From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,NICE_REPLY_A, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,UNPARSEABLE_RELAY,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1346BC4741F for ; Mon, 9 Nov 2020 10:12:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C26D52076E for ; Mon, 9 Nov 2020 10:12:46 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729081AbgKIKMp (ORCPT ); Mon, 9 Nov 2020 05:12:45 -0500 Received: from out30-131.freemail.mail.aliyun.com ([115.124.30.131]:53982 "EHLO out30-131.freemail.mail.aliyun.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726176AbgKIKMp (ORCPT ); Mon, 9 Nov 2020 05:12:45 -0500 X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R231e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=e01e04400;MF=wenan.mao@linux.alibaba.com;NM=1;PH=DS;RN=8;SR=0;TI=SMTPD_---0UEhrQpj_1604916760; Received: from B-44NBMD6M-0121.local(mailfrom:wenan.mao@linux.alibaba.com fp:SMTPD_---0UEhrQpj_1604916760) by smtp.aliyun-inc.com(127.0.0.1); Mon, 09 Nov 2020 18:12:40 +0800 Subject: Re: [PATCH net v2] net: Update window_clamp if SOCK_RCVBUF is set To: Eric Dumazet Cc: David Miller , Alexey Kuznetsov , Hideaki YOSHIFUJI , Jakub Kicinski , netdev , LKML , kernel-janitors@vger.kernel.org References: <1604913614-19432-1-git-send-email-wenan.mao@linux.alibaba.com> <1604914417-24578-1-git-send-email-wenan.mao@linux.alibaba.com> From: Mao Wenan Message-ID: <3b92167c-201c-e85d-822d-06f0c9ac508c@linux.alibaba.com> Date: Mon, 9 Nov 2020 18:12:40 +0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.3.2 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2020/11/9 下午5:56, Eric Dumazet 写道: > On Mon, Nov 9, 2020 at 10:33 AM Mao Wenan wrote: >> >> When net.ipv4.tcp_syncookies=1 and syn flood is happened, >> cookie_v4_check or cookie_v6_check tries to redo what >> tcp_v4_send_synack or tcp_v6_send_synack did, >> rsk_window_clamp will be changed if SOCK_RCVBUF is set, >> which will make rcv_wscale is different, the client >> still operates with initial window scale and can overshot >> granted window, the client use the initial scale but local >> server use new scale to advertise window value, and session >> work abnormally. > > What is not working exactly ? > > Sending a 'big wscale' should not really matter, unless perhaps there > is a buggy stack at the remote end ? 1)in tcp_v4_send_synack, if SO_RCVBUF is set and tcp_full_space(sk)=65535, pass req->rsk_window_clamp=65535 to tcp_select_initial_window, rcv_wscale will be zero, and send to client, the client consider wscale is 0; 2)when ack is back from client, if there is no this patch, req->rsk_window_clamp is 0, and pass to tcp_select_initial_window, wscale will be 7, this new rcv_wscale is no way to advertise to client. 3)if server send rcv_wind to client with window=63, it consider the real window is 63*2^7=8064, but client consider the server window is only 63*2^0=63, it can't send big packet to server, and the send-q of client is full. > >> >> Signed-off-by: Mao Wenan >> --- >> v2: fix for ipv6. >> net/ipv4/syncookies.c | 4 ++++ >> net/ipv6/syncookies.c | 5 +++++ >> 2 files changed, 9 insertions(+) >> >> diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c >> index 6ac473b..57ce317 100644 >> --- a/net/ipv4/syncookies.c >> +++ b/net/ipv4/syncookies.c >> @@ -427,6 +427,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) >> >> /* Try to redo what tcp_v4_send_synack did. */ >> req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW); >> + /* limit the window selection if the user enforce a smaller rx buffer */ >> + if (sk->sk_userlocks & SOCK_RCVBUF_LOCK && >> + (req->rsk_window_clamp > tcp_full_space(sk) || req->rsk_window_clamp == 0)) >> + req->rsk_window_clamp = tcp_full_space(sk); > > This seems not needed to me. > > We call tcp_select_initial_window() with tcp_full_space(sk) passed as > the 2nd parameter. > > tcp_full_space(sk) will then apply : > > space = min(*window_clamp, space); if cookie_v4_check pass window_clamp=0 to tcp_select_initial_window, it will set window_clamp to max value. (*window_clamp) = (U16_MAX << TCP_MAX_WSCALE); but space will fetch from sysctl_rmem_max and sysctl_tcp_rmem[2] which is also big value. space = max_t(u32, space, sock_net(sk)->ipv4.sysctl_tcp_rmem[2]); space = max_t(u32, space, sysctl_rmem_max); Then,space = min(*window_clamp, space) is a big value, lead wscale to 7, is different from tcp_v4_send_synack. > > Please cook a packetdrill test to demonstrate what you are seeing ? > I have real environment and reproduce this case, this patch can fix that, i will try to use packetdrill with syn cookies and syn flood happen. From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mao Wenan Date: Mon, 09 Nov 2020 10:12:40 +0000 Subject: Re: [PATCH net v2] net: Update window_clamp if SOCK_RCVBUF is set Message-Id: <3b92167c-201c-e85d-822d-06f0c9ac508c@linux.alibaba.com> List-Id: References: <1604913614-19432-1-git-send-email-wenan.mao@linux.alibaba.com> <1604914417-24578-1-git-send-email-wenan.mao@linux.alibaba.com> In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1254" Content-Transfer-Encoding: base64 To: Eric Dumazet Cc: David Miller , Alexey Kuznetsov , Hideaki YOSHIFUJI , Jakub Kicinski , netdev , LKML , kernel-janitors@vger.kernel.org CgrlnKggMjAyMC8xMS85IOS4i+WNiDU6NTYsIEVyaWMgRHVtYXpldCDlhpnpgZM6Cj4gT24gTW9u LCBOb3YgOSwgMjAyMCBhdCAxMDozMyBBTSBNYW8gV2VuYW4gPHdlbmFuLm1hb0BsaW51eC5hbGli YWJhLmNvbT4gd3JvdGU6Cj4+Cj4+IFdoZW4gbmV0LmlwdjQudGNwX3N5bmNvb2tpZXM9MSBhbmQg c3luIGZsb29kIGlzIGhhcHBlbmVkLAo+PiBjb29raWVfdjRfY2hlY2sgb3IgY29va2llX3Y2X2No ZWNrIHRyaWVzIHRvIHJlZG8gd2hhdAo+PiB0Y3BfdjRfc2VuZF9zeW5hY2sgb3IgdGNwX3Y2X3Nl bmRfc3luYWNrIGRpZCwKPj4gcnNrX3dpbmRvd19jbGFtcCB3aWxsIGJlIGNoYW5nZWQgaWYgU09D S19SQ1ZCVUYgaXMgc2V0LAo+PiB3aGljaCB3aWxsIG1ha2UgcmN2X3dzY2FsZSBpcyBkaWZmZXJl bnQsIHRoZSBjbGllbnQKPj4gc3RpbGwgb3BlcmF0ZXMgd2l0aCBpbml0aWFsIHdpbmRvdyBzY2Fs ZSBhbmQgY2FuIG92ZXJzaG90Cj4+IGdyYW50ZWQgd2luZG93LCB0aGUgY2xpZW50IHVzZSB0aGUg aW5pdGlhbCBzY2FsZSBidXQgbG9jYWwKPj4gc2VydmVyIHVzZSBuZXcgc2NhbGUgdG8gYWR2ZXJ0 aXNlIHdpbmRvdyB2YWx1ZSwgYW5kIHNlc3Npb24KPj4gd29yayBhYm5vcm1hbGx5Lgo+IAo+IFdo YXQgaXMgbm90IHdvcmtpbmcgZXhhY3RseSA/Cj4gCj4gU2VuZGluZyBhICdiaWcgd3NjYWxlJyBz aG91bGQgbm90IHJlYWxseSBtYXR0ZXIsIHVubGVzcyBwZXJoYXBzIHRoZXJlCj4gaXMgYSBidWdn eSBzdGFjayBhdCB0aGUgcmVtb3RlIGVuZCA/CjEpaW4gdGNwX3Y0X3NlbmRfc3luYWNrLCBpZiBT T19SQ1ZCVUYgaXMgc2V0IGFuZCAKdGNwX2Z1bGxfc3BhY2Uoc2spZTUzNSwgcGFzcyByZXEtPnJz a193aW5kb3dfY2xhbXBlNTM1IHRvIAp0Y3Bfc2VsZWN0X2luaXRpYWxfd2luZG93LCByY3Zfd3Nj YWxlIHdpbGwgYmUgemVybywgYW5kIHNlbmQgdG8gY2xpZW50LCAKdGhlIGNsaWVudCBjb25zaWRl ciB3c2NhbGUgaXMgMDsKMil3aGVuIGFjayBpcyBiYWNrIGZyb20gY2xpZW50LCBpZiB0aGVyZSBp cyBubyB0aGlzIHBhdGNoLCAKcmVxLT5yc2tfd2luZG93X2NsYW1wIGlzIDAsIGFuZCBwYXNzIHRv IHRjcF9zZWxlY3RfaW5pdGlhbF93aW5kb3csIAp3c2NhbGUgd2lsbCBiZSA3LCB0aGlzIG5ldyBy Y3Zfd3NjYWxlIGlzIG5vIHdheSB0byBhZHZlcnRpc2UgdG8gY2xpZW50LgozKWlmIHNlcnZlciBz ZW5kIHJjdl93aW5kIHRvIGNsaWVudCB3aXRoIHdpbmRvd2MsIGl0IGNvbnNpZGVyIHRoZSByZWFs CndpbmRvdyBpcyA2MyoyXjeANjQsIGJ1dCBjbGllbnQgY29uc2lkZXIgdGhlIHNlcnZlciB3aW5k b3cgaXMgb25seSAKNjMqMl4wYywgaXQgY2FuJ3Qgc2VuZCBiaWcgcGFja2V0IHRvIHNlcnZlciwg YW5kIHRoZSBzZW5kLXEgb2YgY2xpZW50CmlzIGZ1bGwuCgoKPiAKPj4KPj4gU2lnbmVkLW9mZi1i eTogTWFvIFdlbmFuIDx3ZW5hbi5tYW9AbGludXguYWxpYmFiYS5jb20+Cj4+IC0tLQo+PiAgIHYy OiBmaXggZm9yIGlwdjYuCj4+ICAgbmV0L2lwdjQvc3luY29va2llcy5jIHwgNCArKysrCj4+ICAg bmV0L2lwdjYvc3luY29va2llcy5jIHwgNSArKysrKwo+PiAgIDIgZmlsZXMgY2hhbmdlZCwgOSBp bnNlcnRpb25zKCspCj4+Cj4+IGRpZmYgLS1naXQgYS9uZXQvaXB2NC9zeW5jb29raWVzLmMgYi9u ZXQvaXB2NC9zeW5jb29raWVzLmMKPj4gaW5kZXggNmFjNDczYi4uNTdjZTMxNyAxMDA2NDQKPj4g LS0tIGEvbmV0L2lwdjQvc3luY29va2llcy5jCj4+ICsrKyBiL25ldC9pcHY0L3N5bmNvb2tpZXMu Ywo+PiBAQCAtNDI3LDYgKzQyNywxMCBAQCBzdHJ1Y3Qgc29jayAqY29va2llX3Y0X2NoZWNrKHN0 cnVjdCBzb2NrICpzaywgc3RydWN0IHNrX2J1ZmYgKnNrYikKPj4KPj4gICAgICAgICAgLyogVHJ5 IHRvIHJlZG8gd2hhdCB0Y3BfdjRfc2VuZF9zeW5hY2sgZGlkLiAqLwo+PiAgICAgICAgICByZXEt PnJza193aW5kb3dfY2xhbXAgPSB0cC0+d2luZG93X2NsYW1wID8gOmRzdF9tZXRyaWMoJnJ0LT5k c3QsIFJUQVhfV0lORE9XKTsKPj4gKyAgICAgICAvKiBsaW1pdCB0aGUgd2luZG93IHNlbGVjdGlv biBpZiB0aGUgdXNlciBlbmZvcmNlIGEgc21hbGxlciByeCBidWZmZXIgKi8KPj4gKyAgICAgICBp ZiAoc2stPnNrX3VzZXJsb2NrcyAmIFNPQ0tfUkNWQlVGX0xPQ0sgJiYKPj4gKyAgICAgICAgICAg KHJlcS0+cnNrX3dpbmRvd19jbGFtcCA+IHRjcF9mdWxsX3NwYWNlKHNrKSB8fCByZXEtPnJza193 aW5kb3dfY2xhbXAgPSAwKSkKPj4gKyAgICAgICAgICAgICAgIHJlcS0+cnNrX3dpbmRvd19jbGFt cCA9IHRjcF9mdWxsX3NwYWNlKHNrKTsKPiAKPiBUaGlzIHNlZW1zIG5vdCBuZWVkZWQgdG8gbWUu Cj4gCj4gV2UgY2FsbCB0Y3Bfc2VsZWN0X2luaXRpYWxfd2luZG93KCkgd2l0aCB0Y3BfZnVsbF9z cGFjZShzaykgcGFzc2VkIGFzCj4gdGhlIDJuZCBwYXJhbWV0ZXIuCj4gCj4gdGNwX2Z1bGxfc3Bh Y2Uoc2spIHdpbGwgdGhlbiBhcHBseSA6Cj4gCj4gc3BhY2UgPSBtaW4oKndpbmRvd19jbGFtcCwg c3BhY2UpOwoKaWYgY29va2llX3Y0X2NoZWNrIHBhc3Mgd2luZG93X2NsYW1wPTAgdG8gdGNwX3Nl bGVjdF9pbml0aWFsX3dpbmRvdywgaXQgCndpbGwgc2V0IHdpbmRvd19jbGFtcCB0byBtYXggdmFs dWUuCigqd2luZG93X2NsYW1wKSA9IChVMTZfTUFYIDw8IFRDUF9NQVhfV1NDQUxFKTsKCmJ1dCBz cGFjZSB3aWxsIGZldGNoIGZyb20gc3lzY3RsX3JtZW1fbWF4IGFuZCBzeXNjdGxfdGNwX3JtZW1b Ml0gd2hpY2ggCmlzIGFsc28gYmlnIHZhbHVlLgpzcGFjZSA9IG1heF90KHUzMiwgc3BhY2UsIHNv Y2tfbmV0KHNrKS0+aXB2NC5zeXNjdGxfdGNwX3JtZW1bMl0pOwpzcGFjZSA9IG1heF90KHUzMiwg c3BhY2UsIHN5c2N0bF9ybWVtX21heCk7CgpUaGVuLHNwYWNlID0gbWluKCp3aW5kb3dfY2xhbXAs IHNwYWNlKSBpcyBhIGJpZyB2YWx1ZSwgbGVhZCB3c2NhbGUgdG8gNywKaXMgZGlmZmVyZW50IGZy b20gdGNwX3Y0X3NlbmRfc3luYWNrLgoKCj4gCj4gUGxlYXNlIGNvb2sgYSBwYWNrZXRkcmlsbCB0 ZXN0IHRvIGRlbW9uc3RyYXRlIHdoYXQgeW91IGFyZSBzZWVpbmcgPwo+IApJIGhhdmUgcmVhbCBl bnZpcm9ubWVudCBhbmQgcmVwcm9kdWNlIHRoaXMgY2FzZSwgdGhpcyBwYXRjaCBjYW4gZml4IAp0 aGF0LCBpIHdpbGwgdHJ5IHRvIHVzZSBwYWNrZXRkcmlsbCB3aXRoIHN5biBjb29raWVzIGFuZCBz eW4gZmxvb2QgaGFwcGVuLgo=