From: Dmitry Safonov <dima@arista.com>
To: Eric Dumazet <edumazet@google.com>
Cc: David Ahern <dsahern@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
Ard Biesheuvel <ardb@kernel.org>,
Bob Gilligan <gilligan@arista.com>,
Dan Carpenter <error27@gmail.com>,
David Laight <David.Laight@aculab.com>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Donald Cassidy <dcassidy@redhat.com>,
Eric Biggers <ebiggers@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Francesco Ruggeri <fruggeri05@gmail.com>,
"Gaillardetz, Dominik" <dgaillar@ciena.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Ivan Delalande <colona@arista.com>,
Leonard Crestez <cdleonard@gmail.com>,
"Nassiri, Mohammad" <mnassiri@ciena.com>,
Salam Noureddine <noureddine@arista.com>,
Simon Horman <simon.horman@corigine.com>,
"Tetreault, Francois" <ftetreau@ciena.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH v14 net-next 16/23] net/tcp: Ignore specific ICMPs for TCP-AO connections
Date: Wed, 11 Oct 2023 20:16:30 +0100 [thread overview]
Message-ID: <95bbc774-e527-4af4-b7b3-e49631069162@arista.com> (raw)
In-Reply-To: <CANn89i+LwYbzNd=mA8Hk0RTTy6siEUpGtJaRw7DdFQju_+4mjA@mail.gmail.com>
Hi Eric,
thanks once again for taking a look :)
On 10/11/23 18:53, Eric Dumazet wrote:
> On Tue, Oct 10, 2023 at 1:07 AM Dmitry Safonov <dima@arista.com> wrote:
[..]
>> +bool tcp_ao_ignore_icmp(const struct sock *sk, int type, int code)
>> +{
>> + bool ignore_icmp = false;
>> + struct tcp_ao_info *ao;
>> +
>> + /* RFC5925, 7.8:
>> + * >> A TCP-AO implementation MUST default to ignore incoming ICMPv4
>> + * messages of Type 3 (destination unreachable), Codes 2-4 (protocol
>> + * unreachable, port unreachable, and fragmentation needed -- ’hard
>> + * errors’), and ICMPv6 Type 1 (destination unreachable), Code 1
>> + * (administratively prohibited) and Code 4 (port unreachable) intended
>> + * for connections in synchronized states (ESTABLISHED, FIN-WAIT-1, FIN-
>> + * WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT) that match MKTs.
>> + */
>> + if (READ_ONCE(sk->sk_family) == AF_INET) {
>
> You can not use sk->sk_family to make this decision.
>
> It could be AF_INET6 and yet the flow could be IPv4. (dual stack)
>
> Let the caller pass this information ?
>
> tcp_ao_ignore_icmp(sk, AF_INET, type, code);
>
> tcp_ao_ignore_icmp(sk, AF_INET6, type, code);
Yes, I thought about it when added READ_ONCE(), but than probably got
distracted over possible IPV6_ADDRFORM races, rather than on correctness.
Looking at other places:
tcp_ao_prepare_reset() seems to do a proper thing for dual stack, but I
see it reads sk->sk_family twice, which needs to be addressed as well.
tcp_ao_connect_init() seems to do the right thing as well, but that is
hidden in tcp_ao_key_cmp().
Will fix in the next version.
Thanks,
Dmitry
next prev parent reply other threads:[~2023-10-11 19:16 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-09 23:06 [PATCH v14 net-next 00/23] net/tcp: Add TCP-AO support Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 01/23] net/tcp: Prepare tcp_md5sig_pool for TCP-AO Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 02/23] net/tcp: Add TCP-AO config and structures Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 03/23] net/tcp: Introduce TCP_AO setsockopt()s Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 04/23] net/tcp: Prevent TCP-MD5 with TCP-AO being set Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 05/23] net/tcp: Calculate TCP-AO traffic keys Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 06/23] net/tcp: Add TCP-AO sign to outgoing packets Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 07/23] net/tcp: Add tcp_parse_auth_options() Dmitry Safonov
2023-10-09 23:06 ` [PATCH v14 net-next 08/23] net/tcp: Add AO sign to RST packets Dmitry Safonov
2023-10-11 18:04 ` Eric Dumazet
2023-10-11 19:23 ` Dmitry Safonov
2023-10-17 8:37 ` kernel test robot
2023-10-17 23:19 ` Dmitry Safonov
2023-10-18 7:32 ` Oliver Sang
2023-10-18 15:44 ` Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 09/23] net/tcp: Add TCP-AO sign to twsk Dmitry Safonov
2023-10-11 18:10 ` Eric Dumazet
2023-10-11 19:26 ` Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 10/23] net/tcp: Wire TCP-AO to request sockets Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 11/23] net/tcp: Sign SYN-ACK segments with TCP-AO Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 12/23] net/tcp: Verify inbound TCP-AO signed segments Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 13/23] net/tcp: Add TCP-AO segments counters Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 14/23] net/tcp: Add TCP-AO SNE support Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 15/23] net/tcp: Add tcp_hash_fail() ratelimited logs Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 16/23] net/tcp: Ignore specific ICMPs for TCP-AO connections Dmitry Safonov
2023-10-11 17:53 ` Eric Dumazet
2023-10-11 19:16 ` Dmitry Safonov [this message]
2023-10-09 23:07 ` [PATCH v14 net-next 17/23] net/tcp: Add option for TCP-AO to (not) hash header Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 18/23] net/tcp: Add TCP-AO getsockopt()s Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 19/23] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 20/23] net/tcp: Add static_key for TCP-AO Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 21/23] net/tcp: Wire up l3index to TCP-AO Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 22/23] net/tcp: Add TCP_AO_REPAIR Dmitry Safonov
2023-10-09 23:07 ` [PATCH v14 net-next 23/23] Documentation/tcp: Add TCP-AO documentation Dmitry Safonov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=95bbc774-e527-4af4-b7b3-e49631069162@arista.com \
--to=dima@arista.com \
--cc=0x7f454c46@gmail.com \
--cc=David.Laight@aculab.com \
--cc=ardb@kernel.org \
--cc=cdleonard@gmail.com \
--cc=colona@arista.com \
--cc=davem@davemloft.net \
--cc=dcassidy@redhat.com \
--cc=dgaillar@ciena.com \
--cc=dsahern@kernel.org \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=error27@gmail.com \
--cc=fruggeri05@gmail.com \
--cc=ftetreau@ciena.com \
--cc=gilligan@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mnassiri@ciena.com \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=pabeni@redhat.com \
--cc=simon.horman@corigine.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.