From: Christoph Paasch <cpaasch@apple.com>
To: Yuchung Cheng <ycheng@google.com>
Cc: David Miller <davem@davemloft.net>,
	netdev <netdev@vger.kernel.org>,
	Eric Dumazet <edumazet@google.com>
Subject: Re: [PATCH v2 net-next] tcp: Enable TFO without a cookie on a per-socket basis
Date: Mon, 23 Oct 2017 09:17:00 -0700
Message-ID: <20171023161700.GB25570@da0602a-dhcp113.apple.com>
In-Reply-To: <CAK6E8=da6_xi6fGGXKFE=adhHiRtZHBTZcJOm-9Ac5oa6ufFVw@mail.gmail.com>

Hello,

On 20/10/17 - 17:46:06, Yuchung Cheng wrote:
> On Fri, Oct 20, 2017 at 2:13 PM, Christoph Paasch <cpaasch@apple.com> wrote:
> >
> > We already allow enabling TFO without a cookie by using the
> > fastopen-sysctl and setting it to TFO_SERVER_COOKIE_NOT_REQD (0x200).
> > This is safe to do in certain environments where we know that there
> > isn't a malicious host (aka., data-centers).
> >
> > A server however might be talking to both sides (public Internet and
> > data-center). So, this server would want to enable cookie-less TFO for
> > the connections that go to the data-center while enforcing cookies for
> > the traffic from the Internet.
> >
> > This patch exposes a socket-option to enable this (protected by
> > CAP_NET_ADMIN).
> The protection is removed in this version?

Yes, removed it upon suggestion by Eric. I missed updating the commit log.
Will do so in the v3.

> 
> >
> > Signed-off-by: Christoph Paasch <cpaasch@apple.com>
> > ---
> >
> > Notes:
> >     v2: * Rename to fastopen_no_cookie and TCP_FASTOPEN_NO_COOKIE
> >         * Add per-route attribute for fastopen_no_cookie
> >         * Get rid of the capability check
> >
> >  include/linux/tcp.h            |  3 ++-
> >  include/net/tcp.h              |  3 ++-
> >  include/uapi/linux/rtnetlink.h |  2 ++
> >  include/uapi/linux/tcp.h       |  1 +
> >  net/ipv4/tcp.c                 | 12 ++++++++++++
> >  net/ipv4/tcp_fastopen.c        | 14 +++++++++++---
> >  net/ipv4/tcp_input.c           |  2 +-
> >  7 files changed, 31 insertions(+), 6 deletions(-)
> >
> > diff --git a/include/linux/tcp.h b/include/linux/tcp.h
> > index 1d2c44e09e31..173a7c2f9636 100644
> > --- a/include/linux/tcp.h
> > +++ b/include/linux/tcp.h
> > @@ -215,7 +215,8 @@ struct tcp_sock {
> >         u8      chrono_type:2,  /* current chronograph type */
> >                 rate_app_limited:1,  /* rate_{delivered,interval_us} limited? */
> >                 fastopen_connect:1, /* FASTOPEN_CONNECT sockopt */
> > -               unused:4;
> > +               fastopen_no_cookie:1, /* Allow send/recv SYN+data without a cookie */
> > +               unused:3;
> >         u8      nonagle     : 4,/* Disable Nagle algorithm?             */
> >                 thin_lto    : 1,/* Use linear timeouts for thin streams */
> >                 unused1     : 1,
> > diff --git a/include/net/tcp.h b/include/net/tcp.h
> > index 1efe8365cb28..020b20c3f50a 100644
> > --- a/include/net/tcp.h
> > +++ b/include/net/tcp.h
> > @@ -1562,7 +1562,8 @@ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
> >  void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb);
> >  struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
> >                               struct request_sock *req,
> > -                             struct tcp_fastopen_cookie *foc);
> > +                             struct tcp_fastopen_cookie *foc,
> > +                             const struct dst_entry *dst);
> >  void tcp_fastopen_init_key_once(struct net *net);
> >  bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
> >                              struct tcp_fastopen_cookie *cookie);
> > diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
> > index dab7dad9e01a..fe6679268901 100644
> > --- a/include/uapi/linux/rtnetlink.h
> > +++ b/include/uapi/linux/rtnetlink.h
> > @@ -430,6 +430,8 @@ enum {
> >  #define RTAX_QUICKACK RTAX_QUICKACK
> >         RTAX_CC_ALGO,
> >  #define RTAX_CC_ALGO RTAX_CC_ALGO
> > +       RTAX_FASTOPEN_NO_COOKIE,
> > +#define RTAX_FASTOPEN_NO_COOKIE RTAX_FASTOPEN_NO_COOKIE
> >         __RTAX_MAX
> >  };
> >
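Review bot: the commit log describes only the socket option, but this hunk adds a second, independent knob, the per-route metric RTAX_FASTOPEN_NO_COOKIE (listed in the v2 notes but not in the message body); the commit message should document the route attribute and say that either the sockopt or the metric is sufficient to waive the cookie, since tcp_try_fastopen() ORs them. As this is uapi, admins will also need a matching iproute2 keyword to set the metric, which is worth mentioning in the cover text.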
> > diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
> > index 69c7493e42f8..d67e1d40c6d6 100644
> > --- a/include/uapi/linux/tcp.h
> > +++ b/include/uapi/linux/tcp.h
> > @@ -120,6 +120,7 @@ enum {
> >  #define TCP_ULP                        31      /* Attach a ULP to a TCP connection */
> >  #define TCP_MD5SIG_EXT         32      /* TCP MD5 Signature with extensions */
> >  #define TCP_FASTOPEN_KEY       33      /* Set the key for Fast Open (cookie) */
> > +#define TCP_FASTOPEN_NO_COOKIE 34      /* Enable TFO without a TFO cookie */
> >
> >  struct tcp_repair_opt {
> >         __u32   opt_code;
> > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > index 8b1fa4dd4538..a3d46a781abd 100644
> > --- a/net/ipv4/tcp.c
> > +++ b/net/ipv4/tcp.c
> > @@ -2832,6 +2832,14 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
> >                         err = -EOPNOTSUPP;
> >                 }
> >                 break;
> > +       case TCP_FASTOPEN_NO_COOKIE:
> > +               if (val > 1 || val < 0)
> > +                       err = -EINVAL;
> > +               else if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
> > +                       err = -EINVAL;
> > +               else
> > +                       tp->fastopen_no_cookie = 1;
> > +               break;
> >         case TCP_TIMESTAMP:
> >                 if (!tp->repair)
> >                         err = -EPERM;
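Review bot: the set path ignores val: after the range check, `tp->fastopen_no_cookie = 1;` runs for both val == 0 and val == 1, so the option can never be cleared once set and getsockopt() will report 1 after a setsockopt(..., 0). It should be `tp->fastopen_no_cookie = val;`. Since the CAP_NET_ADMIN check named in the commit log is gone, any unprivileged listener can now accept SYN+data from any peer without cookie validation; the commit message should state that this is intentional and why, so the relaxation is visible to people auditing the change later.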
> > @@ -3252,6 +3260,10 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
> >                 val = tp->fastopen_connect;
> >                 break;
> >
> > +       case TCP_FASTOPEN_NO_COOKIE:
> > +               val = tp->fastopen_no_cookie;
> > +               break;
> > +
> >         case TCP_TIMESTAMP:
> >                 val = tcp_time_stamp_raw() + tp->tsoffset;
> >                 break;
> > diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
> > index 21075ce19cb6..e704bd86fdf9 100644
> > --- a/net/ipv4/tcp_fastopen.c
> > +++ b/net/ipv4/tcp_fastopen.c
> > @@ -316,7 +316,8 @@ static bool tcp_fastopen_queue_check(struct sock *sk)
> >   */
> >  struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
> >                               struct request_sock *req,
> > -                             struct tcp_fastopen_cookie *foc)
> > +                             struct tcp_fastopen_cookie *foc,
> > +                             const struct dst_entry *dst)
> >  {
> >         bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
> >         int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
> > @@ -333,7 +334,9 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
> >                 return NULL;
> >         }
> >
> > -       if (syn_data && (tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD))
> > +       if (syn_data && ((tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD) ||
> > +                        tcp_sk(sk)->fastopen_no_cookie ||
> > +                        (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE))))
> >                 goto fastopen;
> >
> >         if (foc->len >= 0 &&  /* Client presents or requests a cookie */
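Review bot: the per-socket flag tested here lives on the listening socket, so once set it waives the cookie for every peer reaching that listener, regardless of where the SYN came from; the "cookie-less for the data-center, cookies for the Internet" split promised in the commit message is only achieved through the route metric branch (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE)) or by running separate listeners per address. The commit message should say so. The same three-way condition is repeated in tcp_fastopen_cookie_check() with TFO_CLIENT_NO_COOKIE in place of TFO_SERVER_COOKIE_NOT_REQD, which is a good argument for a small helper taking the sysctl flag as a parameter so the two sites cannot drift apart.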
> > @@ -370,6 +373,7 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
> >                                struct tcp_fastopen_cookie *cookie)
> >  {
> >         unsigned long last_syn_loss = 0;
> > +       const struct dst_entry *dst;
> >         int syn_loss = 0;
> >
> >         tcp_fastopen_cache_get(sk, mss, cookie, &syn_loss, &last_syn_loss);
> > @@ -387,7 +391,11 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
> >                 return false;
> >         }
> >
> > -       if (sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) {
> > +       dst = __sk_dst_get(sk);
> > +
> > +       if ((sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) ||
> > +           tcp_sk(sk)->fastopen_no_cookie ||
> > +           (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE))) {
> Perhaps a helper, e.g. tcp_fastopen_needs_cookie(sysctl_flag), for this
> function and tcp_try_fastopen() to tidy the code a bit?

Sure, I will create a helper.


Thanks,
Christoph
