[PATCH net-next 03/10] tcp: add drop reason support to tcp_validate_incoming()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Eric Dumazet <eric.dumazet@gmail.com>
To: "David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>
Cc: netdev <netdev@vger.kernel.org>,
	Eric Dumazet <edumazet@google.com>,
	Eric Dumazet <eric.dumazet@gmail.com>
Subject: [PATCH net-next 03/10] tcp: add drop reason support to tcp_validate_incoming()
Date: Fri, 15 Apr 2022 17:10:41 -0700	[thread overview]
Message-ID: <20220416001048.2218911-4-eric.dumazet@gmail.com> (raw)
In-Reply-To: <20220416001048.2218911-1-eric.dumazet@gmail.com>

From: Eric Dumazet <edumazet@google.com>

Creates four new drop reasons for the following cases:

1) packet being rejected by RFC 7323 PAWS check
2) packet being rejected by SEQUENCE check
3) Invalid RST packet
4) Invalid SYN packet

Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 include/linux/skbuff.h     | 6 ++++++
 include/trace/events/skb.h | 5 +++++
 net/ipv4/tcp_input.c       | 7 ++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 0ef11df1bc67f26a454a809396bd93299ce787ad..a903da1fa0ed897ba65a3edf6d74d7e5dc575b2e 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -381,6 +381,12 @@ enum skb_drop_reason {
 					 * the ofo queue, corresponding to
 					 * LINUX_MIB_TCPOFOMERGE
 					 */
+	SKB_DROP_REASON_TCP_RFC7323_PAWS, /* PAWS check, corresponding to
+					   * LINUX_MIB_PAWSESTABREJECTED
+					   */
+	SKB_DROP_REASON_TCP_INVALID_SEQUENCE, /* Not acceptable SEQ field */
+	SKB_DROP_REASON_TCP_RESET,	/* Invalid RST packet */
+	SKB_DROP_REASON_TCP_INVALID_SYN, /* Incoming packet has unexpected SYN flag */
 	SKB_DROP_REASON_IP_OUTNOROUTES,	/* route lookup failed */
 	SKB_DROP_REASON_BPF_CGROUP_EGRESS,	/* dropped by
 						 * BPF_PROG_TYPE_CGROUP_SKB
diff --git a/include/trace/events/skb.h b/include/trace/events/skb.h
index 2da72a9a576462bee9f3415141dfffd2eec8c258..820dacd14bad9ecb2b8ff6206cb33b392c0c442c 100644
--- a/include/trace/events/skb.h
+++ b/include/trace/events/skb.h
@@ -37,6 +37,11 @@
 	EM(SKB_DROP_REASON_TCP_OLD_DATA, TCP_OLD_DATA)		\
 	EM(SKB_DROP_REASON_TCP_OVERWINDOW, TCP_OVERWINDOW)	\
 	EM(SKB_DROP_REASON_TCP_OFOMERGE, TCP_OFOMERGE)		\
+	EM(SKB_DROP_REASON_TCP_RFC7323_PAWS, TCP_RFC7323_PAWS)	\
+	EM(SKB_DROP_REASON_TCP_INVALID_SEQUENCE,		\
+	   TCP_INVALID_SEQUENCE)				\
+	EM(SKB_DROP_REASON_TCP_RESET, TCP_RESET)		\
+	EM(SKB_DROP_REASON_TCP_INVALID_SYN, TCP_INVALID_SYN)	\
 	EM(SKB_DROP_REASON_IP_OUTNOROUTES, IP_OUTNOROUTES)	\
 	EM(SKB_DROP_REASON_BPF_CGROUP_EGRESS,			\
 	   BPF_CGROUP_EGRESS)					\
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index b2d5fbef6ce3baa9426b3c9750002317a8915596..9a1cb3f48c3fb26beac4283001d38828ca15a4d9 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5667,6 +5667,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 				  const struct tcphdr *th, int syn_inerr)
 {
 	struct tcp_sock *tp = tcp_sk(sk);
+	SKB_DR(reason);
 
 	/* RFC1323: H1. Apply PAWS check first. */
 	if (tcp_fast_parse_options(sock_net(sk), skb, th, tp) &&
@@ -5678,6 +5679,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 						  LINUX_MIB_TCPACKSKIPPEDPAWS,
 						  &tp->last_oow_ack_time))
 				tcp_send_dupack(sk, skb);
+			SKB_DR_SET(reason, TCP_RFC7323_PAWS);
 			goto discard;
 		}
 		/* Reset is accepted even if it did not pass PAWS. */
@@ -5701,6 +5703,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 		} else if (tcp_reset_check(sk, skb)) {
 			goto reset;
 		}
+		SKB_DR_SET(reason, TCP_INVALID_SEQUENCE);
 		goto discard;
 	}
 
@@ -5743,6 +5746,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 		    sk->sk_state == TCP_ESTABLISHED)
 			tcp_fastopen_active_disable(sk);
 		tcp_send_challenge_ack(sk);
+		SKB_DR_SET(reason, TCP_RESET);
 		goto discard;
 	}
 
@@ -5757,6 +5761,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 			TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS);
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNCHALLENGE);
 		tcp_send_challenge_ack(sk);
+		SKB_DR_SET(reason, TCP_INVALID_SYN);
 		goto discard;
 	}
 
@@ -5765,7 +5770,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb,
 	return true;
 
 discard:
-	tcp_drop(sk, skb);
+	tcp_drop_reason(sk, skb, reason);
 	return false;
 
 reset:
-- 
2.36.0.rc0.470.gd361397f0d-goog

next prev parent reply	other threads:[~2022-04-16  0:11 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-04-16  0:10 [PATCH net-next 00/10] tcp: drop reason additions Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 01/10] tcp: consume incoming skb leading to a reset Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 02/10] tcp: get rid of rst_seq_match Eric Dumazet
2022-04-16  0:10 ` Eric Dumazet [this message]
2022-04-16  0:10 ` [PATCH net-next 04/10] tcp: make tcp_rcv_state_process() drop monitor friendly Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 05/10] tcp: add drop reasons to tcp_rcv_state_process() Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 06/10] tcp: add two drop reasons for tcp_ack() Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 07/10] tcp: add drop reason support to tcp_prune_ofo_queue() Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 08/10] tcp: make tcp_rcv_synsent_state_process() drop monitor friend Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 09/10] tcp: add drop reasons to tcp_rcv_synsent_state_process() Eric Dumazet
2022-04-16  0:10 ` [PATCH net-next 10/10] tcp: add drop reason support to tcp_ofo_queue() Eric Dumazet
2022-04-17 12:40 ` [PATCH net-next 00/10] tcp: drop reason additions patchwork-bot+netdevbpf

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:0ef11df1bc67f26a454a809396bd93299ce787a
dfblob:a903da1fa0ed897ba65a3edf6d74d7e5dc575b2
dfblob:2da72a9a576462bee9f3415141dfffd2eec8c25
dfblob:820dacd14bad9ecb2b8ff6206cb33b392c0c442
dfblob:b2d5fbef6ce3baa9426b3c9750002317a891559
dfblob:9a1cb3f48c3fb26beac4283001d38828ca15a4d )
 OR (
bs:"[PATCH net-next 03/10] tcp: add drop reason support to tcp_validate_incoming()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220416001048.2218911-4-eric.dumazet@gmail.com \
    --to=eric.dumazet@gmail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.