From: Lorenz Bauer <lmb@cloudflare.com>
To: Petar Penkov <ppenkov.kernel@gmail.com>
Cc: Networking <netdev@vger.kernel.org>, bpf <bpf@vger.kernel.org>,
davem@davemloft.net, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Eric Dumazet <edumazet@google.com>,
sdf@google.com, Petar Penkov <ppenkov@google.com>
Subject: Re: [bpf-next RFC 2/6] tcp: add skb-less helpers to retrieve SYN cookie
Date: Tue, 16 Jul 2019 12:34:52 +0100 [thread overview]
Message-ID: <CACAyw99Umy6gaAu1DFTgemRXpZWmxeTSeCZDwdHWzLWeG8Ur3Q@mail.gmail.com> (raw)
In-Reply-To: <20190716002650.154729-3-ppenkov.kernel@gmail.com>
On Tue, 16 Jul 2019 at 01:27, Petar Penkov <ppenkov.kernel@gmail.com> wrote:
>
> From: Petar Penkov <ppenkov@google.com>
>
> This patch allows generation of a SYN cookie before an SKB has been
> allocated, as is the case at XDP.
>
> Signed-off-by: Petar Penkov <ppenkov@google.com>
> ---
> include/net/tcp.h | 11 ++++++
> net/ipv4/tcp_input.c | 79 ++++++++++++++++++++++++++++++++++++++++++++
> net/ipv4/tcp_ipv4.c | 8 +++++
> net/ipv6/tcp_ipv6.c | 8 +++++
> 4 files changed, 106 insertions(+)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index cca3c59b98bf..a128e22c0d5d 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -414,6 +414,17 @@ void tcp_parse_options(const struct net *net, const struct sk_buff *skb,
> int estab, struct tcp_fastopen_cookie *foc);
> const u8 *tcp_parse_md5sig_option(const struct tcphdr *th);
>
> +/*
> + * BPF SKB-less helpers
> + */
> +u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph,
> + struct tcphdr *tch, u32 *cookie);
> +u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph,
> + struct tcphdr *tch, u32 *cookie);
> +u16 tcp_get_syncookie(struct request_sock_ops *rsk_ops,
> + const struct tcp_request_sock_ops *af_ops,
> + struct sock *sk, void *iph, struct tcphdr *tch,
> + u32 *cookie);
> /*
> * TCP v4 functions exported for the inet6 API
> */
> diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
> index 8892df6de1d4..1406d7e0953c 100644
> --- a/net/ipv4/tcp_input.c
> +++ b/net/ipv4/tcp_input.c
> @@ -3782,6 +3782,52 @@ static void smc_parse_options(const struct tcphdr *th,
> #endif
> }
>
> +/* Try to parse the MSS option from the TCP header. Return 0 on failure, clamped
> + * value on success.
> + *
> + * Invoked for BPF SYN cookie generation, so th should be a SYN.
> + */
> +static u16 tcp_parse_mss_option(const struct net *net, const struct tcphdr *th,
> + u16 user_mss)
net seems unused?
> +{
> + const unsigned char *ptr = (const unsigned char *)(th + 1);
> + int length = (th->doff * 4) - sizeof(struct tcphdr);
> + u16 mss = 0;
> +
> + while (length > 0) {
> + int opcode = *ptr++;
> + int opsize;
> +
> + switch (opcode) {
> + case TCPOPT_EOL:
> + return mss;
> + case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
> + length--;
> + continue;
> + default:
> + if (length < 2)
> + return mss;
> + opsize = *ptr++;
> + if (opsize < 2) /* "silly options" */
> + return mss;
> + if (opsize > length)
> + return mss; /* fail on partial options */
> + if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS) {
> + u16 in_mss = get_unaligned_be16(ptr);
> +
> + if (in_mss) {
> + if (user_mss && user_mss < in_mss)
> + in_mss = user_mss;
> + mss = in_mss;
> + }
> + }
> + ptr += opsize - 2;
> + length -= opsize;
> + }
> + }
> + return mss;
> +}
> +
> /* Look for tcp options. Normally only called on SYN and SYNACK packets.
> * But, this can also be called on packets in the established flow when
> * the fast version below fails.
> @@ -6464,6 +6510,39 @@ static void tcp_reqsk_record_syn(const struct sock *sk,
> }
> }
>
> +u16 tcp_get_syncookie(struct request_sock_ops *rsk_ops,
> + const struct tcp_request_sock_ops *af_ops,
> + struct sock *sk, void *iph, struct tcphdr *th,
> + u32 *cookie)
> +{
> + u16 mss = 0;
> +#ifdef CONFIG_SYN_COOKIES
> + bool is_v4 = rsk_ops->family == AF_INET;
> + struct tcp_sock *tp = tcp_sk(sk);
> +
> + if (sock_net(sk)->ipv4.sysctl_tcp_syncookies != 2 &&
> + !inet_csk_reqsk_queue_is_full(sk))
> + return 0;
> +
> + if (!tcp_syn_flood_action(sk, rsk_ops->slab_name))
> + return 0;
> +
> + if (sk_acceptq_is_full(sk)) {
> + NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
> + return 0;
> + }
> +
> + mss = tcp_parse_mss_option(sock_net(sk), th, tp->rx_opt.user_mss);
> + if (!mss)
> + mss = af_ops->mss_clamp;
> +
> + tcp_synq_overflow(sk);
> + *cookie = is_v4 ? __cookie_v4_init_sequence(iph, th, &mss)
> + : __cookie_v6_init_sequence(iph, th, &mss);
> +#endif
> + return mss;
> +}
> +
> int tcp_conn_request(struct request_sock_ops *rsk_ops,
> const struct tcp_request_sock_ops *af_ops,
> struct sock *sk, struct sk_buff *skb)
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index d57641cb3477..0e06e59784bd 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1515,6 +1515,14 @@ static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb)
> return sk;
> }
>
> +u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph,
> + struct tcphdr *tch, u32 *cookie)
> +{
> + return tcp_get_syncookie(&tcp_request_sock_ops,
> + &tcp_request_sock_ipv4_ops, sk, iph, tch,
> + cookie);
> +}
> +
> /* The socket must have it's spinlock held when we get
> * here, unless it is a TCP_LISTEN socket.
> *
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index d56a9019a0fe..ce46cdba54bc 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1058,6 +1058,14 @@ static struct sock *tcp_v6_cookie_check(struct sock *sk, struct sk_buff *skb)
> return sk;
> }
>
> +u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph,
> + struct tcphdr *tch, u32 *cookie)
> +{
> + return tcp_get_syncookie(&tcp6_request_sock_ops,
> + &tcp_request_sock_ipv6_ops, sk, iph, tch,
> + cookie);
> +}
> +
> static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
> {
> if (skb->protocol == htons(ETH_P_IP))
> --
> 2.22.0.510.g264f2c817a-goog
>
--
Lorenz Bauer | Systems Engineer
6th Floor, County Hall/The Riverside Building, SE1 7PB, UK
www.cloudflare.com
next prev parent reply other threads:[~2019-07-16 11:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-16 0:26 [bpf-next RFC 0/6] Introduce a BPF helper to generate SYN cookies Petar Penkov
2019-07-16 0:26 ` [bpf-next RFC 1/6] tcp: tcp_syn_flood_action read port from socket Petar Penkov
2019-07-16 0:26 ` [bpf-next RFC 2/6] tcp: add skb-less helpers to retrieve SYN cookie Petar Penkov
2019-07-16 11:34 ` Lorenz Bauer [this message]
2019-07-17 0:23 ` Petar Penkov
2019-07-16 0:26 ` [bpf-next RFC 3/6] bpf: add bpf_tcp_gen_syncookie helper Petar Penkov
2019-07-16 7:59 ` Eric Dumazet
2019-07-16 11:56 ` Lorenz Bauer
2019-07-17 0:27 ` Petar Penkov
2019-07-17 2:26 ` Alexei Starovoitov
2019-07-17 3:33 ` Petar Penkov
2019-07-16 11:54 ` Lorenz Bauer
2019-07-16 0:26 ` [bpf-next RFC 4/6] bpf: sync bpf.h to tools/ Petar Penkov
2019-07-16 0:26 ` [bpf-next RFC 5/6] selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers Petar Penkov
2019-07-16 0:26 ` [bpf-next RFC 6/6] selftests/bpf: add test for bpf_tcp_gen_syncookie Petar Penkov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CACAyw99Umy6gaAu1DFTgemRXpZWmxeTSeCZDwdHWzLWeG8Ur3Q@mail.gmail.com \
--to=lmb@cloudflare.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=netdev@vger.kernel.org \
--cc=ppenkov.kernel@gmail.com \
--cc=ppenkov@google.com \
--cc=sdf@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).