[PATCH net V2] net: always reevalulate autoflowlabel setting for reset packet

[PATCH net V2] net: always reevalulate autoflowlabel setting for reset packet

[Shaohua Li]

From: Shaohua Li <shli@fb.com>

ipv6_pinfo.autoflowlabel is set in sock creation. Later if we change
sysctl.ip6.auto_flowlabels, the ipv6_pinfo.autoflowlabel isn't changed,
so the sock will keep the old behavior in terms of auto flowlabel. Reset
packet is suffering from this problem, because reset packset is sent
from a special control socket, which is created at boot time. Since
sysctl.ipv6.auto_flowlabels is 2 by default, the control socket will
always have its ipv6_pinfo.autoflowlabel set, even after user set
sysctl.ipv6.auto_flowlabels to 1, so reset packset will always have
flowlabel.

To fix this, we always reevaluate autoflowlabel setting for reset
packet. Normal sock has the same issue too, but since the
sysctl.ipv6.auto_flowlabels is usually set at host startup, this isn't a
big issue for normal sock.

Cc: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Shaohua Li <shli@fb.com>
---
 net/ipv6/tcp_ipv6.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 7178476..5fba548 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -787,9 +787,11 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
 	struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
 	struct sock *ctl_sk = net->ipv6.tcp_sk;
 	unsigned int tot_len = sizeof(struct tcphdr);
+	struct ipv6_pinfo *np = inet6_sk(ctl_sk);
 	struct dst_entry *dst;
 	__be32 *topt;
 
+	np->autoflowlabel = ip6_default_np_autolabel(net);
 	if (tsecr)
 		tot_len += TCPOLEN_TSTAMP_ALIGNED;
 #ifdef CONFIG_TCP_MD5SIG
-- 
2.9.5

Re: [PATCH net V2] net: always reevalulate autoflowlabel setting for reset packet

[Eric Dumazet]

On Tue, 2017-12-19 at 12:58 -0800, Shaohua Li wrote:
> From: Shaohua Li <shli@fb.com>
> 
> ipv6_pinfo.autoflowlabel is set in sock creation. Later if we change
> sysctl.ip6.auto_flowlabels, the ipv6_pinfo.autoflowlabel isn't changed,
> so the sock will keep the old behavior in terms of auto flowlabel. Reset
> packet is suffering from this problem, because reset packset is sent
> from a special control socket, which is created at boot time. Since
> sysctl.ipv6.auto_flowlabels is 2 by default, the control socket will
> always have its ipv6_pinfo.autoflowlabel set, even after user set
> sysctl.ipv6.auto_flowlabels to 1, so reset packset will always have
> flowlabel.
> 
> To fix this, we always reevaluate autoflowlabel setting for reset
> packet. Normal sock has the same issue too, but since the
> sysctl.ipv6.auto_flowlabels is usually set at host startup, this isn't a
> big issue for normal sock.
> 
> Cc: Martin KaFai Lau <kafai@fb.com>
> Signed-off-by: Shaohua Li <shli@fb.com>
> ---
>  net/ipv6/tcp_ipv6.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 7178476..5fba548 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -787,9 +787,11 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
>  	struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
>  	struct sock *ctl_sk = net->ipv6.tcp_sk;
>  	unsigned int tot_len = sizeof(struct tcphdr);
> +	struct ipv6_pinfo *np = inet6_sk(ctl_sk);
>  	struct dst_entry *dst;
>  	__be32 *topt;
>  
> +	np->autoflowlabel = ip6_default_np_autolabel(net);


This looks unsafe to set a bitfield on a shared socket (one ctl_sk per
netns)

Compiler could play strange things here.

Re: [PATCH net V2] net: always reevalulate autoflowlabel setting for reset packet

[David Miller]

From: Shaohua Li <shli@kernel.org>
Date: Tue, 19 Dec 2017 12:58:21 -0800

> From: Shaohua Li <shli@fb.com>
> 
> ipv6_pinfo.autoflowlabel is set in sock creation. Later if we change
> sysctl.ip6.auto_flowlabels, the ipv6_pinfo.autoflowlabel isn't changed,
> so the sock will keep the old behavior in terms of auto flowlabel. Reset
> packet is suffering from this problem, because reset packset is sent
> from a special control socket, which is created at boot time. Since
> sysctl.ipv6.auto_flowlabels is 2 by default, the control socket will
> always have its ipv6_pinfo.autoflowlabel set, even after user set
> sysctl.ipv6.auto_flowlabels to 1, so reset packset will always have
> flowlabel.
> 
> To fix this, we always reevaluate autoflowlabel setting for reset
> packet. Normal sock has the same issue too, but since the
> sysctl.ipv6.auto_flowlabels is usually set at host startup, this isn't a
> big issue for normal sock.
> 
> Cc: Martin KaFai Lau <kafai@fb.com>
> Signed-off-by: Shaohua Li <shli@fb.com>

This definitely goes into the category of hack.

Special casing resets is not the answer.

What about normal user sockets openned before the sysctl setting is
modified?

No user is going to be happy about this nice little surprise.

What you're saying is that we should specially treat the kernel
sockets that emit resets, in response to this sysctl setting being
modified.

But that is not what you are doing.  You are treating all sockets
in the system in this way, and only for reset packets.  That's
really terrible.