From: Paolo Abeni <pabeni@redhat.com>
To: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Florian Westphal <fw@strlen.de>,
Eric Dumazet <edumazet@google.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>
Subject: Re: [PATCH net-next 2/5] net: allow early demux to fetch noref socket
Date: Thu, 21 Sep 2017 11:13:11 +0200
Message-ID: <1505985191.2560.38.camel@redhat.com>
In-Reply-To: <db75c6a6872040712a9ab97b0bac04b697c42a4c.1505926196.git.pabeni@redhat.com>
On Wed, 2017-09-20 at 18:54 +0200, Paolo Abeni wrote:
> We must be careful to avoid leaking such sockets outside
> the RCU section containing the early demux call; we clear
> them on nonlocal delivery.
>
> For ipv4 we must take care of local mcast delivery, too,
> since udp early demux works also for mcast addresses.
>
> Also update all iptables/nftables extensions that can
> happen in the input chain and can transmit the skb outside
> such patch, namely TEE, nft_dup and nfqueue.
>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> net/ipv4/ip_input.c | 12 ++++++++++++
> net/ipv4/ipmr.c | 18 ++++++++++++++----
> net/ipv4/netfilter/nf_dup_ipv4.c | 3 +++
> net/ipv6/ip6_input.c | 7 ++++++-
> net/ipv6/netfilter/nf_dup_ipv6.c | 3 +++
> net/netfilter/nf_queue.c | 3 +++
> 6 files changed, 41 insertions(+), 5 deletions(-)
>
> diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
> index fa2dc8f692c6..e71abc8b698c 100644
> --- a/net/ipv4/ip_input.c
> +++ b/net/ipv4/ip_input.c
> @@ -349,6 +349,18 @@ static int ip_rcv_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
> __NET_INC_STATS(net, LINUX_MIB_IPRPFILTER);
> goto drop;
> }
> +
> + /* Since the sk has no reference to the socket, we must
> + * clear it before escaping this RCU section.
> + * The sk is just an hint and we know we are not going to use
> + * it outside the input path.
> + */
> + if (skb_dst(skb)->input != ip_local_deliver
> +#ifdef CONFIG_IP_MROUTE
> + && skb_dst(skb)->input != ip_mr_input
> +#endif
> + )
> + skb_clear_noref_sk(skb);
> }
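
Review bot: The `#ifdef CONFIG_IP_MROUTE` block sits in the middle of the `if` condition added to ip_rcv_finish(), which makes the test hard to read; moving the comparison of skb_dst(skb)->input against ip_local_deliver and ip_mr_input into a small helper, with the #ifdef confined to that helper, would leave the call site as a single condition followed by skb_clear_noref_sk(skb). The comment above the test would also be more precise as "the skb holds no reference on the socket" rather than "the sk has no reference to the socket", and "an hint" should read "a hint".
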
The above is to allow early demux for multicast sockets even on hosts
acting as a multicast router. This is probably overkill: a host will
probably act as a multicast router or receive a large amount of locally
terminated mcast traffic.

We can instead preserve the sknoref only for ip_local_deliver(),
dropping the early demux optimization in the above scenario, which
should not be very relevant. Will simplify the above chunk and drop the
need for the ipmr.c changes below; overall this patch will become much
simpler.

Paolo
Thread overview: 13+ messages
2017-09-20 16:54 [PATCH net-next 0/5] net: introduce noref sk Paolo Abeni
2017-09-20 16:54 ` [PATCH net-next 1/5] net: add support for noref skb->sk Paolo Abeni
2017-09-20 17:41 ` Eric Dumazet
2017-09-21 9:14 ` Paolo Abeni
2017-09-21 10:35 ` Eric Dumazet
2017-09-20 16:54 ` [PATCH net-next 2/5] net: allow early demux to fetch noref socket Paolo Abeni
2017-09-21 9:13 ` Paolo Abeni [this message]
2017-09-20 16:54 ` [PATCH net-next 3/5] udp: do not touch socket refcount in early demux Paolo Abeni
2017-09-20 16:54 ` [PATCH net-next 4/5] net: add simple socket-like dst cache helpers Paolo Abeni
2017-09-20 16:54 ` [PATCH net-next 5/5] udp: perform full socket lookup in early demux Paolo Abeni
2017-09-21 3:20 ` [PATCH net-next 0/5] net: introduce noref sk David Miller
2017-09-21 9:42 ` Paolo Abeni
2017-09-21 10:37 ` Eric Dumazet