From patchwork Tue Jul 16 00:26:45 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1132358 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next RFC 1/6] tcp: tcp_syn_flood_action read port from socket Date: Mon, 15 Jul 2019 17:26:45 -0700 Message-Id: <20190716002650.154729-2-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog In-Reply-To: <20190716002650.154729-1-ppenkov.kernel@gmail.com> References: <20190716002650.154729-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Petar Penkov This allows us to call this function before an SKB has been allocated.
Signed-off-by: Petar Penkov --- net/ipv4/tcp_input.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index c21e8a22fb3b..8892df6de1d4 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6422,9 +6422,7 @@ EXPORT_SYMBOL(inet_reqsk_alloc); /* * Return true if a syncookie should be sent */ -static bool tcp_syn_flood_action(const struct sock *sk, - const struct sk_buff *skb, - const char *proto) +static bool tcp_syn_flood_action(const struct sock *sk, const char *proto) { struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; const char *msg = "Dropping request"; @@ -6444,7 +6442,7 @@ static bool tcp_syn_flood_action(const struct sock *sk, net->ipv4.sysctl_tcp_syncookies != 2 && xchg(&queue->synflood_warned, 1) == 0) net_info_ratelimited("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n", - proto, ntohs(tcp_hdr(skb)->dest), msg); + proto, sk->sk_num, msg); return want_cookie; } 
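Review bot: replacing ntohs(tcp_hdr(skb)->dest) with sk->sk_num is behaviour-preserving only because sk here is the listener the SYN was demultiplexed to, so its bound port is the SYN's destination port; the commit message should say that, since the stated motivation is to call this function before an skb exists, where sk will come from a socket lookup rather than from the packet. sk_num is kept in host order, so printing it with %d and no ntohs() is correct.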
@@ -6487,7 +6485,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, */ if ((net->ipv4.sysctl_tcp_syncookies == 2 || inet_csk_reqsk_queue_is_full(sk)) && !isn) { - want_cookie = tcp_syn_flood_action(sk, skb, rsk_ops->slab_name); + want_cookie = tcp_syn_flood_action(sk, rsk_ops->slab_name); if (!want_cookie) goto drop; }
From patchwork Tue Jul 16 00:26:46 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1132361 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next RFC 2/6] tcp: add skb-less helpers to retrieve SYN cookie Date: Mon, 15 Jul 2019 17:26:46 -0700 Message-Id: <20190716002650.154729-3-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog In-Reply-To: <20190716002650.154729-1-ppenkov.kernel@gmail.com> References: <20190716002650.154729-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Petar Penkov This patch allows generation of a SYN cookie before an SKB has been allocated, as is the case at XDP. Signed-off-by: Petar Penkov --- include/net/tcp.h | 11 ++++++ net/ipv4/tcp_input.c | 79 ++++++++++++++++++++++++++++++++++++++++++++ net/ipv4/tcp_ipv4.c | 8 +++++ net/ipv6/tcp_ipv6.c | 8 +++++ 4 files changed, 106 insertions(+) diff --git a/include/net/tcp.h b/include/net/tcp.h index cca3c59b98bf..a128e22c0d5d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -414,6 +414,17 @@ void tcp_parse_options(const struct net *net, const struct sk_buff *skb, int estab, struct tcp_fastopen_cookie *foc); const u8 *tcp_parse_md5sig_option(const struct tcphdr *th); +/* + * BPF SKB-less helpers + */ +u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph, + struct tcphdr *tch, u32 *cookie); +u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph, + struct tcphdr *tch, u32 *cookie); +u16 tcp_get_syncookie(struct request_sock_ops *rsk_ops, + const struct tcp_request_sock_ops *af_ops, + struct sock *sk, void *iph, struct tcphdr *tch, + u32 *cookie); /* * TCP v4 functions exported for the inet6 API */ diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 8892df6de1d4..1406d7e0953c 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c 
@@ -3782,6 +3782,52 @@ static void smc_parse_options(const struct tcphdr *th, #endif } +/* Try to parse the MSS option from the TCP header. Return 0 on failure, clamped + * value on success. + * + * Invoked for BPF SYN cookie generation, so th should be a SYN. + */ +static u16 tcp_parse_mss_option(const struct net *net, const struct tcphdr *th, + u16 user_mss) +{ + const unsigned char *ptr = (const unsigned char *)(th + 1); + int length = (th->doff * 4) - sizeof(struct tcphdr); + u16 mss = 0; + + while (length > 0) { + int opcode = *ptr++; + int opsize; + + switch (opcode) { + case TCPOPT_EOL: + return mss; + case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ + length--; + continue; + default: + if (length < 2) + return mss; + opsize = *ptr++; + if (opsize < 2) /* "silly options" */ + return mss; + if (opsize > length) + return mss; /* fail on partial options */ + if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS) { + u16 in_mss = get_unaligned_be16(ptr); + + if (in_mss) { + if (user_mss && user_mss < in_mss) + in_mss = user_mss; + mss = in_mss; + } + } + ptr += opsize - 2; + length -= opsize; + } + } + return mss; +} + /* Look for tcp options. Normally only called on SYN and SYNACK packets. * But, this can also be called on packets in the established flow when * the fast version below fails. 
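Review bot: `net` is an unused parameter of tcp_parse_mss_option(); either drop it or use it (the caller passes sock_net(sk) for nothing). The comment above the function should also state that the caller must guarantee th->doff * 4 readable bytes at th: the loop bound `(th->doff * 4) - sizeof(struct tcphdr)` is taken from the packet's own doff field, which is safe once the header has been pulled into an skb, but not for a raw pointer handed in by a BPF helper that has only validated sizeof(struct tcphdr).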
@@ -6464,6 +6510,39 @@ static void tcp_reqsk_record_syn(const struct sock *sk, } } +u16 tcp_get_syncookie(struct request_sock_ops *rsk_ops, + const struct tcp_request_sock_ops *af_ops, + struct sock *sk, void *iph, struct tcphdr *th, + u32 *cookie) +{ + u16 mss = 0; +#ifdef CONFIG_SYN_COOKIES + bool is_v4 = rsk_ops->family == AF_INET; + struct tcp_sock *tp = tcp_sk(sk); + + if (sock_net(sk)->ipv4.sysctl_tcp_syncookies != 2 && + !inet_csk_reqsk_queue_is_full(sk)) + return 0; + + if (!tcp_syn_flood_action(sk, rsk_ops->slab_name)) + return 0; + + if (sk_acceptq_is_full(sk)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); + return 0; + } + + mss = tcp_parse_mss_option(sock_net(sk), th, tp->rx_opt.user_mss); + if (!mss) + mss = af_ops->mss_clamp; + + tcp_synq_overflow(sk); + *cookie = is_v4 ? __cookie_v4_init_sequence(iph, th, &mss) + : __cookie_v6_init_sequence(iph, th, &mss); +#endif + return mss; +} + int tcp_conn_request(struct request_sock_ops *rsk_ops, const struct tcp_request_sock_ops *af_ops, struct sock *sk, struct sk_buff *skb) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index d57641cb3477..0e06e59784bd 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1515,6 +1515,14 @@ static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb) return sk; } +u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph, + struct tcphdr *tch, u32 *cookie) +{ + return tcp_get_syncookie(&tcp_request_sock_ops, + &tcp_request_sock_ipv4_ops, sk, iph, tch, + cookie); +} + /* The socket must have it's spinlock held when we get * here, unless it is a TCP_LISTEN socket. * diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index d56a9019a0fe..ce46cdba54bc 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
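Review bot: cookies issued through tcp_get_syncookie() are not counted. tcp_conn_request() reaches the cookie generators through cookie_init_sequence(), which bumps LINUX_MIB_SYNCOOKIESSENT as well as calling tcp_synq_overflow(); this path calls tcp_synq_overflow(sk) only, so cookies generated from BPF are invisible in exactly the SNMP counters the "Possible SYN flooding" message tells the operator to check. Add the NET_INC_STATS() next to tcp_synq_overflow(sk). Minor: the parameter is `th` here but `tch` in the include/net/tcp.h prototype and in the tcp_v4/v6 wrappers; pick one name. And when CONFIG_SYN_COOKIES is off *cookie is never written and 0 is returned, which is only safe because the BPF caller treats mss == 0 as failure; a comment on the return value would make that contract explicit.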
@@ -1058,6 +1058,14 @@ static struct sock *tcp_v6_cookie_check(struct sock *sk, struct sk_buff *skb) return sk; } +u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph, + struct tcphdr *tch, u32 *cookie) +{ + return tcp_get_syncookie(&tcp6_request_sock_ops, + &tcp_request_sock_ipv6_ops, sk, iph, tch, + cookie); +} + static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb) { if (skb->protocol == htons(ETH_P_IP))
From patchwork Tue Jul 16 00:26:47 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1132363 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next RFC 3/6] bpf: add bpf_tcp_gen_syncookie helper Date: Mon, 15 Jul 2019 17:26:47 -0700 Message-Id: <20190716002650.154729-4-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog In-Reply-To: <20190716002650.154729-1-ppenkov.kernel@gmail.com> References: <20190716002650.154729-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Petar Penkov This helper function allows BPF programs to try to generate SYN cookies, given a reference to a listener socket. The function works from XDP and with an skb context since bpf_skc_lookup_tcp can lookup a socket in both cases. Signed-off-by: Petar Penkov Suggested-by: Eric Dumazet --- include/uapi/linux/bpf.h | 30 ++++++++++++++++++- net/core/filter.c | 62 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 6f68438aa4ed..abf4a85c76d1 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h 
@@ -2713,6 +2713,33 @@ union bpf_attr { * **-EPERM** if no permission to send the *sig*. * * **-EAGAIN** if bpf program can try again. + * + * s64 bpf_tcp_gen_syncookie(struct bpf_sock *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len) + * Description + * Try to issue a SYN cookie for the packet with corresponding + * IP/TCP headers, *iph* and *th*, on the listening socket in *sk*. + * + * *iph* points to the start of the IPv4 or IPv6 header, while + * *iph_len* contains **sizeof**\ (**struct iphdr**) or + * **sizeof**\ (**struct ip6hdr**). + * + * *th* points to the start of the TCP header, while *th_len* + * contains **sizeof**\ (**struct tcphdr**). + * + * Return + * On success, lower 32 bits hold the generated SYN cookie in + * network order and the higher 32 bits hold the MSS value for that + * cookie. + * + * On failure, the returned value is one of the following: + * + * **-EINVAL** SYN cookie cannot be issued due to error + * + * **-ENOENT** SYN cookie should not be issued (no SYN flood) + * + * **-ENOTSUPP** kernel configuration does not enable SYN cookies + * + * **-EPROTONOSUPPORT** *sk* family is not AF_INET/AF_INET6 */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -2824,7 +2851,8 @@ union bpf_attr { FN(strtoul), \ FN(sk_storage_get), \ FN(sk_storage_delete), \ - FN(send_signal), + FN(send_signal), \ + FN(tcp_gen_syncookie), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call diff --git a/net/core/filter.c b/net/core/filter.c index 47f6386fb17a..109fd1e286f4 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
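Review bot: the Description says *iph_len* holds **sizeof**(**struct ip6hdr**), but the kernel type (and what the implementation checks against) is struct ipv6hdr; fix the name here and in the tools/ copy. The Return paragraph correctly says the low 32 bits are the cookie in network order, which matches the htonl() in the implementation, but it should add that the MSS in the upper 32 bits is in host order, since the program has to place one into the SYN-ACK sequence number and the other into an MSS option.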
@@ -5850,6 +5850,64 @@ static const struct bpf_func_proto bpf_tcp_check_syncookie_proto = { .arg5_type = ARG_CONST_SIZE, }; +BPF_CALL_5(bpf_tcp_gen_syncookie, struct sock *, sk, void *, iph, u32, iph_len, + struct tcphdr *, th, u32, th_len) +{ +#ifdef CONFIG_SYN_COOKIES + u32 cookie; + u16 mss; + + if (unlikely(th_len < sizeof(*th))) + return -EINVAL; + + if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN) + return -EINVAL; + + if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) + return -EINVAL; + + if (!th->syn || th->ack || th->fin || th->rst) + return -EINVAL; + + switch (sk->sk_family) { + case AF_INET: + if (unlikely(iph_len < sizeof(struct iphdr))) + return -EINVAL; + mss = tcp_v4_get_syncookie(sk, iph, th, &cookie); + break; + +#if IS_BUILTIN(CONFIG_IPV6) + case AF_INET6: + if (unlikely(iph_len < sizeof(struct ipv6hdr))) + return -EINVAL; + mss = tcp_v6_get_syncookie(sk, iph, th, &cookie); + break; +#endif /* CONFIG_IPV6 */ + + default: + return -EPROTONOSUPPORT; + } + if (mss <= 0) + return -ENOENT; + + return htonl(cookie) | ((u64)mss << 32); +#else + return -ENOTSUPP; +#endif /* CONFIG_SYN_COOKIES */ +} + +static const struct bpf_func_proto bpf_tcp_gen_syncookie_proto = { + .func = bpf_tcp_gen_syncookie, + .gpl_only = true, /* __cookie_v*_init_sequence() is GPL */ + .pkt_access = true, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_SOCK_COMMON, + .arg2_type = ARG_PTR_TO_MEM, + .arg3_type = ARG_CONST_SIZE, + .arg4_type = ARG_PTR_TO_MEM, + .arg5_type = ARG_CONST_SIZE, +}; + #endif /* CONFIG_INET */ bool bpf_helper_changes_pkt_data(void *func) @@ -6135,6 +6193,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_tcp_check_syncookie_proto; case BPF_FUNC_skb_ecn_set_ce: return &bpf_skb_ecn_set_ce_proto; + case BPF_FUNC_tcp_gen_syncookie: + return &bpf_tcp_gen_syncookie_proto; #endif default: return bpf_base_func_proto(func_id); 
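Review bot: th_len is only checked against sizeof(*th), but tcp_v{4,6}_get_syncookie() goes on to parse TCP options using th->doff, reading `th->doff * 4 - sizeof(struct tcphdr)` bytes past the fixed header. The verifier guarantees only th_len readable bytes at th, and doff comes from the packet, so a SYN with a large doff handed to a program that passed th_len == sizeof(struct tcphdr) makes the kernel read beyond the verified region. Require `th_len == th->doff * 4` (together with the existing `th_len < sizeof(*th)` check) before calling into the TCP code. Minor: mss is a u16, so `mss <= 0` is just `!mss`.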
@@ -6174,6 +6234,8 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_xdp_skc_lookup_tcp_proto; case BPF_FUNC_tcp_check_syncookie: return &bpf_tcp_check_syncookie_proto; + case BPF_FUNC_tcp_gen_syncookie: + return &bpf_tcp_gen_syncookie_proto; #endif default: return bpf_base_func_proto(func_id);
From patchwork Tue Jul 16 00:26:48 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1132367 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next RFC 4/6] bpf: sync bpf.h to tools/ Date: Mon, 15 Jul 2019 17:26:48 -0700 Message-Id: <20190716002650.154729-5-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog In-Reply-To: <20190716002650.154729-1-ppenkov.kernel@gmail.com> References: <20190716002650.154729-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Petar Penkov Sync updated documentation for bpf_redirect_map. Sync the bpf_tcp_gen_syncookie helper function definition with the one in tools/uapi. Signed-off-by: Petar Penkov --- tools/include/uapi/linux/bpf.h | 37 +++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index f506c68b2612..abf4a85c76d1 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -1571,8 +1571,11 @@ union bpf_attr { * but this is only implemented for native XDP (with driver * support) as of this writing). * - * All values for *flags* are reserved for future usage, and must - * be left at zero. + * The lower two bits of *flags* are used as the return code if + * the map lookup fails. This is so that the return value can be + * one of the XDP program return codes up to XDP_TX, as chosen by + * the caller. Any higher bits in the *flags* argument must be + * unset. * * When used to redirect packets to net devices, this helper * provides a high performance increase over **bpf_redirect**\ (). 
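Review bot: this hunk carries a bpf_redirect_map() documentation change that is unrelated to the series; that is normal for a tools/ sync, but say so explicitly, and note that the commit message reads backwards: tools/include/uapi/linux/bpf.h is being updated to match include/uapi/linux/bpf.h, not "with the one in tools/uapi".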
@@ -2710,6 +2713,33 @@ union bpf_attr { * **-EPERM** if no permission to send the *sig*. * * **-EAGAIN** if bpf program can try again. + * + * s64 bpf_tcp_gen_syncookie(struct bpf_sock *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len) + * Description + * Try to issue a SYN cookie for the packet with corresponding + * IP/TCP headers, *iph* and *th*, on the listening socket in *sk*. + * + * *iph* points to the start of the IPv4 or IPv6 header, while + * *iph_len* contains **sizeof**\ (**struct iphdr**) or + * **sizeof**\ (**struct ip6hdr**). + * + * *th* points to the start of the TCP header, while *th_len* + * contains **sizeof**\ (**struct tcphdr**). + * + * Return + * On success, lower 32 bits hold the generated SYN cookie in + * network order and the higher 32 bits hold the MSS value for that + * cookie. + * + * On failure, the returned value is one of the following: + * + * **-EINVAL** SYN cookie cannot be issued due to error + * + * **-ENOENT** SYN cookie should not be issued (no SYN flood) + * + * **-ENOTSUPP** kernel configuration does not enable SYN cookies + * + * **-EPROTONOSUPPORT** *sk* family is not AF_INET/AF_INET6 */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ 
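Review bot: same **struct ip6hdr** typo as in the include/uapi copy (the type is struct ipv6hdr); fix both so the two headers stay identical.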
@@ -2821,7 +2851,8 @@ union bpf_attr { FN(strtoul), \ FN(sk_storage_get), \ FN(sk_storage_delete), \ - FN(send_signal), + FN(send_signal), \ + FN(tcp_gen_syncookie), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call
From patchwork Tue Jul 16 00:26:49 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1132365 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next RFC 5/6] selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers Date: Mon, 15 Jul 2019 17:26:49 -0700 Message-Id: <20190716002650.154729-6-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.510.g264f2c817a-goog In-Reply-To: <20190716002650.154729-1-ppenkov.kernel@gmail.com> References: <20190716002650.154729-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Petar Penkov Expose bpf_tcp_gen_syncookie to selftests. Signed-off-by: Petar Penkov --- tools/testing/selftests/bpf/bpf_helpers.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h index 5a3d92c8bec8..19f01e967402 100644 --- a/tools/testing/selftests/bpf/bpf_helpers.h +++ b/tools/testing/selftests/bpf/bpf_helpers.h 
@@ -228,6 +228,9 @@ static void *(*bpf_sk_storage_get)(void *map, struct bpf_sock *sk, static int (*bpf_sk_storage_delete)(void *map, struct bpf_sock *sk) = (void *)BPF_FUNC_sk_storage_delete; static int (*bpf_send_signal)(unsigned sig) = (void *)BPF_FUNC_send_signal; +static long long (*bpf_tcp_gen_syncookie)(struct bpf_sock *sk, void *ip, + int ip_len, void *tcp, int tcp_len) = + (void *) BPF_FUNC_tcp_gen_syncookie; /* llvm builtin functions that eBPF C program may use to * emit BPF_LD_ABS and BPF_LD_IND instructions
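Review bot: the new prototype gives no hint how the `long long` return value is laid out, yet the only caller (patch 6/6) has to unpack it as `bpf_ntohl((__u32)seq_mss)` for the cookie and `seq_mss >> 32` for the MSS, and treats anything that is not `> 0` as failure. Add a short comment above the declaration stating that layout (cookie in the low 32 bits, MSS in the high 32 bits, non-positive on failure) and, in particular, the byte order of the cookie half, so that future selftests do not have to infer the contract from one existing user. Style nit: the cast is written `(void *) BPF_FUNC_tcp_gen_syncookie` with a space, whereas the neighbouring `(void *)BPF_FUNC_send_signal` and `(void *)BPF_FUNC_sk_storage_delete` have none; drop the space to match the file.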
From: Petar Penkov
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov
Subject: [bpf-next RFC 6/6] selftests/bpf: add test for bpf_tcp_gen_syncookie
Date: Mon, 15 Jul 2019 17:26:50 -0700
Message-Id: <20190716002650.154729-7-ppenkov.kernel@gmail.com>
In-Reply-To: <20190716002650.154729-1-ppenkov.kernel@gmail.com>
References: <20190716002650.154729-1-ppenkov.kernel@gmail.com>

From: Petar Penkov

Modify the existing bpf_tcp_check_syncookie test to also generate a SYN cookie, pass the packet to the kernel, and verify that the two cookies are the same (and both valid).

Since cloned SKBs are skipped during generic XDP, this test does not issue a SYN cookie when run in XDP mode. We therefore only check that a valid SYN cookie was issued at the TC hook.

Additionally, verify that the MSS for that SYN cookie is within the expected range.

Signed-off-by: Petar Penkov
---
 .../bpf/progs/test_tcp_check_syncookie_kern.c | 28 +++++++--
 .../bpf/test_tcp_check_syncookie_user.c       | 61 ++++++++++++++++---
 2 files changed, 76 insertions(+), 13 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c b/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c
index 1ab095bcacd8..229832766f42 100644
--- a/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c
@@ -19,8 +19,8 @@ struct bpf_map_def SEC("maps") results = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(__u32), - .value_size = sizeof(__u64), - .max_entries = 1, + .value_size = sizeof(__u32), + .max_entries = 3, }; static __always_inline void check_syncookie(void *ctx, void *data,
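Review bot: the `results` map now has three slots that the BPF side addresses with the bare literals 0, 1 and 2 (`key`, `key_gen`, `key_mss` in the next hunk), and test_tcp_check_syncookie_user.c repeats the same three literals independently in `run_test()`. If one side is ever reordered the test silently compares the wrong slots and still prints "ok". Define the indices once (an enum in a small header shared by the kern and user files, or at least named defines) and derive `.max_entries` from it, so that the map layout and both users cannot drift apart.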
@@ -33,8 +33,10 @@ static __always_inline void check_syncookie(void *ctx, void *data, struct ipv6hdr *ipv6h; struct tcphdr *tcph; int ret; + __u32 key_mss = 2; + __u32 key_gen = 1; __u32 key = 0; - __u64 value = 1; + __s64 seq_mss; ethh = data; if (ethh + 1 > data_end) @@ -66,6 +68,8 @@ static __always_inline void check_syncookie(void *ctx, void *data, if (sk->state != BPF_TCP_LISTEN) goto release; + seq_mss = bpf_tcp_gen_syncookie(sk, ipv4h, sizeof(*ipv4h), + tcph, sizeof(*tcph)); ret = bpf_tcp_check_syncookie(sk, ipv4h, sizeof(*ipv4h), tcph, sizeof(*tcph)); break; @@ -95,6 +99,9 @@ static __always_inline void check_syncookie(void *ctx, void *data, if (sk->state != BPF_TCP_LISTEN) goto release; + seq_mss = bpf_tcp_gen_syncookie(sk, ipv6h, sizeof(*ipv6h), + tcph, sizeof(*tcph)); + ret = bpf_tcp_check_syncookie(sk, ipv6h, sizeof(*ipv6h), tcph, sizeof(*tcph)); break; @@ -103,8 +110,19 @@ static __always_inline void check_syncookie(void *ctx, void *data, return; } - if (ret == 0) - bpf_map_update_elem(&results, &key, &value, 0); + if (seq_mss > 0) { + __u32 cookie = bpf_ntohl((__u32)seq_mss); + __u32 mss = seq_mss >> 32; + + bpf_map_update_elem(&results, &key_gen, &cookie, 0); + bpf_map_update_elem(&results, &key_mss, &mss, 0); + } + + if (ret == 0) { + __u32 cookie = bpf_ntohl(tcph->ack_seq) - 1; + + bpf_map_update_elem(&results, &key, &cookie, 0); + } release: bpf_sk_release(sk); diff --git a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c index 87829c86c746..f3ff49ceb481 100644 --- a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c +++ b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c @@ -2,6 +2,7 @@ // Copyright (c) 2018 Facebook // Copyright (c) 2019 Cloudflare +#include #include #include #include 
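Review bot: in the `@@ -66,6 +68,8 @@` (IPv4) hunk the new `bpf_tcp_gen_syncookie()` call is glued directly onto the existing `ret = bpf_tcp_check_syncookie(...)` statement, while the IPv6 hunk separates the two with a blank line; make the two branches look the same. Note also that both calls pass `sizeof(*ipv4h)` as the IP header length, which is only right when the SYN carries no IPv4 options. That matches the pre-existing `bpf_tcp_check_syncookie()` call so it is fine for a selftest over a controlled link, but it is worth a comment so the snippet is not copied into a production program as-is.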
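Review bot: in the `@@ -103,8 +110,19 @@` hunk the low half of `seq_mss` is run through `bpf_ntohl()` before being stored, while the high half (`seq_mss >> 32`) is stored as a host-order MSS with no conversion, so the test assumes that the helper packs a network-byte-order cookie next to a host-order length in one 64-bit value. If that is the helper's contract it needs to be spelled out in the helper documentation and in the bpf_helpers.h prototype; if the helper actually returns the cookie in host order (the same order in which `bpf_ntohl(tcph->ack_seq) - 1` is computed a few lines below), the extra `bpf_ntohl()` will make the `value != value_gen` comparison in user space fail on every little-endian host. Please state which byte order the cookie half is in, and on a mismatch have the user-space side print both values so the failure is diagnosable.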
@@ -77,7 +78,7 @@ static int connect_to_server(int server_fd) return fd; } -static int get_map_fd_by_prog_id(int prog_id) +static int get_map_fd_by_prog_id(int prog_id, bool *xdp) { struct bpf_prog_info info = {}; __u32 info_len = sizeof(info); @@ -104,6 +105,8 @@ static int get_map_fd_by_prog_id(int prog_id) goto err; } + *xdp = info.type == BPF_PROG_TYPE_XDP; + map_fd = bpf_map_get_fd_by_id(map_ids[0]); if (map_fd < 0) log_err("Failed to get fd by map id %d", map_ids[0]); @@ -113,18 +116,32 @@ static int get_map_fd_by_prog_id(int prog_id) return map_fd; } -static int run_test(int server_fd, int results_fd) +static int run_test(int server_fd, int results_fd, bool xdp) { int client = -1, srv_client = -1; int ret = 0; __u32 key = 0; - __u64 value = 0; + __u32 key_gen = 1; + __u32 key_mss = 2; + __u32 value = 0; + __u32 value_gen = 0; + __u32 value_mss = 0; if (bpf_map_update_elem(results_fd, &key, &value, 0) < 0) { log_err("Can't clear results"); goto err; } + if (bpf_map_update_elem(results_fd, &key_gen, &value_gen, 0) < 0) { + log_err("Can't clear results"); + goto err; + } + + if (bpf_map_update_elem(results_fd, &key_mss, &value_mss, 0) < 0) { + log_err("Can't clear results"); + goto err; + } + client = connect_to_server(server_fd); if (client == -1) goto err; 
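Review bot: in the `@@ -113,18 +116,32 @@` hunk the three slots are cleared by three copies of the same `bpf_map_update_elem()` block, each reporting the identical "Can't clear results" on failure, so the message cannot tell you which slot failed. A short loop over the three keys (`for (key = 0; key < 3; key++)`, or over the shared index definition if one is introduced) with the key included in the `log_err()` is both shorter and more useful when it fires.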
@@ -140,8 +157,35 @@ static int run_test(int server_fd, int results_fd) goto err; } - if (value != 1) { - log_err("Didn't match syncookie: %llu", value); + if (value == 0) { + log_err("Didn't match syncookie: %u", value); + goto err; + } + + if (bpf_map_lookup_elem(results_fd, &key_gen, &value_gen) < 0) { + log_err("Can't lookup result"); + goto err; + } + + if (xdp && value_gen == 0) { + // SYN packets do not get passed through generic XDP, skip the + // rest of the test. + log_err("Did not find SYN cookie at XDP."); + goto out; + } + + if (bpf_map_lookup_elem(results_fd, &key_mss, &value_mss) < 0) { + log_err("Can't lookup result"); + goto err; + } + + if (value != value_gen) { + log_err("BPF generated cookie does not match kernel one"); + goto err; + } + + if (value_mss < 536 || value_mss > USHRT_MAX) { + log_err("Unexpected MSS retrieved"); goto err; } @@ -163,13 +207,14 @@ int main(int argc, char **argv) int server_v6 = -1; int results = -1; int err = 0; + bool xdp; if (argc < 2) { fprintf(stderr, "Usage: %s prog_id\n", argv[0]); exit(1); } - results = get_map_fd_by_prog_id(atoi(argv[1])); + results = get_map_fd_by_prog_id(atoi(argv[1]), &xdp); if (results < 0) { log_err("Can't get map"); goto err; @@ -194,10 +239,10 @@ int main(int argc, char **argv) if (server_v6 == -1) goto err; - if (run_test(server, results)) + if (run_test(server, results, xdp)) goto err; - if (run_test(server_v6, results)) + if (run_test(server_v6, results, xdp)) goto err; printf("ok\n");
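Review bot: the `@@ -140,8 +157,35 @@` hunk uses 0 as the "program never wrote here" sentinel for both `value` and `value_gen`, but both slots now hold raw 32-bit cookies, so a legitimately zero cookie is indistinguishable from the BPF program not having run and is reported as "Didn't match syncookie". The code being removed stored a `1` flag for exactly this reason; keep a separate flag slot (or have the BPF program store a fixed marker) instead of overloading the cookie value. Related: in XDP mode the `xdp && value_gen == 0` branch jumps to `out` and the test reports success although nothing about `bpf_tcp_gen_syncookie` was exercised, and it does so right after a `log_err()` that reads like a failure. Print an explicit skip message on stdout instead of `log_err()`, and since generic XDP not seeing the SYN is the stated reason for the skip, consider asserting `value_gen == 0` in that mode so an unexpected cookie at the XDP hook is noticed rather than silently accepted. Finally, `value_mss < 536 || value_mss > USHRT_MAX` accepts almost any `__u32` value; if the MSS the helper reports is drawn from a small fixed set, compare against that set, or at least check it against the MTU of the interface the test actually runs over.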