All of lore.kernel.org
 help / color / mirror / Atom feed
* Query regarding sk_filter
@ 2015-01-09 11:23 Kumar Sanghvi
  2015-01-10  0:51 ` Alexei Starovoitov
  0 siblings, 1 reply; 5+ messages in thread
From: Kumar Sanghvi @ 2015-01-09 11:23 UTC (permalink / raw)
  To: netdev

Hi netdev team,

I have a query regarding sk_filter call in tcp receive path:

In 'tcp_v4_rcv' function, if sk is found by __inet_lookup_skb then,
down the line, there is a call to sk_filter to ensure if the incoming packet 
is allowed to be processed for that sk.

However, in 'tcp_v4_hnd_req' function, if nsk is found by inet_lookup_established 
then, later, there does not seem to be a sk_filter call for that nsk in the receive 
path processing.

I am wondering shouldn't there be a sk_filter call on nsk found in 'tcp_v4_hnd_req' 
function ? Or, probably I am missing something.
I am running some high rate syn-flood tests and trying to understand the sk_filter 
behaviour in this case.


Thanks,
Kumar.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Query regarding sk_filter
  2015-01-09 11:23 Query regarding sk_filter Kumar Sanghvi
@ 2015-01-10  0:51 ` Alexei Starovoitov
  2015-01-10 12:40   ` Kumar Sanghvi
  0 siblings, 1 reply; 5+ messages in thread
From: Alexei Starovoitov @ 2015-01-10  0:51 UTC (permalink / raw)
  To: Kumar Sanghvi; +Cc: netdev

On Fri, Jan 9, 2015 at 3:23 AM, Kumar Sanghvi <kumaras@chelsio.com> wrote:
> Hi netdev team,
>
> I have a query regarding sk_filter call in tcp receive path:
>
> In 'tcp_v4_rcv' function, if sk is found by __inet_lookup_skb then,
> down the line, there is a call to sk_filter to ensure if the incoming packet
> is allowed to be processed for that sk.
>
> However, in 'tcp_v4_hnd_req' function, if nsk is found by inet_lookup_established
> then, later, there does not seem to be a sk_filter call for that nsk in the receive
> path processing.
>
> I am wondering shouldn't there be a sk_filter call on nsk found in 'tcp_v4_hnd_req'
> function ? Or, probably I am missing something.

hmm. I'm not sure what you're seeing.
tcp_v4_hnd_req() is called from tcp_v4_do_rcv() which is called
after sk_filter() check is done in tcp_v4_rcv() (either directly
or via prequeue/backlog)

> I am running some high rate syn-flood tests and trying to understand
> the sk_filter behaviour in this case.

are you saying not all of syn packets are reaching filter?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Query regarding sk_filter
  2015-01-10  0:51 ` Alexei Starovoitov
@ 2015-01-10 12:40   ` Kumar Sanghvi
  0 siblings, 0 replies; 5+ messages in thread
From: Kumar Sanghvi @ 2015-01-10 12:40 UTC (permalink / raw)
  To: Alexei Starovoitov; +Cc: netdev

On Friday, January 01/09/15, 2015 at 16:51:46 -0800, Alexei Starovoitov wrote:
> On Fri, Jan 9, 2015 at 3:23 AM, Kumar Sanghvi <kumaras@chelsio.com> wrote:
> > Hi netdev team,
> >
> > I have a query regarding sk_filter call in tcp receive path:
> >
> > In 'tcp_v4_rcv' function, if sk is found by __inet_lookup_skb then,
> > down the line, there is a call to sk_filter to ensure if the incoming packet
> > is allowed to be processed for that sk.
> >
> > However, in 'tcp_v4_hnd_req' function, if nsk is found by inet_lookup_established
> > then, later, there does not seem to be a sk_filter call for that nsk in the receive
> > path processing.
> >
> > I am wondering shouldn't there be a sk_filter call on nsk found in 'tcp_v4_hnd_req'
> > function ? Or, probably I am missing something.
> 
> hmm. I'm not sure what you're seeing.

This is more of a question out of curiosity :)

> tcp_v4_hnd_req() is called from tcp_v4_do_rcv() which is called
> after sk_filter() check is done in tcp_v4_rcv() (either directly
> or via prequeue/backlog)

Ok.
> 
> > I am running some high rate syn-flood tests and trying to understand
> > the sk_filter behaviour in this case.
> 
> are you saying not all of syn packets are reaching filter?

No, not saying that.

I was thinking more in terms of below:-
(BTW, I am unsure if case B described below is actually possible.
I am describing it hypothetically.
So, please correct me if I am smoking cracks and my understanding is wrong)

One more thing I forgot to clarify is: the syn-flood test that I am running uses the 
same 4-tuple of actual clients establishing connections with server.

Lets say there is iperf TCP server running on DUT.
There are some short-lived iperf clients establishing connections.
The syn-flood uses the same 4-tuple which the iperf clients use.

The two cases that I was thinking of are:

A) Connection is established on DUT.
-------------------------------------
Now, if a SYN comes with same 4-tuple then, in tcp_v4_rcv, a child socket would be
found from __inet_lookup_skb and the subsequent sk_filter would run for that child socket.


B) Connection is in process of establishing.
-------------------------------------------
Here, lets say a SYN comes (using the same 4-tuple as iperf client whose connection is in process 
of establishing)  and in tcp_v4_rcv, there is no existing established connection
found yet. So, listen socket would be returned via __inet_lookup_skb and subsequent sk_filter
would run on listen socket.

Further, as this SYN packet is processed, a child socket is found in tcp_v4_hnd_req.
And then, tcp_child_process would then get called from tcp_v4_do_rcv.

So, unlike case A), here the sk_filter ran on listen socket rather than the child socket.
Or does the sk_filter would run on child socket from some other part ?

May be, the question that I should have asked is : do child socket and parent listening socket have the 
same sk_filter applied i.e. do child socket inherit sk_filter from parent listening socket ?


Thank you for your response.
-Kumar.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Query regarding sk_filter
@ 2015-01-12 18:17 Alexei Starovoitov
  2015-01-12 18:00 ` Kumar Sanghvi
  0 siblings, 1 reply; 5+ messages in thread
From: Alexei Starovoitov @ 2015-01-12 18:17 UTC (permalink / raw)
  To: Kumar Sanghvi; +Cc: netdev

On Sat, Jan 10, 2015 at 4:40 AM, Kumar Sanghvi <kumaras@chelsio.com> wrote:
>
> May be, the question that I should have asked is : do child socket and parent listening socket have the
> same sk_filter applied i.e. do child socket inherit sk_filter from parent listening socket ?

yes. socket returned from accept() inherits filter from parent socket.
if you're curious the path is:
tcp_check_req - tcp_v4_syn_recv_sock - tcp_create_openreq_child - sk_clone_lock

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Query regarding sk_filter
  2015-01-12 18:17 Alexei Starovoitov
@ 2015-01-12 18:00 ` Kumar Sanghvi
  0 siblings, 0 replies; 5+ messages in thread
From: Kumar Sanghvi @ 2015-01-12 18:00 UTC (permalink / raw)
  To: Alexei Starovoitov; +Cc: netdev

On Monday, January 01/12/15, 2015 at 10:17:16 -0800, Alexei Starovoitov wrote:
> On Sat, Jan 10, 2015 at 4:40 AM, Kumar Sanghvi <kumaras@chelsio.com> wrote:
> >
> > May be, the question that I should have asked is : do child socket and parent listening socket have the
> > same sk_filter applied i.e. do child socket inherit sk_filter from parent listening socket ?
> 
> yes. socket returned from accept() inherits filter from parent socket.
> if you're curious the path is:
> tcp_check_req - tcp_v4_syn_recv_sock - tcp_create_openreq_child - sk_clone_lock
>
Got it. Thanks! 

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2015-01-12 18:31 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-09 11:23 Query regarding sk_filter Kumar Sanghvi
2015-01-10  0:51 ` Alexei Starovoitov
2015-01-10 12:40   ` Kumar Sanghvi
2015-01-12 18:17 Alexei Starovoitov
2015-01-12 18:00 ` Kumar Sanghvi

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.