From: Maxim Mikityanskiy <maximmi@nvidia.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>, Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
David Ahern <dsahern@kernel.org>,
"Jesper Dangaard Brouer" <hawk@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
"Nick Desaulniers" <ndesaulniers@google.com>,
Brendan Jackman <jackmanb@google.com>,
Florent Revest <revest@chromium.org>,
Joe Stringer <joe@cilium.io>, Lorenz Bauer <lmb@cloudflare.com>,
Tariq Toukan <tariqt@nvidia.com>, <netdev@vger.kernel.org>,
<bpf@vger.kernel.org>, <clang-built-linux@googlegroups.com>
Subject: Re: [PATCH bpf-next 09/10] bpf: Add a helper to issue timestamp cookies in XDP
Date: Wed, 20 Oct 2021 16:16:10 +0300 [thread overview]
Message-ID: <6e7a3867-257e-6979-1d86-d6dd7764af2e@nvidia.com> (raw)
In-Reply-To: <834e92a4-8a4d-945f-c894-9730ff7d91dc@gmail.com>
On 2021-10-19 19:45, Eric Dumazet wrote:
>
>
> On 10/19/21 7:46 AM, Maxim Mikityanskiy wrote:
>> The new helper bpf_tcp_raw_gen_tscookie allows an XDP program to
>> generate timestamp cookies (to be used together with SYN cookies) which
>> encode different options set by the client in the SYN packet: SACK
>> support, ECN support, window scale. These options are encoded in lower
>> bits of the timestamp, which will be returned by the client in a
>> subsequent ACK packet. The format is the same used by synproxy.
>>
>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
>> Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
>> ---
>> include/net/tcp.h | 1 +
>> include/uapi/linux/bpf.h | 27 +++++++++++++++
>> net/core/filter.c | 38 +++++++++++++++++++++
>> net/ipv4/syncookies.c | 60 ++++++++++++++++++++++++++++++++++
>> tools/include/uapi/linux/bpf.h | 27 +++++++++++++++
>> 5 files changed, 153 insertions(+)
>>
>> diff --git a/include/net/tcp.h b/include/net/tcp.h
>> index 1cc96a225848..651820bef6a2 100644
>> --- a/include/net/tcp.h
>> +++ b/include/net/tcp.h
>> @@ -564,6 +564,7 @@ u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th,
>> u16 *mssp);
>> __u32 cookie_v4_init_sequence(const struct sk_buff *skb, __u16 *mss);
>> u64 cookie_init_timestamp(struct request_sock *req, u64 now);
>> +bool cookie_init_timestamp_raw(struct tcphdr *th, __be32 *tsval, __be32 *tsecr);
>> bool cookie_timestamp_decode(const struct net *net,
>> struct tcp_options_received *opt);
>> bool cookie_ecn_ok(const struct tcp_options_received *opt,
>> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
>> index e32f72077250..791790b41874 100644
>> --- a/include/uapi/linux/bpf.h
>> +++ b/include/uapi/linux/bpf.h
>> @@ -5053,6 +5053,32 @@ union bpf_attr {
>> *
>> * **-EPROTONOSUPPORT** if the IP version is not 4 or 6 (or 6, but
>> * CONFIG_IPV6 is disabled).
>> + *
>> + * int bpf_tcp_raw_gen_tscookie(struct tcphdr *th, u32 th_len, __be32 *tsopt, u32 tsopt_len)
>> + * Description
>> + * Try to generate a timestamp cookie which encodes some of the
>> + * flags sent by the client in the SYN packet: SACK support, ECN
>> + * support, window scale. To be used with SYN cookies.
>> + *
>> + * *th* points to the start of the TCP header of the client's SYN
>> + * packet, while *th_len* contains the length of the TCP header (at
>> + * least **sizeof**\ (**struct tcphdr**)).
>> + *
>> + * *tsopt* points to the output location where to put the resulting
>> + * timestamp values: tsval and tsecr, in the format of the TCP
>> + * timestamp option.
>> + *
>> + * Return
>> + * On success, 0.
>> + *
>> + * On failure, the returned value is one of the following:
>> + *
>> + * **-EINVAL** if the input arguments are invalid.
>> + *
>> + * **-ENOENT** if the TCP header doesn't have the timestamp option.
>> + *
>> + * **-EOPNOTSUPP** if the kernel configuration does not enable SYN
>> + * cookies (CONFIG_SYN_COOKIES is off).
>> */
>> #define __BPF_FUNC_MAPPER(FN) \
>> FN(unspec), \
>> @@ -5238,6 +5264,7 @@ union bpf_attr {
>> FN(ct_release), \
>> FN(tcp_raw_gen_syncookie), \
>> FN(tcp_raw_check_syncookie), \
>> + FN(tcp_raw_gen_tscookie), \
>> /* */
>>
>> /* integer value in 'imm' field of BPF_CALL instruction selects which helper
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 5f03d4a282a0..73fe20ef7442 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -7403,6 +7403,42 @@ static const struct bpf_func_proto bpf_tcp_raw_check_syncookie_proto = {
>> .arg4_type = ARG_CONST_SIZE,
>> };
>>
>> +BPF_CALL_4(bpf_tcp_raw_gen_tscookie, struct tcphdr *, th, u32, th_len,
>> + __be32 *, tsopt, u32, tsopt_len)
>> +{
>> + int err;
>> +
>> +#ifdef CONFIG_SYN_COOKIES
>> + if (tsopt_len != sizeof(u64)) {
>> + err = -EINVAL;
>> + goto err_out;
>> + }
>> +
>> + if (!cookie_init_timestamp_raw(th, &tsopt[0], &tsopt[1])) {
>> + err = -ENOENT;
>> + goto err_out;
>> + }
>> +
>> + return 0;
>> +err_out:
>> +#else
>> + err = -EOPNOTSUPP;
>> +#endif
>> + memset(tsopt, 0, tsopt_len);
>> + return err;
>> +}
>> +
>> +static const struct bpf_func_proto bpf_tcp_raw_gen_tscookie_proto = {
>> + .func = bpf_tcp_raw_gen_tscookie,
>> + .gpl_only = false,
>> + .pkt_access = true,
>> + .ret_type = RET_INTEGER,
>> + .arg1_type = ARG_PTR_TO_MEM,
>> + .arg2_type = ARG_CONST_SIZE,
>> + .arg3_type = ARG_PTR_TO_UNINIT_MEM,
>> + .arg4_type = ARG_CONST_SIZE,
>> +};
>> +
>> #endif /* CONFIG_INET */
>>
>> bool bpf_helper_changes_pkt_data(void *func)
>> @@ -7825,6 +7861,8 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>> return &bpf_tcp_raw_gen_syncookie_proto;
>> case BPF_FUNC_tcp_raw_check_syncookie:
>> return &bpf_tcp_raw_check_syncookie_proto;
>> + case BPF_FUNC_tcp_raw_gen_tscookie:
>> + return &bpf_tcp_raw_gen_tscookie_proto;
>> #endif
>> default:
>> return bpf_sk_base_func_proto(func_id);
>> diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
>> index 8696dc343ad2..4dd2c7a096eb 100644
>> --- a/net/ipv4/syncookies.c
>> +++ b/net/ipv4/syncookies.c
>> @@ -85,6 +85,66 @@ u64 cookie_init_timestamp(struct request_sock *req, u64 now)
>> return (u64)ts * (NSEC_PER_SEC / TCP_TS_HZ);
>> }
>>
>> +bool cookie_init_timestamp_raw(struct tcphdr *th, __be32 *tsval, __be32 *tsecr)
>> +{
>> + int length = (th->doff * 4) - sizeof(*th);
>> + u8 wscale = TS_OPT_WSCALE_MASK;
>> + bool option_timestamp = false;
>> + bool option_sack = false;
>> + u32 cookie;
>> + u8 *ptr;
>> +
>> + ptr = (u8 *)(th + 1);
>> +
>> + while (length > 0) {
>> + u8 opcode = *ptr++;
>> + u8 opsize;
>> +
>> + if (opcode == TCPOPT_EOL)
>> + break;
>> + if (opcode == TCPOPT_NOP) {
>> + length--;
>> + continue;
>> + }
>> +
>> + if (length < 2)
>> + break;
>> + opsize = *ptr++;
>> + if (opsize < 2)
>> + break;
>> + if (opsize > length)
>> + break;
>> +
>> + switch (opcode) {
>> + case TCPOPT_WINDOW:
>
> You must check osize.
>
>> + wscale = min_t(u8, *ptr, TCP_MAX_WSCALE);
>> + break;
>> + case TCPOPT_TIMESTAMP:
>
> You must check opsize.
Ack.
>> + option_timestamp = true;
>> + /* Client's tsval becomes our tsecr. */
>> + *tsecr = cpu_to_be32(get_unaligned_be32(ptr));
>
> Please avoid useless ntohl/htonl dance (even if compiler probably optimizes this)
> No need to obfuscate :)
No obfuscation intended - I thought I was clearer this way. I can change it.
Thanks for reviewing!
>
> *tsecr = get_unaligned((__be32 *)ptr);
>
>> + break;
>> + case TCPOPT_SACK_PERM:
>> + option_sack = true;
>> + break;
>> + }
>> +
>> + ptr += opsize - 2;
>> + length -= opsize;
>> + }
>> +
>> + if (!option_timestamp)
>> + return false;
>> +
>> + cookie = tcp_time_stamp_raw() & ~TSMASK;
>> + cookie |= wscale & TS_OPT_WSCALE_MASK;
>> + if (option_sack)
>> + cookie |= TS_OPT_SACK;
>> + if (th->ece && th->cwr)
>> + cookie |= TS_OPT_ECN;
>> + *tsval = cpu_to_be32(cookie);
>> + return true;
>> +}
>>
>> static __u32 secure_tcp_syn_cookie(__be32 saddr, __be32 daddr, __be16 sport,
>> __be16 dport, __u32 sseq, __u32 data)
>> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
>> index e32f72077250..791790b41874 100644
>> --- a/tools/include/uapi/linux/bpf.h
>> +++ b/tools/include/uapi/linux/bpf.h
>> @@ -5053,6 +5053,32 @@ union bpf_attr {
>> *
>> * **-EPROTONOSUPPORT** if the IP version is not 4 or 6 (or 6, but
>> * CONFIG_IPV6 is disabled).
>> + *
>> + * int bpf_tcp_raw_gen_tscookie(struct tcphdr *th, u32 th_len, __be32 *tsopt, u32 tsopt_len)
>> + * Description
>> + * Try to generate a timestamp cookie which encodes some of the
>> + * flags sent by the client in the SYN packet: SACK support, ECN
>> + * support, window scale. To be used with SYN cookies.
>> + *
>> + * *th* points to the start of the TCP header of the client's SYN
>> + * packet, while *th_len* contains the length of the TCP header (at
>> + * least **sizeof**\ (**struct tcphdr**)).
>> + *
>> + * *tsopt* points to the output location where to put the resulting
>> + * timestamp values: tsval and tsecr, in the format of the TCP
>> + * timestamp option.
>> + *
>> + * Return
>> + * On success, 0.
>> + *
>> + * On failure, the returned value is one of the following:
>> + *
>> + * **-EINVAL** if the input arguments are invalid.
>> + *
>> + * **-ENOENT** if the TCP header doesn't have the timestamp option.
>> + *
>> + * **-EOPNOTSUPP** if the kernel configuration does not enable SYN
>> + * cookies (CONFIG_SYN_COOKIES is off).
>> */
>> #define __BPF_FUNC_MAPPER(FN) \
>> FN(unspec), \
>> @@ -5238,6 +5264,7 @@ union bpf_attr {
>> FN(ct_release), \
>> FN(tcp_raw_gen_syncookie), \
>> FN(tcp_raw_check_syncookie), \
>> + FN(tcp_raw_gen_tscookie), \
>> /* */
>>
>> /* integer value in 'imm' field of BPF_CALL instruction selects which helper
>>
next prev parent reply other threads:[~2021-10-20 13:16 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-19 14:46 [PATCH bpf-next 00/10] New BPF helpers to accelerate synproxy Maxim Mikityanskiy
2021-10-19 14:46 ` [PATCH bpf-next 01/10] bpf: Use ipv6_only_sock in bpf_tcp_gen_syncookie Maxim Mikityanskiy
2021-10-19 14:46 ` [PATCH bpf-next 02/10] bpf: Support dual-stack sockets in bpf_tcp_check_syncookie Maxim Mikityanskiy
2021-10-19 14:46 ` [PATCH bpf-next 03/10] bpf: Use EOPNOTSUPP " Maxim Mikityanskiy
2021-10-19 14:46 ` [PATCH bpf-next 04/10] bpf: Make errors of bpf_tcp_check_syncookie distinguishable Maxim Mikityanskiy
2021-10-20 3:28 ` John Fastabend
2021-10-20 13:16 ` Maxim Mikityanskiy
2021-10-20 15:26 ` Lorenz Bauer
2021-10-19 14:46 ` [PATCH bpf-next 05/10] bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie Maxim Mikityanskiy
2021-10-19 14:46 ` [PATCH bpf-next 06/10] bpf: Expose struct nf_conn to BPF Maxim Mikityanskiy
2021-10-19 14:46 ` [PATCH bpf-next 07/10] bpf: Add helpers to query conntrack info Maxim Mikityanskiy
2021-10-20 3:56 ` Kumar Kartikeya Dwivedi
2021-10-20 9:28 ` Florian Westphal
2021-10-20 9:48 ` Toke Høiland-Jørgensen
2021-10-20 9:58 ` Florian Westphal
2021-10-20 12:21 ` Toke Høiland-Jørgensen
2021-10-20 12:44 ` Florian Westphal
2021-10-20 20:54 ` Toke Høiland-Jørgensen
2021-10-20 22:55 ` David Ahern
2021-10-21 7:36 ` Florian Westphal
2021-10-20 13:18 ` Maxim Mikityanskiy
2021-10-20 19:17 ` Kumar Kartikeya Dwivedi
2021-10-20 9:46 ` Toke Høiland-Jørgensen
2021-10-19 14:46 ` [PATCH bpf-next 08/10] bpf: Add helpers to issue and check SYN cookies in XDP Maxim Mikityanskiy
2021-10-19 14:46 ` [PATCH bpf-next 09/10] bpf: Add a helper to issue timestamp " Maxim Mikityanskiy
2021-10-19 16:45 ` Eric Dumazet
2021-10-20 13:16 ` Maxim Mikityanskiy [this message]
2021-10-20 15:56 ` Lorenz Bauer
2021-10-20 16:16 ` Toke Høiland-Jørgensen
2021-10-22 16:56 ` Maxim Mikityanskiy
2021-10-27 8:34 ` Lorenz Bauer
2021-11-01 11:14 ` Maxim Mikityanskiy
2021-11-03 2:10 ` Yonghong Song
2021-11-03 14:02 ` Maxim Mikityanskiy
2021-11-09 7:11 ` Yonghong Song
2021-11-25 14:34 ` Maxim Mikityanskiy
2021-11-26 5:43 ` Yonghong Song
2021-11-26 16:50 ` Maxim Mikityanskiy
2021-11-26 17:07 ` Yonghong Song
2021-11-29 17:51 ` Maxim Mikityanskiy
2021-12-01 6:39 ` Yonghong Song
2021-12-01 18:06 ` Andrii Nakryiko
2021-10-19 14:46 ` [PATCH bpf-next 10/10] bpf: Add sample for raw syncookie helpers Maxim Mikityanskiy
2021-10-20 18:01 ` Joe Stringer
2021-10-21 17:19 ` Maxim Mikityanskiy
2021-10-21 1:06 ` Alexei Starovoitov
2021-10-21 17:31 ` Maxim Mikityanskiy
2021-10-21 18:50 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6e7a3867-257e-6979-1d86-d6dd7764af2e@nvidia.com \
--to=maximmi@nvidia.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clang-built-linux@googlegroups.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=hawk@kernel.org \
--cc=jackmanb@google.com \
--cc=joe@cilium.io \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=lmb@cloudflare.com \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=netdev@vger.kernel.org \
--cc=revest@chromium.org \
--cc=songliubraving@fb.com \
--cc=tariqt@nvidia.com \
--cc=yhs@fb.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.