[PATCH net-next] fou: Support binding FoU socket

[PATCH net-next] fou: Support binding FoU socket

[Kristian Evensen]

An FoU socket is currently bound to the wildcard-address. While this
works fine, there are several use-cases where the use of the
wildcard-address is not desirable. For example, I use FoU on some
multi-homed servers and would like to use FoU on only one of the
interfaces.

This commit adds support for binding FoU sockets to a given source
address/interface, as well as connecting the socket to a given
destination address/port. udp_tunnel already provides the required
infrastructure, so most of the code added is for exposing and setting
the different attributes (local address, peer address, etc.).

The lookups performed when we add, delete or get an FoU-socket has also
been updated to compare all the attributes a user can set. Since the
comparison now involves several elements, I have added a separate
comparison-function instead of open-coding.

I have been running this code for a while on some servers I am
responsible for, and I have not found any regressions. If none of the
new attributes are provided, then an FoU-socket is configured as before.
If any of the new attributes are provided, the FoU-socket is configured
as expected.

Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
---
 include/uapi/linux/fou.h |   6 ++
 net/ipv4/fou.c           | 121 +++++++++++++++++++++++++++++++++------
 2 files changed, 111 insertions(+), 16 deletions(-)

diff --git a/include/uapi/linux/fou.h b/include/uapi/linux/fou.h
index f2ea833a2812..87c2c9f08803 100644
--- a/include/uapi/linux/fou.h
+++ b/include/uapi/linux/fou.h
@@ -16,6 +16,12 @@ enum {
 	FOU_ATTR_IPPROTO,			/* u8 */
 	FOU_ATTR_TYPE,				/* u8 */
 	FOU_ATTR_REMCSUM_NOPARTIAL,		/* flag */
+	FOU_ATTR_LOCAL_V4,			/* u32 */
+	FOU_ATTR_LOCAL_V6,			/* in6_addr */
+	FOU_ATTR_PEER_V4,			/* u32 */
+	FOU_ATTR_PEER_V6,			/* in6_addr */
+	FOU_ATTR_PEER_PORT,			/* u16 */
+	FOU_ATTR_IFINDEX,			/* s32 */
 
 	__FOU_ATTR_MAX,
 };
diff --git a/net/ipv4/fou.c b/net/ipv4/fou.c
index 79e98e21cdd7..f8c655f407b2 100644
--- a/net/ipv4/fou.c
+++ b/net/ipv4/fou.c
@@ -499,15 +499,32 @@ static int gue_gro_complete(struct sock *sk, struct sk_buff *skb, int nhoff)
 	return err;
 }
 
-static int fou_add_to_port_list(struct net *net, struct fou *fou)
+static bool fou_cfg_cmp(struct fou *fou, struct fou_cfg *cfg)
+{
+	struct sock *sk = fou->sock->sk;
+	struct udp_port_cfg *udp_cfg = &cfg->udp_config;
+
+	return fou->family == udp_cfg->family &&
+	       fou->port == udp_cfg->local_udp_port &&
+	       sk->sk_dport == udp_cfg->peer_udp_port &&
+	       sk->sk_bound_dev_if == udp_cfg->bind_ifindex &&
+	       ((fou->family == AF_INET &&
+		 sk->sk_rcv_saddr == udp_cfg->local_ip.s_addr &&
+		 sk->sk_daddr == udp_cfg->peer_ip.s_addr) ||
+		(fou->family == AF_INET6 &&
+		 !ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, &udp_cfg->local_ip6) &&
+		 !ipv6_addr_cmp(&sk->sk_v6_daddr, &udp_cfg->peer_ip6)));
+}
+
+static int fou_add_to_port_list(struct net *net, struct fou *fou,
+				struct fou_cfg *cfg)
 {
 	struct fou_net *fn = net_generic(net, fou_net_id);
 	struct fou *fout;
 
 	mutex_lock(&fn->fou_lock);
 	list_for_each_entry(fout, &fn->fou_list, list) {
-		if (fou->port == fout->port &&
-		    fou->family == fout->family) {
+		if (fou_cfg_cmp(fout, cfg)) {
 			mutex_unlock(&fn->fou_lock);
 			return -EALREADY;
 		}
@@ -585,7 +602,7 @@ static int fou_create(struct net *net, struct fou_cfg *cfg,
 
 	sk->sk_allocation = GFP_ATOMIC;
 
-	err = fou_add_to_port_list(net, fou);
+	err = fou_add_to_port_list(net, fou, cfg);
 	if (err)
 		goto error;
 
@@ -605,14 +622,12 @@ static int fou_create(struct net *net, struct fou_cfg *cfg,
 static int fou_destroy(struct net *net, struct fou_cfg *cfg)
 {
 	struct fou_net *fn = net_generic(net, fou_net_id);
-	__be16 port = cfg->udp_config.local_udp_port;
-	u8 family = cfg->udp_config.family;
 	int err = -EINVAL;
 	struct fou *fou;
 
 	mutex_lock(&fn->fou_lock);
 	list_for_each_entry(fou, &fn->fou_list, list) {
-		if (fou->port == port && fou->family == family) {
+		if (fou_cfg_cmp(fou, cfg)) {
 			fou_release(fou);
 			err = 0;
 			break;
@@ -626,16 +641,26 @@ static int fou_destroy(struct net *net, struct fou_cfg *cfg)
 static struct genl_family fou_nl_family;
 
 static const struct nla_policy fou_nl_policy[FOU_ATTR_MAX + 1] = {
-	[FOU_ATTR_PORT] = { .type = NLA_U16, },
-	[FOU_ATTR_AF] = { .type = NLA_U8, },
-	[FOU_ATTR_IPPROTO] = { .type = NLA_U8, },
-	[FOU_ATTR_TYPE] = { .type = NLA_U8, },
-	[FOU_ATTR_REMCSUM_NOPARTIAL] = { .type = NLA_FLAG, },
+	[FOU_ATTR_PORT]			= { .type = NLA_U16, },
+	[FOU_ATTR_AF]			= { .type = NLA_U8, },
+	[FOU_ATTR_IPPROTO]		= { .type = NLA_U8, },
+	[FOU_ATTR_TYPE]			= { .type = NLA_U8, },
+	[FOU_ATTR_REMCSUM_NOPARTIAL]	= { .type = NLA_FLAG, },
+	[FOU_ATTR_LOCAL_V4]		= { .type = NLA_U32, },
+	[FOU_ATTR_PEER_V4]		= { .type = NLA_U32, },
+	[FOU_ATTR_LOCAL_V6]		= { .type = sizeof(struct in6_addr), },
+	[FOU_ATTR_PEER_V6]		= { .type = sizeof(struct in6_addr), },
+	[FOU_ATTR_PEER_PORT]		= { .type = NLA_U16, },
+	[FOU_ATTR_IFINDEX]		= { .type = NLA_S32, },
 };
 
 static int parse_nl_config(struct genl_info *info,
 			   struct fou_cfg *cfg)
 {
+	bool has_local = false, has_peer = false;
+	struct nlattr *attr;
+	__be16 port;
+
 	memset(cfg, 0, sizeof(*cfg));
 
 	cfg->udp_config.family = AF_INET;
@@ -657,8 +682,7 @@ static int parse_nl_config(struct genl_info *info,
 	}
 
 	if (info->attrs[FOU_ATTR_PORT]) {
-		__be16 port = nla_get_be16(info->attrs[FOU_ATTR_PORT]);
-
+		port = nla_get_be16(info->attrs[FOU_ATTR_PORT]);
 		cfg->udp_config.local_udp_port = port;
 	}
 
@@ -671,6 +695,51 @@ static int parse_nl_config(struct genl_info *info,
 	if (info->attrs[FOU_ATTR_REMCSUM_NOPARTIAL])
 		cfg->flags |= FOU_F_REMCSUM_NOPARTIAL;
 
+	if (cfg->udp_config.family == AF_INET) {
+		if (info->attrs[FOU_ATTR_LOCAL_V4]) {
+			attr = info->attrs[FOU_ATTR_LOCAL_V4];
+			cfg->udp_config.local_ip.s_addr = nla_get_in_addr(attr);
+			has_local = true;
+		}
+
+		if (info->attrs[FOU_ATTR_PEER_V4]) {
+			attr = info->attrs[FOU_ATTR_PEER_V4];
+			cfg->udp_config.peer_ip.s_addr = nla_get_in_addr(attr);
+			has_peer = true;
+		}
+	} else {
+		if (info->attrs[FOU_ATTR_LOCAL_V6]) {
+			attr = info->attrs[FOU_ATTR_LOCAL_V6];
+			cfg->udp_config.local_ip6 = nla_get_in6_addr(attr);
+			has_local = true;
+		}
+
+		if (info->attrs[FOU_ATTR_PEER_V6]) {
+			attr = info->attrs[FOU_ATTR_PEER_V6];
+			cfg->udp_config.peer_ip6 = nla_get_in6_addr(attr);
+			has_peer = true;
+		}
+	}
+
+	if (info->attrs[FOU_ATTR_PEER_PORT]) {
+		if (!has_peer)
+			return -EINVAL;
+
+		port = nla_get_be16(info->attrs[FOU_ATTR_PEER_PORT]);
+		cfg->udp_config.peer_udp_port = port;
+	}
+
+	if (info->attrs[FOU_ATTR_IFINDEX]) {
+		int ifindex;
+
+		if (!has_local)
+			return -EINVAL;
+
+		ifindex = nla_get_s32(info->attrs[FOU_ATTR_IFINDEX]);
+
+		cfg->udp_config.bind_ifindex = ifindex;
+	}
+
 	return 0;
 }
 
@@ -702,15 +771,35 @@ static int fou_nl_cmd_rm_port(struct sk_buff *skb, struct genl_info *info)
 
 static int fou_fill_info(struct fou *fou, struct sk_buff *msg)
 {
+	struct sock *sk = fou->sock->sk;
+
 	if (nla_put_u8(msg, FOU_ATTR_AF, fou->sock->sk->sk_family) ||
 	    nla_put_be16(msg, FOU_ATTR_PORT, fou->port) ||
+	    nla_put_be16(msg, FOU_ATTR_PEER_PORT, sk->sk_dport) ||
 	    nla_put_u8(msg, FOU_ATTR_IPPROTO, fou->protocol) ||
-	    nla_put_u8(msg, FOU_ATTR_TYPE, fou->type))
+	    nla_put_u8(msg, FOU_ATTR_TYPE, fou->type) ||
+	    nla_put_s32(msg, FOU_ATTR_IFINDEX, sk->sk_bound_dev_if))
 		return -1;
 
 	if (fou->flags & FOU_F_REMCSUM_NOPARTIAL)
 		if (nla_put_flag(msg, FOU_ATTR_REMCSUM_NOPARTIAL))
 			return -1;
+
+	if (fou->sock->sk->sk_family == AF_INET) {
+		if (nla_put_in_addr(msg, FOU_ATTR_LOCAL_V4, sk->sk_rcv_saddr))
+			return -1;
+
+		if (nla_put_in_addr(msg, FOU_ATTR_PEER_V4, sk->sk_daddr))
+			return -1;
+	} else {
+		if (nla_put_in6_addr(msg, FOU_ATTR_LOCAL_V6,
+				     &sk->sk_v6_rcv_saddr))
+			return -1;
+
+		if (nla_put_in6_addr(msg, FOU_ATTR_PEER_V6, &sk->sk_v6_daddr))
+			return -1;
+	}
+
 	return 0;
 }
 
@@ -763,7 +852,7 @@ static int fou_nl_cmd_get_port(struct sk_buff *skb, struct genl_info *info)
 	ret = -ESRCH;
 	mutex_lock(&fn->fou_lock);
 	list_for_each_entry(fout, &fn->fou_list, list) {
-		if (port == fout->port && family == fout->family) {
+		if (fou_cfg_cmp(fout, &cfg)) {
 			ret = fou_dump_info(fout, info->snd_portid,
 					    info->snd_seq, 0, msg,
 					    info->genlhdr->cmd);
-- 
2.19.1

Re: [PATCH net-next] fou: Support binding FoU socket

[kbuild test robot]

[-- Attachment #1: Type: text/plain, Size: 8160 bytes --]

Hi Kristian,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on net-next/master]

url:    https://github.com/0day-ci/linux/commits/Kristian-Evensen/fou-Support-binding-FoU-socket/20190321-232759
config: x86_64-kexec (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=x86_64 

All error/warnings (new ones prefixed by >>):

   In file included from include/net/inet_sock.h:26:0,
                    from include/linux/udp.h:20,
                    from net/ipv4/fou.c:7:
   net/ipv4/fou.c: In function 'fou_cfg_cmp':
>> include/net/sock.h:361:37: error: 'struct sock_common' has no member named 'skc_v6_rcv_saddr'; did you mean 'skc_rcv_saddr'?
    #define sk_v6_rcv_saddr __sk_common.skc_v6_rcv_saddr
                                        ^
>> net/ipv4/fou.c:515:24: note: in expansion of macro 'sk_v6_rcv_saddr'
       !ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, &udp_cfg->local_ip6) &&
                           ^~~~~~~~~~~~~~~
>> net/ipv4/fou.c:515:51: error: 'struct udp_port_cfg' has no member named 'local_ip6'; did you mean 'local_ip'?
       !ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, &udp_cfg->local_ip6) &&
                                                      ^~~~~~~~~
                                                      local_ip
   In file included from include/net/inet_sock.h:26:0,
                    from include/linux/udp.h:20,
                    from net/ipv4/fou.c:7:
>> include/net/sock.h:360:34: error: 'struct sock_common' has no member named 'skc_v6_daddr'; did you mean 'skc_daddr'?
    #define sk_v6_daddr  __sk_common.skc_v6_daddr
                                     ^
>> net/ipv4/fou.c:516:24: note: in expansion of macro 'sk_v6_daddr'
       !ipv6_addr_cmp(&sk->sk_v6_daddr, &udp_cfg->peer_ip6)));
                           ^~~~~~~~~~~
>> net/ipv4/fou.c:516:47: error: 'struct udp_port_cfg' has no member named 'peer_ip6'; did you mean 'peer_ip'?
       !ipv6_addr_cmp(&sk->sk_v6_daddr, &udp_cfg->peer_ip6)));
                                                  ^~~~~~~~
                                                  peer_ip
   net/ipv4/fou.c: In function 'parse_nl_config':
   net/ipv4/fou.c:713:20: error: 'struct udp_port_cfg' has no member named 'local_ip6'; did you mean 'local_ip'?
       cfg->udp_config.local_ip6 = nla_get_in6_addr(attr);
                       ^~~~~~~~~
                       local_ip
   net/ipv4/fou.c:719:20: error: 'struct udp_port_cfg' has no member named 'peer_ip6'; did you mean 'peer_ip'?
       cfg->udp_config.peer_ip6 = nla_get_in6_addr(attr);
                       ^~~~~~~~
                       peer_ip
   In file included from include/net/inet_sock.h:26:0,
                    from include/linux/udp.h:20,
                    from net/ipv4/fou.c:7:
   net/ipv4/fou.c: In function 'fou_fill_info':
>> include/net/sock.h:361:37: error: 'struct sock_common' has no member named 'skc_v6_rcv_saddr'; did you mean 'skc_rcv_saddr'?
    #define sk_v6_rcv_saddr __sk_common.skc_v6_rcv_saddr
                                        ^
   net/ipv4/fou.c:796:15: note: in expansion of macro 'sk_v6_rcv_saddr'
             &sk->sk_v6_rcv_saddr))
                  ^~~~~~~~~~~~~~~
>> include/net/sock.h:360:34: error: 'struct sock_common' has no member named 'skc_v6_daddr'; did you mean 'skc_daddr'?
    #define sk_v6_daddr  __sk_common.skc_v6_daddr
                                     ^
   net/ipv4/fou.c:799:52: note: in expansion of macro 'sk_v6_daddr'
      if (nla_put_in6_addr(msg, FOU_ATTR_PEER_V6, &sk->sk_v6_daddr))
                                                       ^~~~~~~~~~~
   net/ipv4/fou.c: In function 'fou_cfg_cmp':
   net/ipv4/fou.c:517:1: warning: control reaches end of non-void function [-Wreturn-type]
    }
    ^
--
   In file included from include/net/inet_sock.h:26:0,
                    from include/linux/udp.h:20,
                    from net//ipv4/fou.c:7:
   net//ipv4/fou.c: In function 'fou_cfg_cmp':
>> include/net/sock.h:361:37: error: 'struct sock_common' has no member named 'skc_v6_rcv_saddr'; did you mean 'skc_rcv_saddr'?
    #define sk_v6_rcv_saddr __sk_common.skc_v6_rcv_saddr
                                        ^
   net//ipv4/fou.c:515:24: note: in expansion of macro 'sk_v6_rcv_saddr'
       !ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, &udp_cfg->local_ip6) &&
                           ^~~~~~~~~~~~~~~
   net//ipv4/fou.c:515:51: error: 'struct udp_port_cfg' has no member named 'local_ip6'; did you mean 'local_ip'?
       !ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, &udp_cfg->local_ip6) &&
                                                      ^~~~~~~~~
                                                      local_ip
   In file included from include/net/inet_sock.h:26:0,
                    from include/linux/udp.h:20,
                    from net//ipv4/fou.c:7:
>> include/net/sock.h:360:34: error: 'struct sock_common' has no member named 'skc_v6_daddr'; did you mean 'skc_daddr'?
    #define sk_v6_daddr  __sk_common.skc_v6_daddr
                                     ^
   net//ipv4/fou.c:516:24: note: in expansion of macro 'sk_v6_daddr'
       !ipv6_addr_cmp(&sk->sk_v6_daddr, &udp_cfg->peer_ip6)));
                           ^~~~~~~~~~~
   net//ipv4/fou.c:516:47: error: 'struct udp_port_cfg' has no member named 'peer_ip6'; did you mean 'peer_ip'?
       !ipv6_addr_cmp(&sk->sk_v6_daddr, &udp_cfg->peer_ip6)));
                                                  ^~~~~~~~
                                                  peer_ip
   net//ipv4/fou.c: In function 'parse_nl_config':
   net//ipv4/fou.c:713:20: error: 'struct udp_port_cfg' has no member named 'local_ip6'; did you mean 'local_ip'?
       cfg->udp_config.local_ip6 = nla_get_in6_addr(attr);
                       ^~~~~~~~~
                       local_ip
   net//ipv4/fou.c:719:20: error: 'struct udp_port_cfg' has no member named 'peer_ip6'; did you mean 'peer_ip'?
       cfg->udp_config.peer_ip6 = nla_get_in6_addr(attr);
                       ^~~~~~~~
                       peer_ip
   In file included from include/net/inet_sock.h:26:0,
                    from include/linux/udp.h:20,
                    from net//ipv4/fou.c:7:
   net//ipv4/fou.c: In function 'fou_fill_info':
>> include/net/sock.h:361:37: error: 'struct sock_common' has no member named 'skc_v6_rcv_saddr'; did you mean 'skc_rcv_saddr'?
    #define sk_v6_rcv_saddr __sk_common.skc_v6_rcv_saddr
                                        ^
   net//ipv4/fou.c:796:15: note: in expansion of macro 'sk_v6_rcv_saddr'
             &sk->sk_v6_rcv_saddr))
                  ^~~~~~~~~~~~~~~
>> include/net/sock.h:360:34: error: 'struct sock_common' has no member named 'skc_v6_daddr'; did you mean 'skc_daddr'?
    #define sk_v6_daddr  __sk_common.skc_v6_daddr
                                     ^
   net//ipv4/fou.c:799:52: note: in expansion of macro 'sk_v6_daddr'
      if (nla_put_in6_addr(msg, FOU_ATTR_PEER_V6, &sk->sk_v6_daddr))
                                                       ^~~~~~~~~~~
   net//ipv4/fou.c: In function 'fou_cfg_cmp':
   net//ipv4/fou.c:517:1: warning: control reaches end of non-void function [-Wreturn-type]
    }
    ^

vim +515 net/ipv4/fou.c

   501	
   502	static bool fou_cfg_cmp(struct fou *fou, struct fou_cfg *cfg)
   503	{
   504		struct sock *sk = fou->sock->sk;
   505		struct udp_port_cfg *udp_cfg = &cfg->udp_config;
   506	
   507		return fou->family == udp_cfg->family &&
   508		       fou->port == udp_cfg->local_udp_port &&
   509		       sk->sk_dport == udp_cfg->peer_udp_port &&
   510		       sk->sk_bound_dev_if == udp_cfg->bind_ifindex &&
   511		       ((fou->family == AF_INET &&
   512			 sk->sk_rcv_saddr == udp_cfg->local_ip.s_addr &&
   513			 sk->sk_daddr == udp_cfg->peer_ip.s_addr) ||
   514			(fou->family == AF_INET6 &&
 > 515			 !ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, &udp_cfg->local_ip6) &&
 > 516			 !ipv6_addr_cmp(&sk->sk_v6_daddr, &udp_cfg->peer_ip6)));
   517	}
   518	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 26481 bytes --]

Re: [PATCH net-next] fou: Support binding FoU socket

[David Miller]

From: Kristian Evensen <kristian.evensen@gmail.com>
Date: Wed, 20 Mar 2019 09:25:28 +0100

> The lookups performed when we add, delete or get an FoU-socket has also
> been updated to compare all the attributes a user can set. Since the
> comparison now involves several elements, I have added a separate
> comparison-function instead of open-coding.

This seems to allow adding both a wildcarded and a non-wildcarded fou
socket, which otherwise has overlapping match scenerios.

I don't think you want to allow that unless you can determine that
you aren't creating a situation where multiple fou sockets could
match the same tunneled packet.

Re: [PATCH net-next] fou: Support binding FoU socket

[Kristian Evensen]

Hi,

On Thu, Mar 21, 2019 at 9:10 PM David Miller <davem@davemloft.net> wrote:
> This seems to allow adding both a wildcarded and a non-wildcarded fou
> socket, which otherwise has overlapping match scenerios.
>
> I don't think you want to allow that unless you can determine that
> you aren't creating a situation where multiple fou sockets could
> match the same tunneled packet.

(Apologies to David for multiple copies of this reply. I thought I was
safe from HTML-encoded emails when using Gmail through the browser.
Turns out not to be true for mobile ...)

Thanks for your comments and apoligies for my late reply, Gmail
flagged you message as spam for some reason.

I tried to test and make sure that we would not get any false
positives when mixing non-wildcarded/wildcarded sockets. In my tests,
I first created a wildcard socket bound to port 9999. I then tried to
add a second, non-wildcarded socket bound to the same port. I also
tried to fetch and delete the socket, including souce address, peer
address or interface index in the netlink request. Both the create,
fetch and delete request failed. Deleting/fetching the socket was only
successful when my netlink request attributes matched those used to
create the socket.

I then did the same tests, but with a socket bound to a local ip
address, a socket bound to a local address + interface, and a bound
socket that was also «connected» to a peer. Add only worked when no
socket with the matching source address/interface (or wildcard)
existed, while fetch/delete was only succesful when all attributes
matched.

Perhaps there is something I am misunderstanding, or a case I am not aware of?

Thanks again for your comments!

BR,
Kristian

Re: [PATCH net-next] fou: Support binding FoU socket

[David Miller]

From: Kristian Evensen <kristian.evensen@gmail.com>
Date: Sun, 24 Mar 2019 10:24:55 +0100

> Perhaps there is something I am misunderstanding, or a case I am not aware
> of?

Ok if all of your tests pass then my concerns are addressed.

Please deal with the kbuild robot reported build failures and
resubmit, thanks.