From 91236ce0117fe5662b106b54824c84e44bfd7a2d Mon Sep 17 00:00:00 2001
From: Florin Coras
Date: Sun, 16 Dec 2018 11:41:45 -0800
Subject: [PATCH] tcp: accept rst that fail paws

Change-Id: I945d1644a23b6a3d50c9beaffc732d2b6facd974
Signed-off-by: Florin Coras
---
 src/vnet/tcp/tcp_input.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/vnet/tcp/tcp_input.c b/src/vnet/tcp/tcp_input.c
index 94dcaaf9eda..4406d685b6c 100644
--- a/src/vnet/tcp/tcp_input.c
+++ b/src/vnet/tcp/tcp_input.c
@@ -316,18 +316,18 @@ tcp_segment_validate (tcp_worker_ctx_t * wrk, tcp_connection_t * tc0,
 tcp_time_now_w_thread (tc0->c_thread_index)))
 {
 tc0->tsval_recent = tc0->rcv_opts.tsval;
- clib_warning ("paws failed - really old segment. REALLY?");
+ clib_warning ("paws failed: 24-day old segment");
 }
- else
+ /* Drop after ack if not rst. Resets can fail paws check as per
+ * RFC 7323 sec. 5.2: When an segment is received, it MUST NOT
+ * be subjected to the PAWS check by verifying an acceptable value in
+ * SEG.TSval */
+ else if (!tcp_rst (th0))
 {
- /* Drop after ack if not rst */
- if (!tcp_rst (th0))
- {
- tcp_program_ack (wrk, tc0);
- TCP_EVT_DBG (TCP_EVT_DUPACK_SENT, tc0, vnet_buffer (b0)->tcp);
- }
+ tcp_program_ack (wrk, tc0);
+ TCP_EVT_DBG (TCP_EVT_DUPACK_SENT, tc0, vnet_buffer (b0)->tcp);
+ goto error;
 }
- goto error;
 }
 
 /* 1st: check sequence number */
-- 
2.16.6
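Review bot: Moving `goto error` into the `else if (!tcp_rst (th0))` body also changes the first branch: a segment that fails PAWS but triggers the 24-day `tsval_recent` reset is no longer dropped and now continues to the sequence-number check, which neither the commit title (RST only) nor the new comment mentions. If that is intended, say so next to the warning, e.g. `/* tsval_recent invalidated: let the segment continue to the sequence check */`. For resets, the only remaining gate is the validation that follows this block, so it is worth confirming (outside this hunk) that an RST is accepted only on the sequence checks RFC 5961 describes, and stating in the comment that `RSTs that fail PAWS are still subject to the sequence check below`. tcp_segment_validate starts above and continues below the hunk.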