* [MPTCP][PATCH mptcp-next 0/5] add MP_CAPABLE 'C' flag
@ 2021-04-27 10:07 Geliang Tang
  2021-04-27 10:07 ` [MPTCP][PATCH mptcp-next 1/5] mptcp: add a new sysctl join_denied Geliang Tang
  0 siblings, 1 reply; 8+ messages in thread
From: Geliang Tang @ 2021-04-27 10:07 UTC (permalink / raw)
  To: mptcp; +Cc: Geliang Tang

This patch set addresses issue #183.

patch 3 is from the "data checksum support" series.

Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/183

Geliang Tang (5):
  mptcp: add a new sysctl join_denied
  mptcp: add join_denied in mptcp_out_options
  mptcp: add sk parameter for mptcp_parse_option
  mptcp: add join_denied in mptcp_sock
  selftests: mptcp: add join_denied testcases

 Documentation/networking/mptcp-sysctl.rst     |  8 ++++
 include/net/mptcp.h                           |  3 +-
 net/mptcp/ctrl.c                              | 14 ++++++
 net/mptcp/options.c                           | 28 +++++++++---
 net/mptcp/protocol.c                          |  1 +
 net/mptcp/protocol.h                          | 11 +++--
 net/mptcp/subflow.c                           | 11 ++---
 .../testing/selftests/net/mptcp/mptcp_join.sh | 45 +++++++++++++++++++
 8 files changed, 106 insertions(+), 15 deletions(-)

-- 
2.30.2



* [MPTCP][PATCH mptcp-next 1/5] mptcp: add a new sysctl join_denied
  2021-04-27 10:07 [MPTCP][PATCH mptcp-next 0/5] add MP_CAPABLE 'C' flag Geliang Tang
@ 2021-04-27 10:07 ` Geliang Tang
  2021-04-27 10:07   ` [MPTCP][PATCH mptcp-next 2/5] mptcp: add join_denied in mptcp_out_options Geliang Tang
  2021-04-27 23:07   ` [MPTCP][PATCH mptcp-next 1/5] mptcp: add a new sysctl join_denied Mat Martineau
  0 siblings, 2 replies; 8+ messages in thread
From: Geliang Tang @ 2021-04-27 10:07 UTC (permalink / raw)
  To: mptcp; +Cc: Geliang Tang

This patch adds a new sysctl, named join_denied, to control
whether joins can be denied.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
---
 Documentation/networking/mptcp-sysctl.rst |  8 ++++++++
 net/mptcp/ctrl.c                          | 14 ++++++++++++++
 net/mptcp/protocol.h                      |  1 +
 3 files changed, 23 insertions(+)

diff --git a/Documentation/networking/mptcp-sysctl.rst b/Documentation/networking/mptcp-sysctl.rst
index 6af0196c4297..dbf4df3e6950 100644
--- a/Documentation/networking/mptcp-sysctl.rst
+++ b/Documentation/networking/mptcp-sysctl.rst
@@ -24,3 +24,11 @@ add_addr_timeout - INTEGER (seconds)
 	sysctl.
 
 	Default: 120
+
+join_denied - INTEGER
+	Control whether the joins can be denied.
+
+	The joins can be denied if the value is nonzero. This is a
+	per-namespace sysctl.
+
+	Default: 0
diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
index 96ba616f59bf..4613bf42397d 100644
--- a/net/mptcp/ctrl.c
+++ b/net/mptcp/ctrl.c
@@ -19,6 +19,7 @@ struct mptcp_pernet {
 
 	int mptcp_enabled;
 	unsigned int add_addr_timeout;
+	int join_denied;
 };
 
 static struct mptcp_pernet *mptcp_get_pernet(struct net *net)
@@ -36,6 +37,11 @@ unsigned int mptcp_get_add_addr_timeout(struct net *net)
 	return mptcp_get_pernet(net)->add_addr_timeout;
 }
 
+int mptcp_is_join_denied(struct net *net)
+{
+	return mptcp_get_pernet(net)->join_denied;
+}
+
 static struct ctl_table mptcp_sysctl_table[] = {
 	{
 		.procname = "enabled",
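Review bot: mptcp_is_join_denied() returns the raw sysctl int, and the table entry added in the next hunk registers it with `proc_dointvec` and no bounds, so any value, including negatives and values above 1, is accepted for what the documentation describes as an on/off switch. Restricting the entry to 0/1 keeps the stored value and the documented meaning in step: `.proc_handler = proc_dointvec_minmax, .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE,`. The getter could then return `bool`, and because the value can be rewritten through /proc at any time, reading it with `READ_ONCE()` would make the lockless read explicit.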
@@ -52,6 +58,12 @@ static struct ctl_table mptcp_sysctl_table[] = {
 		.mode = 0644,
 		.proc_handler = proc_dointvec_jiffies,
 	},
+	{
+		.procname = "join_denied",
+		.maxlen = sizeof(int),
+		.mode = 0644,
+		.proc_handler = proc_dointvec,
+	},
 	{}
 };
 
@@ -59,6 +71,7 @@ static void mptcp_pernet_set_defaults(struct mptcp_pernet *pernet)
 {
 	pernet->mptcp_enabled = 1;
 	pernet->add_addr_timeout = TCP_RTO_MAX;
+	pernet->join_denied = 0;
 }
 
 static int mptcp_pernet_new_table(struct net *net, struct mptcp_pernet *pernet)
@@ -75,6 +88,7 @@ static int mptcp_pernet_new_table(struct net *net, struct mptcp_pernet *pernet)
 
 	table[0].data = &pernet->mptcp_enabled;
 	table[1].data = &pernet->add_addr_timeout;
+	table[2].data = &pernet->join_denied;
 
 	hdr = register_net_sysctl(net, MPTCP_SYSCTL_PATH, table);
 	if (!hdr)
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index d230a75af631..a14c1ba85212 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -524,6 +524,7 @@ static inline void mptcp_subflow_delegated_done(struct mptcp_subflow_context *su
 
 int mptcp_is_enabled(struct net *net);
 unsigned int mptcp_get_add_addr_timeout(struct net *net);
+int mptcp_is_join_denied(struct net *net);
 void mptcp_subflow_fully_established(struct mptcp_subflow_context *subflow,
 				     struct mptcp_options_received *mp_opt);
 bool mptcp_subflow_data_available(struct sock *sk);
-- 
2.30.2



* [MPTCP][PATCH mptcp-next 2/5] mptcp: add join_denied in mptcp_out_options
  2021-04-27 10:07 ` [MPTCP][PATCH mptcp-next 1/5] mptcp: add a new sysctl join_denied Geliang Tang
@ 2021-04-27 10:07   ` Geliang Tang
  2021-04-27 10:07     ` [MPTCP][PATCH mptcp-next 3/5] mptcp: add sk parameter for mptcp_parse_option Geliang Tang
  2021-04-27 23:07   ` [MPTCP][PATCH mptcp-next 1/5] mptcp: add a new sysctl join_denied Mat Martineau
  1 sibling, 1 reply; 8+ messages in thread
From: Geliang Tang @ 2021-04-27 10:07 UTC (permalink / raw)
  To: mptcp; +Cc: Geliang Tang

This patch defines a new flag, MPTCP_CAP_JOIN_DENIED, for the third bit
(labeled "C") of the MP_CAPABLE option.

Add a new flag join_denied in struct mptcp_out_options. If this flag is
set, send out the MP_CAPABLE option with the flag MPTCP_CAP_JOIN_DENIED.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
---
 include/net/mptcp.h  |  3 ++-
 net/mptcp/options.c  | 10 ++++++++--
 net/mptcp/protocol.h |  6 ++++--
 net/mptcp/subflow.c  |  1 +
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/include/net/mptcp.h b/include/net/mptcp.h
index 83f23774b908..0d83491ab0a2 100644
--- a/include/net/mptcp.h
+++ b/include/net/mptcp.h
@@ -64,7 +64,8 @@ struct mptcp_out_options {
 	u8 join_id;
 	u8 backup;
 	u8 reset_reason:4;
-	u8 reset_transient:1;
+	u8 reset_transient:1,
+	   join_denied:1;
 	u32 nonce;
 	u64 thmac;
 	u32 token;
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 99fc21406168..df90f8b46055 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -381,6 +381,7 @@ bool mptcp_syn_options(struct sock *sk, const struct sk_buff *skb,
 	subflow->snd_isn = TCP_SKB_CB(skb)->end_seq;
 	if (subflow->request_mptcp) {
 		opts->suboptions = OPTION_MPTCP_MPC_SYN;
+		opts->join_denied = mptcp_is_join_denied(sock_net(sk));
 		*size = TCPOLEN_MPTCP_MPC_SYN;
 		return true;
 	} else if (subflow->request_join) {
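Review bot: `opts->join_denied` is a one-bit field (`join_denied:1` in struct mptcp_out_options, added by this patch), so assigning the `int` returned by mptcp_is_join_denied() keeps only the low bit: a sysctl value of 2 would store 0 and the C flag would not be sent, although the documentation in patch 1 says any nonzero value enables it. Normalising at the assignment avoids that: `opts->join_denied = !!mptcp_is_join_denied(sock_net(sk));`. The same assignment appears in the mptcp_established_options_mp() hunk and in subflow_init_req() (`subflow_req->join_denied`, also one bit wide). The body of mptcp_syn_options() continues outside this hunk.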
@@ -466,6 +467,7 @@ static bool mptcp_established_options_mp(struct sock *sk, struct sk_buff *skb,
 		opts->suboptions = OPTION_MPTCP_MPC_ACK;
 		opts->sndr_key = subflow->local_key;
 		opts->rcvr_key = subflow->remote_key;
+		opts->join_denied = mptcp_is_join_denied(sock_net(sk));
 
 		/* Section 3.1.
 		 * The MP_CAPABLE option is carried on the SYN, SYN/ACK, and ACK
@@ -790,6 +792,7 @@ bool mptcp_synack_options(const struct request_sock *req, unsigned int *size,
 	if (subflow_req->mp_capable) {
 		opts->suboptions = OPTION_MPTCP_MPC_SYNACK;
 		opts->sndr_key = subflow_req->local_key;
+		opts->join_denied = subflow_req->join_denied;
 		*size = TCPOLEN_MPTCP_MPC_SYNACK;
 		pr_debug("subflow_req=%p, local_key=%llu",
 			 subflow_req, subflow_req->local_key);
@@ -1124,7 +1127,7 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp,
 {
 	if ((OPTION_MPTCP_MPC_SYN | OPTION_MPTCP_MPC_SYNACK |
 	     OPTION_MPTCP_MPC_ACK) & opts->suboptions) {
-		u8 len;
+		u8 len, flag = MPTCP_CAP_HMAC_SHA256;
 
 		if (OPTION_MPTCP_MPC_SYN & opts->suboptions)
 			len = TCPOLEN_MPTCP_MPC_SYN;
@@ -1135,9 +1138,12 @@ void mptcp_write_options(__be32 *ptr, const struct tcp_sock *tp,
 		else
 			len = TCPOLEN_MPTCP_MPC_ACK;
 
+		if (opts->join_denied)
+			flag |= MPTCP_CAP_JOIN_DENIED;
+
 		*ptr++ = mptcp_option(MPTCPOPT_MP_CAPABLE, len,
 				      MPTCP_SUPPORTED_VERSION,
-				      MPTCP_CAP_HMAC_SHA256);
+				      flag);
 
 		if (!((OPTION_MPTCP_MPC_SYNACK | OPTION_MPTCP_MPC_ACK) &
 		    opts->suboptions))
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index a14c1ba85212..ce8bebf13637 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -77,8 +77,9 @@
 #define MPTCP_VERSION_MASK	(0x0F)
 #define MPTCP_CAP_CHECKSUM_REQD	BIT(7)
 #define MPTCP_CAP_EXTENSIBILITY	BIT(6)
+#define MPTCP_CAP_JOIN_DENIED	BIT(5)
 #define MPTCP_CAP_HMAC_SHA256	BIT(0)
-#define MPTCP_CAP_FLAG_MASK	(0x3F)
+#define MPTCP_CAP_FLAG_MASK	(0x1F)
 
 /* MPTCP DSS flags */
 #define MPTCP_DSS_DATA_FIN	BIT(4)
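Review bot: `MPTCP_CAP_FLAG_MASK` narrows from 0x3F to 0x1F with no comment saying what the mask selects, yet it decides whether a received MP_CAPABLE is accepted, since mptcp_cap_flag_sha256() compares `flags & MPTCP_CAP_FLAG_MASK` against `MPTCP_CAP_HMAC_SHA256`. A one-line comment above the define would record that bit 5 is now deliberately outside that comparison, for example `/* low five bits: crypto algorithm negotiation; JOIN_DENIED (bit 5) is excluded on purpose */`.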
@@ -338,7 +339,8 @@ struct mptcp_subflow_request_sock {
 	struct	tcp_request_sock sk;
 	u16	mp_capable : 1,
 		mp_join : 1,
-		backup : 1;
+		backup : 1,
+		join_denied : 1;
 	u8	local_id;
 	u8	remote_id;
 	u64	local_key;
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 15620bafc544..64cacbb75454 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -108,6 +108,7 @@ static void subflow_init_req(struct request_sock *req, const struct sock *sk_lis
 
 	subflow_req->mp_capable = 0;
 	subflow_req->mp_join = 0;
+	subflow_req->join_denied = mptcp_is_join_denied(sock_net(sk_listener));
 	subflow_req->msk = NULL;
 	mptcp_token_init_request(req);
 }
-- 
2.30.2



* [MPTCP][PATCH mptcp-next 3/5] mptcp: add sk parameter for mptcp_parse_option
  2021-04-27 10:07   ` [MPTCP][PATCH mptcp-next 2/5] mptcp: add join_denied in mptcp_out_options Geliang Tang
@ 2021-04-27 10:07     ` Geliang Tang
  2021-04-27 10:07       ` [MPTCP][PATCH mptcp-next 4/5] mptcp: add join_denied in mptcp_sock Geliang Tang
  0 siblings, 1 reply; 8+ messages in thread
From: Geliang Tang @ 2021-04-27 10:07 UTC (permalink / raw)
  To: mptcp; +Cc: Geliang Tang

This patch adds a new parameter named sk to mptcp_parse_option() and
mptcp_get_options().

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
---
 net/mptcp/options.c  | 10 ++++++----
 net/mptcp/protocol.h |  3 ++-
 net/mptcp/subflow.c  | 10 +++++-----
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index df90f8b46055..7b354125f33b 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -20,7 +20,8 @@ static bool mptcp_cap_flag_sha256(u8 flags)
 	return (flags & MPTCP_CAP_FLAG_MASK) == MPTCP_CAP_HMAC_SHA256;
 }
 
-static void mptcp_parse_option(const struct sk_buff *skb,
+static void mptcp_parse_option(const struct sock *sk,
+			       const struct sk_buff *skb,
 			       const unsigned char *ptr, int opsize,
 			       struct mptcp_options_received *mp_opt)
 {
@@ -324,7 +325,8 @@ static void mptcp_parse_option(const struct sk_buff *skb,
 	}
 }
 
-void mptcp_get_options(const struct sk_buff *skb,
+void mptcp_get_options(const struct sock *sk,
+		       const struct sk_buff *skb,
 		       struct mptcp_options_received *mp_opt)
 {
 	const struct tcphdr *th = tcp_hdr(skb);
@@ -363,7 +365,7 @@ void mptcp_get_options(const struct sk_buff *skb,
 			if (opsize > length)
 				return;	/* don't parse partial options */
 			if (opcode == TCPOPT_MPTCP)
-				mptcp_parse_option(skb, ptr, opsize, mp_opt);
+				mptcp_parse_option(sk, skb, ptr, opsize, mp_opt);
 			ptr += opsize - 2;
 			length -= opsize;
 		}
@@ -1011,7 +1013,7 @@ void mptcp_incoming_options(struct sock *sk, struct sk_buff *skb)
 		return;
 	}
 
-	mptcp_get_options(skb, &mp_opt);
+	mptcp_get_options(sk, skb, &mp_opt);
 	if (!check_fully_established(msk, sk, subflow, skb, &mp_opt))
 		return;
 
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index ce8bebf13637..1d828668b15a 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -578,7 +578,8 @@ int __init mptcp_proto_v6_init(void);
 struct sock *mptcp_sk_clone(const struct sock *sk,
 			    const struct mptcp_options_received *mp_opt,
 			    struct request_sock *req);
-void mptcp_get_options(const struct sk_buff *skb,
+void mptcp_get_options(const struct sock *sk,
+		       const struct sk_buff *skb,
 		       struct mptcp_options_received *mp_opt);
 
 void mptcp_finish_connect(struct sock *sk);
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 64cacbb75454..c4fbbefb2c93 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -151,7 +151,7 @@ static int subflow_check_req(struct request_sock *req,
 		return -EINVAL;
 #endif
 
-	mptcp_get_options(skb, &mp_opt);
+	mptcp_get_options(sk_listener, skb, &mp_opt);
 
 	if (mp_opt.mp_capable) {
 		SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEPASSIVE);
@@ -248,7 +248,7 @@ int mptcp_subflow_init_cookie_req(struct request_sock *req,
 	int err;
 
 	subflow_init_req(req, sk_listener);
-	mptcp_get_options(skb, &mp_opt);
+	mptcp_get_options(sk_listener, skb, &mp_opt);
 
 	if (mp_opt.mp_capable && mp_opt.mp_join)
 		return -EINVAL;
@@ -395,7 +395,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb)
 	subflow->ssn_offset = TCP_SKB_CB(skb)->seq;
 	pr_debug("subflow=%p synack seq=%x", subflow, subflow->ssn_offset);
 
-	mptcp_get_options(skb, &mp_opt);
+	mptcp_get_options(sk, skb, &mp_opt);
 	if (subflow->request_mptcp) {
 		if (!mp_opt.mp_capable) {
 			MPTCP_INC_STATS(sock_net(sk),
@@ -640,7 +640,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 			goto create_msk;
 		}
 
-		mptcp_get_options(skb, &mp_opt);
+		mptcp_get_options(sk, skb, &mp_opt);
 		if (!mp_opt.mp_capable) {
 			fallback = true;
 			goto create_child;
@@ -651,7 +651,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 		if (!new_msk)
 			fallback = true;
 	} else if (subflow_req->mp_join) {
-		mptcp_get_options(skb, &mp_opt);
+		mptcp_get_options(sk, skb, &mp_opt);
 		if (!mp_opt.mp_join || !subflow_hmac_valid(req, &mp_opt) ||
 		    !mptcp_can_accept_new_subflow(subflow_req->msk)) {
 			SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
-- 
2.30.2



* [MPTCP][PATCH mptcp-next 4/5] mptcp: add join_denied in mptcp_sock
  2021-04-27 10:07     ` [MPTCP][PATCH mptcp-next 3/5] mptcp: add sk parameter for mptcp_parse_option Geliang Tang
@ 2021-04-27 10:07       ` Geliang Tang
  2021-04-27 10:07         ` [MPTCP][PATCH mptcp-next 5/5] selftests: mptcp: add join_denied testcases Geliang Tang
  2021-04-27 23:50         ` [MPTCP][PATCH mptcp-next 4/5] mptcp: add join_denied in mptcp_sock Mat Martineau
  0 siblings, 2 replies; 8+ messages in thread
From: Geliang Tang @ 2021-04-27 10:07 UTC (permalink / raw)
  To: mptcp; +Cc: Geliang Tang

This patch added a new flag join_denied in struct mptcp_sock,
initialized as false in __mptcp_init_sock.

When MP_CAPABLE with the flag MPTCP_CAP_JOIN_DENIED is received, set the
join_denied to true.

In mptcp_syn_options, if the join_denied flag is set, and the remote
address id is zero, stop sending the join.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
---
 net/mptcp/options.c  | 8 ++++++++
 net/mptcp/protocol.c | 1 +
 net/mptcp/protocol.h | 1 +
 3 files changed, 10 insertions(+)

diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 7b354125f33b..068b104d8ca9 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -25,6 +25,8 @@ static void mptcp_parse_option(const struct sock *sk,
 			       const unsigned char *ptr, int opsize,
 			       struct mptcp_options_received *mp_opt)
 {
+	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
+	struct mptcp_sock *msk = mptcp_sk(subflow->conn);
 	u8 subtype = *ptr >> 4;
 	int expected_opsize;
 	u8 version;
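Review bot: `msk` is derived from `sk` at function entry for every MPTCP option, but patch 3 of this series passes `sk_listener` from subflow_check_req() and mptcp_subflow_init_cookie_req(), so on the passive-open path `subflow->conn` is presumably the listening socket rather than the connection being set up. The `WRITE_ONCE(msk->join_denied, true)` in the next hunk would then mark the listener, and the socket created for the request would never see the peer's C flag. The parser cannot reach the per-connection msk through `sk` on that path, so at minimum the two locals should not be evaluated for listeners, and a comment such as `/* sk may be a listener (subflow_check_req); it carries no per-connection state */` would keep the same mistake from recurring. The function body continues outside this hunk.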
@@ -78,6 +80,9 @@ static void mptcp_parse_option(const struct sock *sk,
 		if (flags & MPTCP_CAP_CHECKSUM_REQD)
 			break;
 
+		if (flags & MPTCP_CAP_JOIN_DENIED)
+			WRITE_ONCE(msk->join_denied, true);
+
 		mp_opt->mp_capable = 1;
 		if (opsize >= TCPOLEN_MPTCP_MPC_SYNACK) {
 			mp_opt->sndr_key = get_unaligned_be64(ptr);
@@ -376,6 +381,7 @@ bool mptcp_syn_options(struct sock *sk, const struct sk_buff *skb,
 		       unsigned int *size, struct mptcp_out_options *opts)
 {
 	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
+	struct mptcp_sock *msk = mptcp_sk(subflow->conn);
 
 	/* we will use snd_isn to detect first pkt [re]transmission
 	 * in mptcp_established_options_mp()
@@ -389,6 +395,8 @@ bool mptcp_syn_options(struct sock *sk, const struct sk_buff *skb,
 	} else if (subflow->request_join) {
 		pr_debug("remote_token=%u, nonce=%u", subflow->remote_token,
 			 subflow->local_nonce);
+		if (!subflow->remote_id && READ_ONCE(msk->join_denied))
+			return false;
 		opts->suboptions = OPTION_MPTCP_MPJ_SYN;
 		opts->join_id = subflow->local_id;
 		opts->token = subflow->remote_token;
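Review bot: Returning `false` in the `request_join` branch only leaves the MP_JOIN option off the SYN; as far as I can tell from the caller, which is outside this hunk, the SYN itself is still transmitted, so a peer that asked for no joins to its initial address still receives a plain TCP connection attempt there. The commit message's "stop sending the join" therefore holds for the option but not for the packet. If suppressing the attempt is the intent, the test `!subflow->remote_id && READ_ONCE(msk->join_denied)` has to run before the subflow is connected and fail that connect with an error, rather than in the option writer. The body of mptcp_syn_options() continues outside this hunk.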
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index aec8e77b18e4..219455616f61 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2411,6 +2411,7 @@ static int __mptcp_init_sock(struct sock *sk)
 	msk->ack_hint = NULL;
 	msk->first = NULL;
 	inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss;
+	WRITE_ONCE(msk->join_denied, false);
 
 	mptcp_pm_data_init(msk);
 
diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
index 1d828668b15a..dc20b4d956ea 100644
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -235,6 +235,7 @@ struct mptcp_sock {
 	bool		snd_data_fin_enable;
 	bool		rcv_fastclose;
 	bool		use_64bit_ack; /* Set when we received a 64-bit DSN */
+	bool		join_denied;
 	spinlock_t	join_list_lock;
 	struct sock	*ack_hint;
 	struct work_struct work;
-- 
2.30.2



* [MPTCP][PATCH mptcp-next 5/5] selftests: mptcp: add join_denied testcases
  2021-04-27 10:07       ` [MPTCP][PATCH mptcp-next 4/5] mptcp: add join_denied in mptcp_sock Geliang Tang
@ 2021-04-27 10:07         ` Geliang Tang
  2021-04-27 23:50         ` [MPTCP][PATCH mptcp-next 4/5] mptcp: add join_denied in mptcp_sock Mat Martineau
  1 sibling, 0 replies; 8+ messages in thread
From: Geliang Tang @ 2021-04-27 10:07 UTC (permalink / raw)
  To: mptcp; +Cc: Geliang Tang

This patch added the testcases for join_denied.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
---
 .../testing/selftests/net/mptcp/mptcp_join.sh | 45 +++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/tools/testing/selftests/net/mptcp/mptcp_join.sh b/tools/testing/selftests/net/mptcp/mptcp_join.sh
index fd99485cf2a4..c70555a82418 100755
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -124,6 +124,17 @@ reset_with_add_addr_timeout()
 		-j DROP
 }
 
+reset_with_join_denied()
+{
+	local ns1_enable=$1
+	local ns2_enable=$2
+
+	reset
+
+	ip netns exec $ns1 sysctl -q net.mptcp.join_denied=$ns1_enable
+	ip netns exec $ns2 sysctl -q net.mptcp.join_denied=$ns2_enable
+}
+
 ip -Version > /dev/null 2>&1
 if [ $? -ne 0 ];then
 	echo "SKIP: Could not run test without ip tool"
@@ -785,6 +796,22 @@ subflows_tests()
 	ip netns exec $ns2 ./pm_nl_ctl add 10.0.3.2 flags subflow dev ns2eth3
 	run_tests $ns1 $ns2 10.0.1.1
 	chk_join_nr "single subflow, dev" 1 1 1
+
+	# subflow join denied
+	reset_with_join_denied 1 0
+	ip netns exec $ns1 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns2 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns2 ./pm_nl_ctl add 10.0.3.2 flags subflow
+	run_tests $ns1 $ns2 10.0.1.1
+	chk_join_nr "single subflow join denied ns1" 0 0 0
+
+	# subflow join denied
+	reset_with_join_denied 0 1
+	ip netns exec $ns1 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns2 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns2 ./pm_nl_ctl add 10.0.3.2 flags subflow
+	run_tests $ns1 $ns2 10.0.1.1
+	chk_join_nr "single subflow join denied ns2" 1 1 1
 }
 
 signal_address_tests()
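Review bot: Both new cases in subflows_tests carry the identical comment `# subflow join denied`, although the first expects `0 0 0` and the second `1 1 1`, so a reader cannot tell from the script why the results differ. Comments that name the side setting the flag would make the expectation checkable, for example `# ns1 sets join_denied: ns2 must not join ns1's initial address` and `# ns2 sets join_denied: joins initiated by ns2 are unaffected` (assuming ns1 is the listening side in run_tests). The same applies to the two `# signal address join denied` cases in the signal_address_tests hunk. Note also that `chk_join_nr ... 0 0 0` appears to count MP_JOIN handshakes only, so it would not notice a SYN sent without the option.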
@@ -850,6 +877,24 @@ signal_address_tests()
 	run_tests $ns1 $ns2 10.0.1.1
 	chk_join_nr "signal invalid addresses" 1 1 1
 	chk_add_nr 3 3
+
+	# signal address join denied
+	reset_with_join_denied 1 0
+	ip netns exec $ns1 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns2 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns1 ./pm_nl_ctl add 10.0.2.1 flags signal
+	run_tests $ns1 $ns2 10.0.1.1
+	chk_join_nr "signal address join denied ns1" 1 1 1
+	chk_add_nr 1 1
+
+	# signal address join denied
+	reset_with_join_denied 0 1
+	ip netns exec $ns1 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns2 ./pm_nl_ctl limits 1 1
+	ip netns exec $ns1 ./pm_nl_ctl add 10.0.2.1 flags signal
+	run_tests $ns1 $ns2 10.0.1.1
+	chk_join_nr "signal address join denied ns2" 1 1 1
+	chk_add_nr 1 1
 }
 
 link_failure_tests()
-- 
2.30.2



* Re: [MPTCP][PATCH mptcp-next 1/5] mptcp: add a new sysctl join_denied
  2021-04-27 10:07 ` [MPTCP][PATCH mptcp-next 1/5] mptcp: add a new sysctl join_denied Geliang Tang
  2021-04-27 10:07   ` [MPTCP][PATCH mptcp-next 2/5] mptcp: add join_denied in mptcp_out_options Geliang Tang
@ 2021-04-27 23:07   ` Mat Martineau
  1 sibling, 0 replies; 8+ messages in thread
From: Mat Martineau @ 2021-04-27 23:07 UTC (permalink / raw)
  To: Geliang Tang; +Cc: mptcp


On Tue, 27 Apr 2021, Geliang Tang wrote:

> This patch added a new sysctl, named join_denied, to control
> whether the joins can be denied.
>
> Signed-off-by: Geliang Tang <geliangtang@gmail.com>
> ---
> Documentation/networking/mptcp-sysctl.rst |  8 ++++++++
> net/mptcp/ctrl.c                          | 14 ++++++++++++++
> net/mptcp/protocol.h                      |  1 +
> 3 files changed, 23 insertions(+)
>
> diff --git a/Documentation/networking/mptcp-sysctl.rst b/Documentation/networking/mptcp-sysctl.rst
> index 6af0196c4297..dbf4df3e6950 100644
> --- a/Documentation/networking/mptcp-sysctl.rst
> +++ b/Documentation/networking/mptcp-sysctl.rst
> @@ -24,3 +24,11 @@ add_addr_timeout - INTEGER (seconds)
> 	sysctl.
>
> 	Default: 120
> +
> +join_denied - INTEGER
> +	Control whether the joins can be denied.
> +
> +	The joins can be denied if the value is nonzero. This is a
> +	per-namespace sysctl.
> +
> +	Default: 0

It should be clear that this setting only affects incoming join requests 
for the local IP address and port used with the initial subflow. Maybe:

allow_join_initial_addr_port - INTEGER

Allow peers to send join requests to the IP address and port number used 
by the initial subflow if the value is nonzero. This controls a flag that 
is sent to the peer at connection time, and whether such join requests are 
accepted or denied.

Joins to addresses advertised with ADD_ADDR are not affected by this 
value.

This is a per-namespace sysctl.

Default: 1


My preference is to have the sysctl _enable_ these join requests, to 
reduce confusion from double-negatives. Open to discussion on that, of 
course.


> diff --git a/net/mptcp/ctrl.c b/net/mptcp/ctrl.c
> index 96ba616f59bf..4613bf42397d 100644
> --- a/net/mptcp/ctrl.c
> +++ b/net/mptcp/ctrl.c
> @@ -19,6 +19,7 @@ struct mptcp_pernet {
>
> 	int mptcp_enabled;
> 	unsigned int add_addr_timeout;
> +	int join_denied;
> };
>
> static struct mptcp_pernet *mptcp_get_pernet(struct net *net)
> @@ -36,6 +37,11 @@ unsigned int mptcp_get_add_addr_timeout(struct net *net)
> 	return mptcp_get_pernet(net)->add_addr_timeout;
> }
>
> +int mptcp_is_join_denied(struct net *net)
> +{
> +	return mptcp_get_pernet(net)->join_denied;
> +}
> +
> static struct ctl_table mptcp_sysctl_table[] = {
> 	{
> 		.procname = "enabled",
> @@ -52,6 +58,12 @@ static struct ctl_table mptcp_sysctl_table[] = {
> 		.mode = 0644,
> 		.proc_handler = proc_dointvec_jiffies,
> 	},
> +	{
> +		.procname = "join_denied",
> +		.maxlen = sizeof(int),
> +		.mode = 0644,
> +		.proc_handler = proc_dointvec,
> +	},
> 	{}
> };
>
> @@ -59,6 +71,7 @@ static void mptcp_pernet_set_defaults(struct mptcp_pernet *pernet)
> {
> 	pernet->mptcp_enabled = 1;
> 	pernet->add_addr_timeout = TCP_RTO_MAX;
> +	pernet->join_denied = 0;
> }
>
> static int mptcp_pernet_new_table(struct net *net, struct mptcp_pernet *pernet)
> @@ -75,6 +88,7 @@ static int mptcp_pernet_new_table(struct net *net, struct mptcp_pernet *pernet)
>
> 	table[0].data = &pernet->mptcp_enabled;
> 	table[1].data = &pernet->add_addr_timeout;
> +	table[2].data = &pernet->join_denied;
>
> 	hdr = register_net_sysctl(net, MPTCP_SYSCTL_PATH, table);
> 	if (!hdr)
> diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
> index d230a75af631..a14c1ba85212 100644
> --- a/net/mptcp/protocol.h
> +++ b/net/mptcp/protocol.h
> @@ -524,6 +524,7 @@ static inline void mptcp_subflow_delegated_done(struct mptcp_subflow_context *su
>
> int mptcp_is_enabled(struct net *net);
> unsigned int mptcp_get_add_addr_timeout(struct net *net);
> +int mptcp_is_join_denied(struct net *net);
> void mptcp_subflow_fully_established(struct mptcp_subflow_context *subflow,
> 				     struct mptcp_options_received *mp_opt);
> bool mptcp_subflow_data_available(struct sock *sk);
> -- 
> 2.30.2
>
>
>

--
Mat Martineau
Intel


* Re: [MPTCP][PATCH mptcp-next 4/5] mptcp: add join_denied in mptcp_sock
  2021-04-27 10:07       ` [MPTCP][PATCH mptcp-next 4/5] mptcp: add join_denied in mptcp_sock Geliang Tang
  2021-04-27 10:07         ` [MPTCP][PATCH mptcp-next 5/5] selftests: mptcp: add join_denied testcases Geliang Tang
@ 2021-04-27 23:50         ` Mat Martineau
  1 sibling, 0 replies; 8+ messages in thread
From: Mat Martineau @ 2021-04-27 23:50 UTC (permalink / raw)
  To: Geliang Tang; +Cc: mptcp

On Tue, 27 Apr 2021, Geliang Tang wrote:

> This patch added a new flag join_denied in struct mptcp_sock,
> initialized as false in __mptcp_init_sock.
>
> When MP_CAPABLE with the flag MPTCP_CAP_JOIN_DENIED is received, set the
> join_denied to true.
>
> In mptcp_syn_options, if the join_denied flag is set, and the remote
> address id is zero, stop sending the join.
>
> Signed-off-by: Geliang Tang <geliangtang@gmail.com>
> ---
> net/mptcp/options.c  | 8 ++++++++
> net/mptcp/protocol.c | 1 +
> net/mptcp/protocol.h | 1 +
> 3 files changed, 10 insertions(+)
>
> diff --git a/net/mptcp/options.c b/net/mptcp/options.c
> index 7b354125f33b..068b104d8ca9 100644
> --- a/net/mptcp/options.c
> +++ b/net/mptcp/options.c
> @@ -25,6 +25,8 @@ static void mptcp_parse_option(const struct sock *sk,
> 			       const unsigned char *ptr, int opsize,
> 			       struct mptcp_options_received *mp_opt)
> {
> +	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
> +	struct mptcp_sock *msk = mptcp_sk(subflow->conn);
> 	u8 subtype = *ptr >> 4;
> 	int expected_opsize;
> 	u8 version;
> @@ -78,6 +80,9 @@ static void mptcp_parse_option(const struct sock *sk,
> 		if (flags & MPTCP_CAP_CHECKSUM_REQD)
> 			break;
>
> +		if (flags & MPTCP_CAP_JOIN_DENIED)
> +			WRITE_ONCE(msk->join_denied, true);
> +

Rather than directly manipulate the mptcp_sock here, I think it would be 
better to add something to mptcp_options_received and set that here. Then 
that structure can be used to set up the mptcp_sock or path manager while 
the appropriate lock is held.

> 		mp_opt->mp_capable = 1;
> 		if (opsize >= TCPOLEN_MPTCP_MPC_SYNACK) {
> 			mp_opt->sndr_key = get_unaligned_be64(ptr);
> @@ -376,6 +381,7 @@ bool mptcp_syn_options(struct sock *sk, const struct sk_buff *skb,
> 		       unsigned int *size, struct mptcp_out_options *opts)
> {
> 	struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
> +	struct mptcp_sock *msk = mptcp_sk(subflow->conn);
>
> 	/* we will use snd_isn to detect first pkt [re]transmission
> 	 * in mptcp_established_options_mp()
> @@ -389,6 +395,8 @@ bool mptcp_syn_options(struct sock *sk, const struct sk_buff *skb,
> 	} else if (subflow->request_join) {
> 		pr_debug("remote_token=%u, nonce=%u", subflow->remote_token,
> 			 subflow->local_nonce);
> +		if (!subflow->remote_id && READ_ONCE(msk->join_denied))
> +			return false;

I think this should be handled at a higher level, in the path manager. The 
PM should make the decision to create (or not create) a new subflow using 
the peer's subflow 0 address.

When everything is updated for userspace path management (not in scope for 
this patch set!), the userspace path manager will also need the 'C' flag. 
It's going to be simpler to make the best path management decisions in 
both userspace and in-kernel PMs if the 'C' flag is treated similarly in 
either case.

> 		opts->suboptions = OPTION_MPTCP_MPJ_SYN;
> 		opts->join_id = subflow->local_id;
> 		opts->token = subflow->remote_token;
> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
> index aec8e77b18e4..219455616f61 100644
> --- a/net/mptcp/protocol.c
> +++ b/net/mptcp/protocol.c
> @@ -2411,6 +2411,7 @@ static int __mptcp_init_sock(struct sock *sk)
> 	msk->ack_hint = NULL;
> 	msk->first = NULL;
> 	inet_csk(sk)->icsk_sync_mss = mptcp_sync_mss;
> +	WRITE_ONCE(msk->join_denied, false);
>
> 	mptcp_pm_data_init(msk);
>
> diff --git a/net/mptcp/protocol.h b/net/mptcp/protocol.h
> index 1d828668b15a..dc20b4d956ea 100644
> --- a/net/mptcp/protocol.h
> +++ b/net/mptcp/protocol.h
> @@ -235,6 +235,7 @@ struct mptcp_sock {
> 	bool		snd_data_fin_enable;
> 	bool		rcv_fastclose;
> 	bool		use_64bit_ack; /* Set when we received a 64-bit DSN */
> +	bool		join_denied;

As I mentioned in some comments above, this may belong in mptcp_pm_data in 
order to integrate with the PM better.

> 	spinlock_t	join_list_lock;
> 	struct sock	*ack_hint;
> 	struct work_struct work;
> -- 
> 2.30.2
>
>
>

--
Mat Martineau
Intel

