee92a6ae932638a862fd5c67630e8@xxxxxxxxx/T/#t I didn't provide a packetdrill script. I struggled for a long time to get packetdrill to fix the client port, but ultimately failed to do so... Instead, I wrote my own program to trigger PAWS, which can be found at https://github.com/mrpre/nettrigger/tree/main ''' //assume nginx running on 172.31.75.114:9999, current host is 172.31.75.115 iptables -t filter -I OUTPUT -p tcp --sport 12345 --tcp-flags RST RST -j DROP ./nettrigger -i eth0 -s 172.31.75.115:12345 -d 172.31.75.114:9999 -action paws ''' Jiayuan Chen (2): tcp: add TCP_RFC7323_TW_PAWS drop reason tcp: add LINUX_MIB_PAWS_TW_REJECTED counter Documentation/networking/net_cachelines/snmp.rst | 2 ++ include/net/dropreason-core.h | 7 +++++++ include/net/tcp.h | 3 ++- include/uapi/linux/snmp.h | 1 + net/ipv4/proc.c | 1 + net/ipv4/tcp_ipv4.c | 3 ++- net/ipv4/tcp_minisocks.c | 9 ++++++--- net/ipv6/tcp_ipv6.c | 3 ++- 8 files changed, 23 insertions(+), 6 deletions(-) -- 2.47.1
