From: Stanislav Fomichev <sdf@google.com>
To: Kuniyuki Iwashima <kuniyu@amazon.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>, David Ahern <dsahern@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Mykola Lysenko <mykolal@fb.com>,
Kuniyuki Iwashima <kuni1840@gmail.com>,
bpf@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH v1 bpf-next 06/11] bpf: tcp: Add SYN Cookie validation SOCK_OPS hook.
Date: Mon, 16 Oct 2023 13:38:25 -0700
Message-ID: <ZS2fQXqhjRlG64kZ@google.com>
In-Reply-To: <20231013220433.70792-7-kuniyu@amazon.com>
On 10/13, Kuniyuki Iwashima wrote:
> This patch adds a new SOCK_OPS hook to validate arbitrary SYN Cookie.
>
> When the kernel receives ACK for SYN Cookie, the hook is invoked with
> bpf_sock_ops.op == BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB if the listener has
> BPF_SOCK_OPS_SYNCOOKIE_CB_FLAG set by bpf_sock_ops_cb_flags_set().
>
> The BPF program can access the following information to validate ISN:
>
> bpf_sock_ops.sk : 4-tuple
> bpf_sock_ops.skb : TCP header
> bpf_sock_ops.args[0] : ISN
>
> The program must decode MSS and set it to bpf_sock_ops.replylong[0].
>
> By default, the kernel validates SYN Cookie before allocating reqsk, but
> the hook is invoked after allocating reqsk to keep the user interface
> consistent with BPF_SOCK_OPS_GEN_SYNCOOKIE_CB.
>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> ---
> include/net/tcp.h | 12 ++++++
> include/uapi/linux/bpf.h | 20 +++++++---
> net/ipv4/syncookies.c | 73 +++++++++++++++++++++++++++-------
> net/ipv6/syncookies.c | 44 +++++++++++++-------
> tools/include/uapi/linux/bpf.h | 20 +++++++---
> 5 files changed, 130 insertions(+), 39 deletions(-)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index 676618c89bb7..90d95acdc34a 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -2158,6 +2158,18 @@ static inline __u32 cookie_init_sequence(const struct tcp_request_sock_ops *ops,
> __NET_INC_STATS(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT);
> return ops->cookie_init_seq(skb, mss);
> }
> +
> +#ifdef CONFIG_CGROUP_BPF
> +int bpf_skops_cookie_check(struct sock *sk, struct request_sock *req,
> + struct sk_buff *skb);
> +#else
> +static inline int bpf_skops_cookie_check(struct sock *sk, struct request_sock *req,
> + struct sk_buff *skb)
> +{
> + return 0;
> +}
> +#endif
> +
> #else
> static inline __u32 cookie_init_sequence(const struct tcp_request_sock_ops *ops,
> const struct sock *sk, struct sk_buff *skb,
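Review bot: the return contract of bpf_skops_cookie_check() is undocumented at the declaration, and the !CONFIG_CGROUP_BPF stub silently returns 0; a short comment saying what 0 and non-zero mean to the caller (is 0 "cookie accepted" or "no program ran, fall back to kernel validation"?) would save every call site from re-deriving it. The prototypes do sit inside the CONFIG_SYN_COOKIES branch (the following #else carries the cookie_init_sequence stub), which matches the IS_ENABLED(CONFIG_CGROUP_BPF) && IS_ENABLED(CONFIG_SYN_COOKIES) guard on the definition in net/ipv4/syncookies.c, so that part is consistent.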
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index d3cc530613c0..e6f1507d7895 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -6738,13 +6738,16 @@ enum {
> * options first before the BPF program does.
> */
> BPF_SOCK_OPS_WRITE_HDR_OPT_CB_FLAG = (1<<6),
> - /* Call bpf when the kernel generates SYN Cookie (ISN) for SYN+ACK.
> + /* Call bpf when the kernel generates SYN Cookie (ISN) for SYN+ACK
> + * and validates ACK for SYN Cookie.
> *
> - * The bpf prog will be called to encode MSS into SYN Cookie with
> - * sock_ops->op == BPF_SOCK_OPS_GEN_SYNCOOKIE_CB.
> + * The bpf prog will be first called to encode MSS into SYN Cookie
> + * with sock_ops->op == BPF_SOCK_OPS_GEN_SYNCOOKIE_CB. Then, the
> + * bpf prog will be called to decode MSS from SYN Cookie with
> + * sock_ops->op == BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB.
> *
> - * Please refer to the comment in BPF_SOCK_OPS_GEN_SYNCOOKIE_CB for
> - * input and output.
> + * Please refer to the comment in BPF_SOCK_OPS_GEN_SYNCOOKIE_CB and
> + * BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB for input and output.
> */
> BPF_SOCK_OPS_SYNCOOKIE_CB_FLAG = (1<<7),
> /* Mask of all currently supported cb flags */
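Review bot: since BPF_SOCK_OPS_SYNCOOKIE_CB_FLAG now arms both callbacks, a program that sets it but only implements BPF_SOCK_OPS_GEN_SYNCOOKIE_CB will leave replylong[0] at 0 on every BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB, and the zero check in the net/ipv4/syncookies.c hunk then rejects every cookie ACK for that listener. The comment should state that requirement explicitly, e.g. "A program enabling this flag must handle both ops", rather than only describing the call order.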
> @@ -6868,6 +6871,13 @@ enum {
> *
> * replylong[0]: ISN
> */
> + BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB,/* Validate SYN Cookie and set
> + * MSS.
> + *
> + * args[0]: ISN
> + *
> + * replylong[0]: MSS
> + */
> };
>
> /* List of TCP states. There is a build check in net/ipv4/tcp.c to detect
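Review bot: the BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB comment documents only args[0] and replylong[0]; the commit message also names bpf_sock_ops.sk (4-tuple) and bpf_sock_ops.skb (TCP header) as inputs, and the implementation treats replylong[0] == 0 as "invalid cookie". Both belong in this uapi comment, since it is what program authors will read; the sibling BPF_SOCK_OPS_GEN_SYNCOOKIE_CB entry just above is the format to mirror.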
> diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
> index 514f1a4abdee..b1dd415863ff 100644
> --- a/net/ipv4/syncookies.c
> +++ b/net/ipv4/syncookies.c
> @@ -317,6 +317,37 @@ struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
> }
> EXPORT_SYMBOL_GPL(cookie_tcp_reqsk_alloc);
>
> +#if IS_ENABLED(CONFIG_CGROUP_BPF) && IS_ENABLED(CONFIG_SYN_COOKIES)
> +int bpf_skops_cookie_check(struct sock *sk, struct request_sock *req, struct sk_buff *skb)
> +{
> + struct bpf_sock_ops_kern sock_ops;
> +
> + memset(&sock_ops, 0, offsetof(struct bpf_sock_ops_kern, temp));
> +
> + sock_ops.op = BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB;
> + sock_ops.sk = req_to_sk(req);
> + sock_ops.args[0] = tcp_rsk(req)->snt_isn;
> +
> + bpf_skops_init_skb(&sock_ops, skb, tcp_hdrlen(skb));
> +
> + if (BPF_CGROUP_RUN_PROG_SOCK_OPS_SK(&sock_ops, sk))
> + goto err;
> +
> + if (!sock_ops.replylong[0])
> + goto err;
> +
> + __NET_INC_STATS(sock_net(sk), LINUX_MIB_SYNCOOKIESRECV);
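Review bot: only replylong[0] == 0 is rejected here, so the program can hand back any 32-bit value as the MSS; unless the caller clamps it, consider bounding it to a sane MSS range (at minimum 16 bits) before it reaches the request sock, and documenting that bound in the uapi comment. Separately, the commit message says the hook runs after reqsk allocation to stay consistent with BPF_SOCK_OPS_GEN_SYNCOOKIE_CB; a one-line comment at the call site recording that trade-off (an invalid cookie now costs a reqsk alloc/free per ACK, in exactly the flood scenario cookies exist for) would help future readers.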
I don't see LINUX_MIB_SYNCOOKIESSENT being incremented in the
previous patch, so maybe also don't touch the mib here? The bpf
program can do the counting if needed?
Or, alternatively, add LINUX_MIB_SYNCOOKIESSENT to
the BPF_SOCK_OPS_GEN_SYNCOOKIE_CB path?
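To make the encode/decode contract the two hooks split between them concrete, here is a userspace C model, added to this page and not part of the patch or of the kernel: it does what a program handling BPF_SOCK_OPS_GEN_SYNCOOKIE_CB and BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB would do, folding an MSS table index and a coarse timestamp into the ISN under a keyed hash on the GEN side, and on the CHECK side recovering the MSS or returning 0, which is the value the hunk treats as "reject" via `if (!sock_ops.replylong[0]) goto err;`. The cookie layout follows the classic Linux scheme (hash1 over the tuple, count in the top 8 bits, hash2 plus data in the low 24); the 4-tuple, the secrets, the MSS table and the `mix32`/`toy_hash` keyed mixer are all constructed for the demo, and the mixer is not a real MAC. In the actual hook the tuple would come from bpf_sock_ops.sk and the ISN from bpf_sock_ops.args[0].

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 4-tuple standing in for bpf_sock_ops.sk (demo only). */
struct tuple4 {
	uint32_t saddr, daddr;
	uint16_t sport, dport;
};

/* Toy MSS table: the cookie carries an index, never the MSS itself.
 * Values are constructed; the kernel's own msstab differs. */
static const uint16_t msstab[] = { 536, 1300, 1440, 1460 };
#define MSSTAB_N ((uint32_t)(sizeof(msstab) / sizeof(msstab[0])))

#define COOKIEBITS	24u
#define COOKIEMASK	((1u << COOKIEBITS) - 1)
#define COUNTMASK	((1u << (32 - COOKIEBITS)) - 1)
#define MAX_COOKIE_AGE	2u	/* accepted age, in "count" ticks */

/* Constructed secrets, one per hash as in the classic scheme. */
static const uint32_t secret1[2] = { 0x6d0a2f11u, 0x9c3e5b77u };
static const uint32_t secret2[2] = { 0x1f8e44d3u, 0xa7c90b25u };

/* Integer mixer (murmur3 finaliser); only here to make the demo run. */
static uint32_t mix32(uint32_t h)
{
	h ^= h >> 16; h *= 0x85ebca6bu;
	h ^= h >> 13; h *= 0xc2b2ae35u;
	h ^= h >> 16;
	return h;
}

/* Toy keyed hash over the 4-tuple and a counter.  NOT a MAC: a real
 * program would use a keyed PRF such as SipHash, as the kernel does. */
static uint32_t toy_hash(const uint32_t key[2], const struct tuple4 *t,
			 uint32_t count)
{
	uint32_t h = mix32(key[0] ^ t->saddr);

	h = mix32(h ^ t->daddr);
	h = mix32(h ^ (((uint32_t)t->sport << 16) | t->dport));
	h = mix32(h ^ count);
	return mix32(h ^ key[1]);
}

/* Largest table entry not exceeding the peer's MSS; index 0 if the
 * advertised MSS is below every entry. */
static uint32_t mss_to_index(uint16_t mss)
{
	uint32_t i;

	for (i = MSSTAB_N - 1; i; i--)
		if (mss >= msstab[i])
			break;
	return i;
}

/* GEN side: what a GEN_SYNCOOKIE handler would place in replylong[0].
 * sseq is the client's ISN from the SYN, count a coarse clock. */
uint32_t gen_syncookie(const struct tuple4 *t, uint32_t sseq,
		       uint32_t count, uint16_t mss)
{
	uint32_t data = mss_to_index(mss);

	return sseq + toy_hash(secret1, t, 0) + (count << COOKIEBITS) +
	       ((toy_hash(secret2, t, count) + data) & COOKIEMASK);
}

/* CHECK side: what a CHECK_SYNCOOKIE handler would do with args[0], the
 * ISN echoed back in the ACK.  Returns the decoded MSS, or 0 for a stale
 * or forged cookie, which the hook turns into a reject. */
uint16_t check_syncookie(const struct tuple4 *t, uint32_t sseq,
			 uint32_t count_now, uint32_t isn)
{
	uint32_t cookie = isn - sseq - toy_hash(secret1, t, 0);
	uint32_t diff = (count_now - (cookie >> COOKIEBITS)) & COUNTMASK;
	uint32_t mssind;

	if (diff >= MAX_COOKIE_AGE)
		return 0;	/* too old, or from the future */

	/* Undo hash2 for the tick the cookie was issued in; a forged
	 * cookie lands on a random index, almost surely out of range. */
	mssind = (cookie - toy_hash(secret2, t, count_now - diff)) & COOKIEMASK;
	if (mssind >= MSSTAB_N)
		return 0;	/* hash mismatch: not one we issued */

	return msstab[mssind];
}

/* Issue a cookie for `mss` at tick 100 on the constructed tuple and
 * validate it `age` ticks later. */
uint16_t roundtrip(uint16_t mss, uint32_t age)
{
	struct tuple4 t = { 0xc0a80001u, 0xc0a80002u, 40000, 443 }; /* constructed */
	uint32_t isn = gen_syncookie(&t, 123456789u, 100, mss);

	return check_syncookie(&t, 123456789u, 100 + age, isn);
}

int main(void)
{
	printf("1460 now=%u +1=%u +2=%u; 9000->%u 100->%u\n",
	       roundtrip(1460, 0), roundtrip(1460, 1), roundtrip(1460, 2),
	       roundtrip(9000, 0), roundtrip(100, 0));
	return 0;
}
```

The two functions map one-to-one onto the two ops: everything the GEN handler needs is in the SYN and the clock, everything the CHECK handler needs is in the ACK's 4-tuple and the echoed ISN, so no per-connection state is kept between them, which is the whole point of a SYN cookie. Note that an out-of-table MSS is clamped to the nearest lower entry rather than rejected, and that the age window, not the hash, is what bounds replay.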