bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
	edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
	Petar Penkov <ppenkov@google.com>
Subject: [bpf-next 0/6] Introduce a BPF helper to generate SYN cookies
Date: Mon, 22 Jul 2019 17:20:36 -0700	[thread overview]
Message-ID: <20190723002042.105927-1-ppenkov.kernel@gmail.com> (raw)

From: Petar Penkov <ppenkov@google.com>

This patch series introduces a BPF helper function that allows generating SYN
cookies from BPF. Currently, this helper is enabled at both the TC hook and the
XDP hook.

The first two patches in the series add/modify several TCP helper functions to
allow for SKB-less operation, as is the case at the XDP hook.

The third patch introduces the bpf_tcp_gen_syncookie helper function which
generates a SYN cookie for either XDP or TC programs. The return value of
this function contains both the MSS value, encoded in the cookie, and the
cookie itself.

The last three patches sync tools/ and add a test. 

Changes since RFC:
1/ Cookie is returned in host order at Alexei's suggestion
2/ If cookies are not enabled via a sysctl, the helper function returns
   -ENOENT instead of -EINVAL at Lorenz's suggestion
3/ Fixed documentation to properly reflect that MSS is 16 bits at
   Lorenz's suggestion
4/ BPF helper requires TCP length to match ->doff field, rather than to simply
   be no more than 20 bytes at Eric and Alexei's suggestion
5/ Packet type is looked up from the packet version field, rather than from the
   socket. v4 packets are rejected on v6-only sockets but should work with
   dual stack listeners at Eric's suggestion
6/ Removed unnecessary `net` argument from helper function in patch 2 at
   Lorenz's suggestion 
7/ Changed test to only pass MSS option so we can convince the verifier that the
   memory access is not out of bounds

Note that 7/ below illustrates the verifier might need to be extended to allow
passing a variable tcph->doff to the helper function like below:

__u32 thlen = tcph->doff * 4;
if (thlen < sizeof(*tcph))
__s64 cookie = bpf_tcp_gen_syncookie(sk, ipv4h, 20, tcph, thlen);

Petar Penkov (6):
  tcp: tcp_syn_flood_action read port from socket
  tcp: add skb-less helpers to retrieve SYN cookie
  bpf: add bpf_tcp_gen_syncookie helper
  bpf: sync bpf.h to tools/
  selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers
  selftests/bpf: add test for bpf_tcp_gen_syncookie

 include/net/tcp.h                             | 11 +++
 include/uapi/linux/bpf.h                      | 30 ++++++-
 net/core/filter.c                             | 73 ++++++++++++++++
 net/ipv4/tcp_input.c                          | 84 +++++++++++++++++--
 net/ipv4/tcp_ipv4.c                           |  8 ++
 net/ipv6/tcp_ipv6.c                           |  8 ++
 tools/include/uapi/linux/bpf.h                | 37 +++++++-
 tools/testing/selftests/bpf/bpf_helpers.h     |  3 +
 .../bpf/progs/test_tcp_check_syncookie_kern.c | 48 +++++++++--
 .../selftests/bpf/test_tcp_check_syncookie.sh |  3 +
 .../bpf/test_tcp_check_syncookie_user.c       | 61 ++++++++++++--
 11 files changed, 344 insertions(+), 22 deletions(-)


             reply	other threads:[~2019-07-23  0:20 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-07-23  0:20 Petar Penkov [this message]
2019-07-23  0:20 ` [bpf-next 1/6] tcp: tcp_syn_flood_action read port from socket Petar Penkov
2019-07-23  0:20 ` [bpf-next 2/6] tcp: add skb-less helpers to retrieve SYN cookie Petar Penkov
2019-07-24  6:05   ` kbuild test robot
2019-07-24  6:19   ` kbuild test robot
2019-07-23  0:20 ` [bpf-next 3/6] bpf: add bpf_tcp_gen_syncookie helper Petar Penkov
2019-07-23 12:33   ` Toke Høiland-Jørgensen
2019-07-24  0:15     ` Petar Penkov
2019-07-23  0:20 ` [bpf-next 4/6] bpf: sync bpf.h to tools/ Petar Penkov
2019-07-23  0:20 ` [bpf-next 5/6] selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers Petar Penkov
2019-07-23  0:20 ` [bpf-next 6/6] selftests/bpf: add test for bpf_tcp_gen_syncookie Petar Penkov
2019-07-23  9:37   ` Lorenz Bauer
2019-07-23 20:46     ` Alexei Starovoitov
2019-07-23  6:30 ` [bpf-next 0/6] Introduce a BPF helper to generate SYN cookies Eric Dumazet
2019-07-23 10:27 ` Lorenz Bauer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190723002042.105927-1-ppenkov.kernel@gmail.com \
    --to=ppenkov.kernel@gmail.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=lmb@cloudflare.com \
    --cc=netdev@vger.kernel.org \
    --cc=ppenkov@google.com \
    --cc=sdf@google.com \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).