References: <20211019144655.3483197-1-maximmi@nvidia.com> <20211019144655.3483197-10-maximmi@nvidia.com>
In-Reply-To: <20211019144655.3483197-10-maximmi@nvidia.com>
From: Lorenz Bauer
Date: Wed, 20 Oct 2021 16:56:46 +0100
Subject: Re: [PATCH bpf-next 09/10] bpf: Add a helper to issue timestamp cookies in XDP
To: Maxim Mikityanskiy
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Eric Dumazet, "David S. Miller", Jakub Kicinski, Hideaki YOSHIFUJI, David Ahern, Jesper Dangaard Brouer, Nathan Chancellor, Nick Desaulniers, Brendan Jackman, Florent Revest, Joe Stringer, Tariq Toukan, Networking, bpf, clang-built-linux@googlegroups.com
X-Mailing-List: bpf@vger.kernel.org

On Tue, 19 Oct 2021 at 15:49, Maxim Mikityanskiy wrote:
>
> The new helper bpf_tcp_raw_gen_tscookie allows an XDP program to
> generate timestamp cookies (to be used together with SYN cookies) which
> encode different options set by the client in the SYN packet: SACK
> support, ECN support, window scale. These options are encoded in lower
> bits of the timestamp, which will be returned by the client in a
> subsequent ACK packet. The format is the same used by synproxy.
> > Signed-off-by: Maxim Mikityanskiy > Reviewed-by: Tariq Toukan > --- > include/net/tcp.h | 1 + > include/uapi/linux/bpf.h | 27 +++++++++++++++ > net/core/filter.c | 38 +++++++++++++++++++++ > net/ipv4/syncookies.c | 60 ++++++++++++++++++++++++++++++++++ > tools/include/uapi/linux/bpf.h | 27 +++++++++++++++ > 5 files changed, 153 insertions(+) > > diff --git a/include/net/tcp.h b/include/net/tcp.h > index 1cc96a225848..651820bef6a2 100644 > --- a/include/net/tcp.h > +++ b/include/net/tcp.h > @@ -564,6 +564,7 @@ u32 __cookie_v4_init_sequence(const struct iphdr *iph, const struct tcphdr *th, > u16 *mssp); > __u32 cookie_v4_init_sequence(const struct sk_buff *skb, __u16 *mss); > u64 cookie_init_timestamp(struct request_sock *req, u64 now); > +bool cookie_init_timestamp_raw(struct tcphdr *th, __be32 *tsval, __be32 *tsecr); > bool cookie_timestamp_decode(const struct net *net, > struct tcp_options_received *opt); > bool cookie_ecn_ok(const struct tcp_options_received *opt, > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h > index e32f72077250..791790b41874 100644 > --- a/include/uapi/linux/bpf.h > +++ b/include/uapi/linux/bpf.h 
> @@ -5053,6 +5053,32 @@ union bpf_attr { > * > * **-EPROTONOSUPPORT** if the IP version is not 4 or 6 (or 6, but > * CONFIG_IPV6 is disabled). > + * > + * int bpf_tcp_raw_gen_tscookie(struct tcphdr *th, u32 th_len, __be32 *tsopt, u32 tsopt_len) flags which must be 0? > + * Description > + * Try to generate a timestamp cookie which encodes some of the > + * flags sent by the client in the SYN packet: SACK support, ECN > + * support, window scale. To be used with SYN cookies. > + * > + * *th* points to the start of the TCP header of the client's SYN > + * packet, while *th_len* contains the length of the TCP header (at > + * least **sizeof**\ (**struct tcphdr**)). > + * > + * *tsopt* points to the output location where to put the resulting > + * timestamp values: tsval and tsecr, in the format of the TCP > + * timestamp option. > + * > + * Return > + * On success, 0. > + * > + * On failure, the returned value is one of the following: > + * > + * **-EINVAL** if the input arguments are invalid. > + * > + * **-ENOENT** if the TCP header doesn't have the timestamp option. > + * > + * **-EOPNOTSUPP** if the kernel configuration does not enable SYN > + * cookies (CONFIG_SYN_COOKIES is off). > */ > #define __BPF_FUNC_MAPPER(FN) \ > FN(unspec), \ > @@ -5238,6 +5264,7 @@ union bpf_attr { > FN(ct_release), \ > FN(tcp_raw_gen_syncookie), \ > FN(tcp_raw_check_syncookie), \ > + FN(tcp_raw_gen_tscookie), \ > /* */ > > /* integer value in 'imm' field of BPF_CALL instruction selects which helper > diff --git a/net/core/filter.c b/net/core/filter.c > index 5f03d4a282a0..73fe20ef7442 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c 
> @@ -7403,6 +7403,42 @@ static const struct bpf_func_proto bpf_tcp_raw_check_syncookie_proto = { > .arg4_type = ARG_CONST_SIZE, > }; > > +BPF_CALL_4(bpf_tcp_raw_gen_tscookie, struct tcphdr *, th, u32, th_len, > + __be32 *, tsopt, u32, tsopt_len) > +{ > + int err; Missing check for th_len? > + > +#ifdef CONFIG_SYN_COOKIES > + if (tsopt_len != sizeof(u64)) { sizeof(u32) * 2? That u64 isn't really relevant here. > + err = -EINVAL; > + goto err_out; > + } > + > + if (!cookie_init_timestamp_raw(th, &tsopt[0], &tsopt[1])) { > + err = -ENOENT; > + goto err_out; > + } > + > + return 0; > +err_out: > +#else > + err = -EOPNOTSUPP; > +#endif > + memset(tsopt, 0, tsopt_len); > + return err; > +} > + > +static const struct bpf_func_proto bpf_tcp_raw_gen_tscookie_proto = { > + .func = bpf_tcp_raw_gen_tscookie, > + .gpl_only = false, > + .pkt_access = true, > + .ret_type = RET_INTEGER, > + .arg1_type = ARG_PTR_TO_MEM, > + .arg2_type = ARG_CONST_SIZE, > + .arg3_type = ARG_PTR_TO_UNINIT_MEM, > + .arg4_type = ARG_CONST_SIZE, > +}; > + > #endif /* CONFIG_INET */ > > bool bpf_helper_changes_pkt_data(void *func) > @@ -7825,6 +7861,8 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) > return &bpf_tcp_raw_gen_syncookie_proto; > case BPF_FUNC_tcp_raw_check_syncookie: > return &bpf_tcp_raw_check_syncookie_proto; > + case BPF_FUNC_tcp_raw_gen_tscookie: > + return &bpf_tcp_raw_gen_tscookie_proto; > #endif > default: > return bpf_sk_base_func_proto(func_id); > diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c > index 8696dc343ad2..4dd2c7a096eb 100644 > --- a/net/ipv4/syncookies.c > +++ b/net/ipv4/syncookies.c 
> @@ -85,6 +85,66 @@ u64 cookie_init_timestamp(struct request_sock *req, u64 now) > return (u64)ts * (NSEC_PER_SEC / TCP_TS_HZ); > } > > +bool cookie_init_timestamp_raw(struct tcphdr *th, __be32 *tsval, __be32 *tsecr) I'm probably missing context, Is there something in this function that means you can't implement it in BPF? Lorenz -- Lorenz Bauer | Systems Engineer 6th Floor, County Hall/The Riverside Building, SE1 7PB, UK www.cloudflare.com
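
Review bot: The helper description added to include/uapi/linux/bpf.h documents *th*, *th_len* and *tsopt* but never *tsopt_len*, although the implementation in net/core/filter.c returns -EINVAL for any value other than sizeof(u64). State the required size (two 32-bit words, tsval followed by tsecr) in the Description so that callers do not have to read filter.c to find it.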
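
Review bot: th_len is accepted as the second argument of bpf_tcp_raw_gen_tscookie in net/core/filter.c but is never read in the body, and cookie_init_timestamp_raw(th, &tsopt[0], &tsopt[1]) is called without any length, so nothing visible here ties the option parsing to the size the verifier checked for *th*. Return -EINVAL when th_len < sizeof(*th), as the helper documentation promises for invalid arguments, and pass the length down (or compare it with th->doff * 4) before the options are walked.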
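
Review bot: The new prototype cookie_init_timestamp_raw() in include/net/tcp.h takes a non-const struct tcphdr *th, while __cookie_v4_init_sequence() just above it takes const struct tcphdr *th. If the function only reads the client's SYN header, declare th as const so that a helper registered with .pkt_access = true cannot modify packet data through it by accident.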
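
The commit message quoted above says the client's SYN options are carried in the lower bits of the timestamp and come back in the ACK. As an added example (not code from the patch or from the kernel), this user-space C program encodes and decodes those bits; the bit layout is an assumption taken from mainline's TS_OPT_* and TSBITS definitions, which the page does not show, and struct syn_opts and the tscookie_* names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout assumed from mainline TS_OPT_* and TSBITS; not shown on this page. */
#define TS_OPT_WSCALE_MASK 0xfu       /* all ones = client sent no window scale */
#define TS_OPT_SACK        (1u << 4)
#define TS_OPT_ECN         (1u << 5)
#define TSBITS             6
#define TSMASK             ((1u << TSBITS) - 1)

struct syn_opts {                     /* hypothetical container for this example */
    bool wscale_ok, sack_ok, ecn_ok;
    uint8_t snd_wscale;               /* valid TCP values are 0..14 */
};

/* Server side, on SYN: fold the client's options into the low bits of tsval. */
uint32_t tscookie_encode(uint32_t ts_now, const struct syn_opts *o)
{
    uint32_t options = (o->wscale_ok && o->snd_wscale <= 14)
                           ? o->snd_wscale : TS_OPT_WSCALE_MASK;
    if (o->sack_ok) options |= TS_OPT_SACK;
    if (o->ecn_ok)  options |= TS_OPT_ECN;

    uint32_t ts = (ts_now & ~TSMASK) | options;
    if (ts > ts_now)                  /* never issue a timestamp from the future */
        ts -= 1u << TSBITS;           /* step back one 64-tick slot, keep the bits */
    return ts;
}

/* Server side, on ACK: recover the options from the echoed tsecr. */
struct syn_opts tscookie_decode(uint32_t tsecr)
{
    struct syn_opts o = { 0 };
    o.sack_ok = (tsecr & TS_OPT_SACK) != 0;
    o.ecn_ok  = (tsecr & TS_OPT_ECN) != 0;
    if ((tsecr & TS_OPT_WSCALE_MASK) != TS_OPT_WSCALE_MASK) {
        o.wscale_ok  = true;
        o.snd_wscale = tsecr & TS_OPT_WSCALE_MASK;
    }
    return o;
}

int main(void)
{
    struct syn_opts in = { .wscale_ok = true, .sack_ok = true, .snd_wscale = 7 };
    uint32_t tsval = tscookie_encode(1000, &in);  /* constructed clock value */
    struct syn_opts out = tscookie_decode(tsval);
    printf("tsval=%u wscale=%u sack=%d ecn=%d\n",
           tsval, out.snd_wscale, out.sack_ok, out.ecn_ok);
    return 0;
}
```

The echoed tsecr is client-controlled and carries no integrity protection of its own, so the decoded options should be checked against local policy before they are applied to the connection.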