[PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[Jamal Hadi Salim]

From: Jamal Hadi Salim <hadi@mojatatu.com>

SYN-ACK responses on a server in response to a SYN from a client
did not get the injected skb mark that was tagged on the SYN packet.

Fixes: 84f39b08d786 ("net: support marking accepting TCP sockets")
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
---
 net/ipv4/ip_output.c  | 3 ++-
 net/ipv4/tcp_output.c | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 7a3fd25..a8fd5f0 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -173,7 +173,8 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
 	}
 
 	skb->priority = sk->sk_priority;
-	skb->mark = sk->sk_mark;
+	if (!skb->mark)
+		skb->mark = sk->sk_mark;
 
 	/* Send it out. */
 	return ip_local_out(net, skb->sk, skb);
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 9a9c395..8c3661a 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3212,6 +3212,8 @@ struct sk_buff *tcp_make_synack(const struct sock *sk, struct dst_entry *dst,
 	tcp_ecn_make_synack(req, th);
 	th->source = htons(ireq->ir_num);
 	th->dest = ireq->ir_rmt_port;
+	if (sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
+		skb->mark = ireq->ir_mark;
 	/* Setting of flags are superfluous here for callers (and ECE is
 	 * not even correctly set)
 	 */
-- 
1.9.1

Re: [PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[David Miller]

From: Jamal Hadi Salim <jhs@mojatatu.com>
Date: Sat, 10 Jun 2017 09:31:01 -0400

> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 7a3fd25..a8fd5f0 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -173,7 +173,8 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
>  	}
>  
>  	skb->priority = sk->sk_priority;
> -	skb->mark = sk->sk_mark;
> +	if (!skb->mark)
> +		skb->mark = sk->sk_mark;

Maybe this should both be "inet_request_mark()"?

Also, Lorenzo, please review.

Re: [PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[Jamal Hadi Salim]

On 17-06-10 07:02 PM, David Miller wrote:

>> @@ -173,7 +173,8 @@ int ip_build_and_send_pkt(struct sk_buff *skb, const struct sock *sk,
>>   	}
>>   
>>   	skb->priority = sk->sk_priority;
>> -	skb->mark = sk->sk_mark;
>> +	if (!skb->mark)
>> +		skb->mark = sk->sk_mark;
> 
> Maybe this should both be "inet_request_mark()"?
> 

Challenge is making of a synack requires a new allocated skb;
and sk is a listening socket - which should/has a mark of
0 meaning at ip_build_and_send_pkt() it overrides
the value already set on the skb->mark.

cheers,
jamal

> Also, Lorenzo, please review.
> 

Re: [PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[Lorenzo Colitti]

On Sun, Jun 11, 2017 at 8:58 PM, Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>> Maybe this should both be "inet_request_mark()"?
>>
>
> Challenge is making of a synack requires a new allocated skb;
> and sk is a listening socket - which should/has a mark of
> 0 meaning at ip_build_and_send_pkt() it overrides
> the value already set on the skb->mark.

As David says, the tcp_fwmark_accept sysctl is not really appropriate
for synack packets - what it does is ensure that when a connection is
accepted, sk->sk_mark is set to the mark of the incoming skb.

I think the correct behaviour here is to to honour the
ip_fwmark_reflect sysctl instead, and if it's enabled, make the synack
mark be the same as the the incoming syn mark.

Re: [PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[Jamal Hadi Salim]

On 17-06-12 08:34 PM, Lorenzo Colitti wrote:
> On Sun, Jun 11, 2017 at 8:58 PM, Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>>> Maybe this should both be "inet_request_mark()"?

> As David says, the tcp_fwmark_accept sysctl is not really appropriate
> for synack packets - what it does is ensure that when a connection is
> accepted, sk->sk_mark is set to the mark of the incoming skb.
> 
> I think the correct behaviour here is to to honour the
> ip_fwmark_reflect sysctl instead, and if it's enabled, make the synack
> mark be the same as the the incoming syn mark.
> 

Ok, so in the patch I sent then change this:

+       if (sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
+               skb->mark = ireq->ir_mark;

to:

+       if (sock_net(sk)->ipv4.fwmark_reflect)
+               skb->mark = ireq->ir_mark;

correct?

cheers,
jamal

Re: [PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[Lorenzo Colitti]

On Sat, Jun 10, 2017 at 10:31 PM, Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>         skb->priority = sk->sk_priority;
> -       skb->mark = sk->sk_mark;
> +       if (!skb->mark)
> +               skb->mark = sk->sk_mark;

It looks a bit iffy to take sk->sk_mark only if skb->mark is zero
instead of relying on the callers to tell this function what they
want. I think the patch is correct, but it might be better to fix the
other callers (dccp_make_response and dccp_ctl_make_reset) to set
skb->mark to what they want. Either way.

>         tcp_ecn_make_synack(req, th);
>         th->source = htons(ireq->ir_num);
>         th->dest = ireq->ir_rmt_port;
> +       if (sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
> +               skb->mark = ireq->ir_mark;

I think checking the sysctl here is unnecessary. It seems to me that
ir_mark already takes that into account. Its semantics (see
inet_request_mark) are:

- If listen socket has a nonzero mark, use that
- Else if sysctl_tcp_fwmark_accept is set and inbound SYN packet has
mark, use that
- Else zero.

which is what you want.

Other than that,

Reviewed-By: Lorenzo Colitti <lorenzo@google.com>

Please disregard my earlier comment about fwmark_reflect - I didn't
notice that the code sets ir_mark based on tcp_fwmark_accept, and
doesn't look at fwmark_reflect at all.

Re: [PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

[Jamal Hadi Salim]

Sorry for the latency.

On 17-06-13 09:58 AM, Lorenzo Colitti wrote:
> On Sat, Jun 10, 2017 at 10:31 PM, Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>>          skb->priority = sk->sk_priority;
>> -       skb->mark = sk->sk_mark;
>> +       if (!skb->mark)
>> +               skb->mark = sk->sk_mark;
> 
> It looks a bit iffy to take sk->sk_mark only if skb->mark is zero
> instead of relying on the callers to tell this function what they
> want. I think the patch is correct, but it might be better to fix the
> other callers (dccp_make_response and dccp_ctl_make_reset) to set
> skb->mark to what they want. Either way. 
>

I saw the DCCP call - but the systcl says "tcp" on it and the feature
is not used by dccp currently. i.e it looked like an unreasonably large
change to update ip_build_and_send_pkt() params in particular when
the skb already had the mark.

>>          tcp_ecn_make_synack(req, th);
>>          th->source = htons(ireq->ir_num);
>>          th->dest = ireq->ir_rmt_port;
>> +       if (sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
>> +               skb->mark = ireq->ir_mark;
> 
> I think checking the sysctl here is unnecessary. It seems to me that
> ir_mark already takes that into account. Its semantics (see
> inet_request_mark) are:
> 
> - If listen socket has a nonzero mark, use that
> - Else if sysctl_tcp_fwmark_accept is set and inbound SYN packet has
> mark, use that
> - Else zero.
> 
> which is what you want.

I see it. I'll fix this part in next version.


> 
> Other than that,
> 
> Reviewed-By: Lorenzo Colitti <lorenzo@google.com>
> 
> Please disregard my earlier comment about fwmark_reflect - I didn't
> notice that the code sets ir_mark based on tcp_fwmark_accept, and
> doesn't look at fwmark_reflect at all.
> 

np.

cheers,
jamal