[PATCH V2 net-next 1/3] ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET

[PATCH V2 net-next 1/3] ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET

[Florent Fourcot]

With this option, the socket will reply with the flow label value read
on received packets.

The goal is to have a connection with the same flow label in both
direction of the communication.

Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
---
 include/linux/ipv6.h     |  1 +
 include/uapi/linux/in6.h |  1 +
 net/ipv6/ip6_flowlabel.c | 21 +++++++++++++++++++++
 net/ipv6/tcp_ipv6.c      | 10 ++++++++++
 4 files changed, 33 insertions(+)

diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 7e1ded0..1084304 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -191,6 +191,7 @@ struct ipv6_pinfo {
 	/* sockopt flags */
 	__u16			recverr:1,
 	                        sndflow:1,
+				repflow:1,
 				pmtudisc:3,
 				ipv6only:1,
 				srcprefs:3,	/* 001: prefer temporary address
diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h
index f94f1d0..a4359b1 100644
--- a/include/uapi/linux/in6.h
+++ b/include/uapi/linux/in6.h
@@ -85,6 +85,7 @@ struct in6_flowlabel_req {
 
 #define IPV6_FL_F_CREATE	1
 #define IPV6_FL_F_EXCL		2
+#define IPV6_FL_F_REFLECT 	4
 
 #define IPV6_FL_S_NONE		0
 #define IPV6_FL_S_EXCL		1
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index e7fb710..ba23643 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -486,6 +486,11 @@ int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq)
 	struct ipv6_pinfo *np = inet6_sk(sk);
 	struct ipv6_fl_socklist *sfl;
 
+	if (np->repflow) {
+		freq->flr_label = np->flow_label;
+		return 0;
+	}
+
 	rcu_read_lock_bh();
 
 	for_each_sk_fl_rcu(np, sfl) {
@@ -527,6 +532,15 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
 
 	switch (freq.flr_action) {
 	case IPV6_FL_A_PUT:
+		if (freq.flr_flags & IPV6_FL_F_REFLECT) {
+			if (sk->sk_protocol != IPPROTO_TCP)
+				return -ENOPROTOOPT;
+			if (!np->repflow)
+				return -ESRCH;
+			np->flow_label = 0;
+			np->repflow = 0;
+			return 0;
+		}
 		spin_lock_bh(&ip6_sk_fl_lock);
 		for (sflp = &np->ipv6_fl_list;
 		     (sfl = rcu_dereference(*sflp))!=NULL;
@@ -567,6 +581,13 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
 		return -ESRCH;
 
 	case IPV6_FL_A_GET:
+		if (freq.flr_flags & IPV6_FL_F_REFLECT) {
+			if (sk->sk_protocol != IPPROTO_TCP)
+				return -ENOPROTOOPT;
+			np->repflow = 1;
+			return 0;
+		}
+
 		if (freq.flr_label & ~IPV6_FLOWLABEL_MASK)
 			return -EINVAL;
 
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index ffd5fa8..f61bedc 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -483,6 +483,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst,
 				    &ireq->ir_v6_rmt_addr);
 
 		fl6->daddr = ireq->ir_v6_rmt_addr;
+		if (np->repflow)
+			fl6->flowlabel = np->flow_label;
 		skb_set_queue_mapping(skb, queue_mapping);
 		err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
 		err = net_xmit_eval(err);
@@ -1000,6 +1002,8 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 	ireq = inet_rsk(req);
 	ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
 	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+	if (np->repflow)
+		np->flow_label = ip6_flowlabel(ipv6_hdr(skb));
 	if (!want_cookie || tmp_opt.tstamp_ok)
 		TCP_ECN_create_request(req, skb, sock_net(sk));
 
@@ -1138,6 +1142,8 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 		newnp->mcast_oif   = inet6_iif(skb);
 		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
 		newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
+		if (np->repflow)
+			newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
 
 		/*
 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
@@ -1218,6 +1224,8 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
 	newnp->mcast_oif  = inet6_iif(skb);
 	newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
 	newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
+	if (np->repflow)
+		newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
 
 	/* Clone native IPv6 options from listening socket (if any)
 
@@ -1429,6 +1437,8 @@ ipv6_pktoptions:
 			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
 		if (np->rxopt.bits.rxflow || np->rxopt.bits.rxtclass)
 			np->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(opt_skb));
+		if (np->repflow)
+			np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
 		if (ipv6_opt_accepted(sk, opt_skb)) {
 			skb_set_owner_r(opt_skb, sk);
 			opt_skb = xchg(&np->pktoptions, opt_skb);
-- 
1.8.5.2

[PATCH V2 net-next 2/3] ipv6: add a flag to get the flow label used remotly

[Florent Fourcot]

This information is already available via IPV6_FLOWINFO
of IPV6_2292PKTOPTIONS, and them a filtering to get the flow label
information. But it is probably logical and easier for users to add this
here, and to control both sent/received flow label values with the
IPV6_FLOWLABEL_MGR option.

Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
---
 include/net/ipv6.h       | 2 +-
 include/uapi/linux/in6.h | 1 +
 net/ipv6/ip6_flowlabel.c | 7 ++++++-
 net/ipv6/ipv6_sockglue.c | 5 ++++-
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 12079c6..54cb251 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -252,7 +252,7 @@ struct ipv6_txoptions *fl6_merge_options(struct ipv6_txoptions *opt_space,
 					 struct ipv6_txoptions *fopt);
 void fl6_free_socklist(struct sock *sk);
 int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen);
-int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq);
+int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq, int flags);
 int ip6_flowlabel_init(void);
 void ip6_flowlabel_cleanup(void);
 
diff --git a/include/uapi/linux/in6.h b/include/uapi/linux/in6.h
index a4359b1..2428b80 100644
--- a/include/uapi/linux/in6.h
+++ b/include/uapi/linux/in6.h
@@ -86,6 +86,7 @@ struct in6_flowlabel_req {
 #define IPV6_FL_F_CREATE	1
 #define IPV6_FL_F_EXCL		2
 #define IPV6_FL_F_REFLECT 	4
+#define IPV6_FL_F_REMOTE	8
 
 #define IPV6_FL_S_NONE		0
 #define IPV6_FL_S_EXCL		1
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index ba23643..2c0f9dc 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -481,11 +481,16 @@ static inline void fl_link(struct ipv6_pinfo *np, struct ipv6_fl_socklist *sfl,
 	spin_unlock_bh(&ip6_sk_fl_lock);
 }
 
-int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq)
+int ipv6_flowlabel_opt_get(struct sock *sk, struct in6_flowlabel_req *freq, int flags)
 {
 	struct ipv6_pinfo *np = inet6_sk(sk);
 	struct ipv6_fl_socklist *sfl;
 
+	if (flags & IPV6_FL_F_REMOTE) {
+		freq->flr_label = np->rcv_flowinfo & IPV6_FLOWLABEL_MASK;
+		return 0;
+	}
+
 	if (np->repflow) {
 		freq->flr_label = np->flow_label;
 		return 0;
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index af0ecb9..a47653a 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -1220,6 +1220,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
 	case IPV6_FLOWLABEL_MGR:
 	{
 		struct in6_flowlabel_req freq;
+		int flags;
 
 		if (len < sizeof(freq))
 			return -EINVAL;
@@ -1231,9 +1232,11 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
 			return -EINVAL;
 
 		len = sizeof(freq);
+		flags = freq.flr_flags;
+
 		memset(&freq, 0, sizeof(freq));
 
-		val = ipv6_flowlabel_opt_get(sk, &freq);
+		val = ipv6_flowlabel_opt_get(sk, &freq, flags);
 		if (val < 0)
 			return val;
 
-- 
1.8.5.2

[PATCH V2 net-next 3/3] ipv6: add ip6_flowlabel_consistency sysctl

[Florent Fourcot]

With the introduction of IPV6_FL_F_REFLECT, there is no guarantee of
flow label unicity. This patch introduces a new sysctl to protect the old
behaviour, enable by default.

Changelog of the V2:
	* Remove useless hunk in sysctl_binary.c
	* Rebase on net-next

Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
---
 Documentation/networking/ip-sysctl.txt | 8 ++++++++
 include/net/netns/ipv6.h               | 1 +
 net/ipv6/af_inet6.c                    | 1 +
 net/ipv6/ip6_flowlabel.c               | 7 +++++++
 net/ipv6/sysctl_net_ipv6.c             | 8 ++++++++
 5 files changed, 25 insertions(+)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index c97932c..7453640 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1118,6 +1118,14 @@ bindv6only - BOOLEAN
 
 	Default: FALSE (as specified in RFC3493)
 
+ip6_flowlabel_consistency - BOOLEAN
+	Protect the consistency (and unicity) of flow label.
+	You have to disable it to use IPV6_FL_F_REFLECT flag on the
+	flow label manager.
+	TRUE: enabled
+	FALSE: disabled
+	Default: TRUE
+
 anycast_src_echo_reply - BOOLEAN
 	Controls the use of anycast addresses as source addresses for ICMPv6
 	echo reply
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 76fc7d1..3cc291b 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -27,6 +27,7 @@ struct netns_sysctl_ipv6 {
 	int ip6_rt_gc_elasticity;
 	int ip6_rt_mtu_expires;
 	int ip6_rt_min_advmss;
+	int ip6_flowlabel_consistency;
 	int icmpv6_time;
 };
 
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index c921d5d..943c796 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -775,6 +775,7 @@ static int __net_init inet6_net_init(struct net *net)
 
 	net->ipv6.sysctl.bindv6only = 0;
 	net->ipv6.sysctl.icmpv6_time = 1*HZ;
+	net->ipv6.sysctl.ip6_flowlabel_consistency = 1;
 	atomic_set(&net->ipv6.rt_genid, 0);
 
 	err = ipv6_init_mibs(net);
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 2c0f9dc..85f0453 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -587,8 +587,15 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
 
 	case IPV6_FL_A_GET:
 		if (freq.flr_flags & IPV6_FL_F_REFLECT) {
+			struct net *net = sock_net(sk);
+			if (net->ipv6.sysctl.ip6_flowlabel_consistency) {
+				pr_info("Can not set IPV6_FL_F_REFLECT if ip6_flowlabel_consistency sysctl is enable \n");
+				return -EPERM;
+			}
+
 			if (sk->sk_protocol != IPPROTO_TCP)
 				return -ENOPROTOOPT;
+
 			np->repflow = 1;
 			return 0;
 		}
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index 6b6a2c8..8c99cf0 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -31,6 +31,13 @@ static struct ctl_table ipv6_table_template[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dointvec
 	},
+	{
+		.procname	= "ip6_flowlabel_consistency",
+		.data		= &init_net.ipv6.sysctl.ip6_flowlabel_consistency,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec
+	},
 	{ }
 };
 
@@ -59,6 +66,7 @@ static int __net_init ipv6_sysctl_net_init(struct net *net)
 		goto out;
 	ipv6_table[0].data = &net->ipv6.sysctl.bindv6only;
 	ipv6_table[1].data = &net->ipv6.anycast_src_echo_reply;
+	ipv6_table[2].data = &net->ipv6.sysctl.ip6_flowlabel_consistency;
 
 	ipv6_route_table = ipv6_route_sysctl_init(net);
 	if (!ipv6_route_table)
-- 
1.8.5.2

Re: [PATCH V2 net-next 1/3] ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET

[Hannes Frederic Sowa]

On Wed, Jan 15, 2014 at 12:30:01PM +0100, Florent Fourcot wrote:
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index ffd5fa8..f61bedc 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -483,6 +483,8 @@ static int tcp_v6_send_synack(struct sock *sk, struct dst_entry *dst,
>  				    &ireq->ir_v6_rmt_addr);
>  
>  		fl6->daddr = ireq->ir_v6_rmt_addr;
> +		if (np->repflow)
> +			fl6->flowlabel = np->flow_label;
>  		skb_set_queue_mapping(skb, queue_mapping);
>  		err = ip6_xmit(sk, skb, fl6, np->opt, np->tclass);
>  		err = net_xmit_eval(err);
> @@ -1000,6 +1002,8 @@ static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
>  	ireq = inet_rsk(req);
>  	ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
>  	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
> +	if (np->repflow)
> +		np->flow_label = ip6_flowlabel(ipv6_hdr(skb));
>  	if (!want_cookie || tmp_opt.tstamp_ok)
>  		TCP_ECN_create_request(req, skb, sock_net(sk));
>  
> @@ -1138,6 +1142,8 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
>  		newnp->mcast_oif   = inet6_iif(skb);
>  		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
>  		newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
> +		if (np->repflow)
> +			newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));

Just asking:

Was there a specific reason you did not use np->flow_label here and just
mirroring the flowlabel from the first packet of the connection for the
whole connection?

I don't know if it makes a difference, but maybe it was done on purpose?

Otherwise looks good.

>  		/*
>  		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
> @@ -1218,6 +1224,8 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
>  	newnp->mcast_oif  = inet6_iif(skb);
>  	newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
>  	newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
> +	if (np->repflow)
> +		newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
>  
>  	/* Clone native IPv6 options from listening socket (if any)
>  
> @@ -1429,6 +1437,8 @@ ipv6_pktoptions:
>  			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
>  		if (np->rxopt.bits.rxflow || np->rxopt.bits.rxtclass)
>  			np->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(opt_skb));
> +		if (np->repflow)
> +			np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
>  		if (ipv6_opt_accepted(sk, opt_skb)) {
>  			skb_set_owner_r(opt_skb, sk);
>  			opt_skb = xchg(&np->pktoptions, opt_skb);
> -- 
> 1.8.5.2

Re: [PATCH V2 net-next 3/3] ipv6: add ip6_flowlabel_consistency sysctl

[Hannes Frederic Sowa]

On Wed, Jan 15, 2014 at 12:30:03PM +0100, Florent Fourcot wrote:
> With the introduction of IPV6_FL_F_REFLECT, there is no guarantee of
> flow label unicity. This patch introduces a new sysctl to protect the old
> behaviour, enable by default.
> 
> Changelog of the V2:
> 	* Remove useless hunk in sysctl_binary.c
> 	* Rebase on net-next

Seems still to generate conflicts on my branch. :/

The conflicts are simple to clean up, but if you decide to rebase, please
check the patches with ./scripts/checkpatch --strict and eliminate all those
small nitpicks.

> Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
> ---
>  Documentation/networking/ip-sysctl.txt | 8 ++++++++
>  include/net/netns/ipv6.h               | 1 +
>  net/ipv6/af_inet6.c                    | 1 +
>  net/ipv6/ip6_flowlabel.c               | 7 +++++++
>  net/ipv6/sysctl_net_ipv6.c             | 8 ++++++++
>  5 files changed, 25 insertions(+)
> 
> diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
> index c97932c..7453640 100644
> --- a/Documentation/networking/ip-sysctl.txt
> +++ b/Documentation/networking/ip-sysctl.txt
> @@ -1118,6 +1118,14 @@ bindv6only - BOOLEAN
>  
>  	Default: FALSE (as specified in RFC3493)
>  
> +ip6_flowlabel_consistency - BOOLEAN
> +	Protect the consistency (and unicity) of flow label.
> +	You have to disable it to use IPV6_FL_F_REFLECT flag on the
> +	flow label manager.
> +	TRUE: enabled
> +	FALSE: disabled
> +	Default: TRUE
> +
>  anycast_src_echo_reply - BOOLEAN
>  	Controls the use of anycast addresses as source addresses for ICMPv6
>  	echo reply
> diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
> index 76fc7d1..3cc291b 100644
> --- a/include/net/netns/ipv6.h
> +++ b/include/net/netns/ipv6.h
> @@ -27,6 +27,7 @@ struct netns_sysctl_ipv6 {
>  	int ip6_rt_gc_elasticity;
>  	int ip6_rt_mtu_expires;
>  	int ip6_rt_min_advmss;
> +	int ip6_flowlabel_consistency;
>  	int icmpv6_time;
>  };
>  
> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> index c921d5d..943c796 100644
> --- a/net/ipv6/af_inet6.c
> +++ b/net/ipv6/af_inet6.c
> @@ -775,6 +775,7 @@ static int __net_init inet6_net_init(struct net *net)
>  
>  	net->ipv6.sysctl.bindv6only = 0;
>  	net->ipv6.sysctl.icmpv6_time = 1*HZ;
> +	net->ipv6.sysctl.ip6_flowlabel_consistency = 1;
>  	atomic_set(&net->ipv6.rt_genid, 0);
>  
>  	err = ipv6_init_mibs(net);
> diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
> index 2c0f9dc..85f0453 100644
> --- a/net/ipv6/ip6_flowlabel.c
> +++ b/net/ipv6/ip6_flowlabel.c
> @@ -587,8 +587,15 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
>  
>  	case IPV6_FL_A_GET:
>  		if (freq.flr_flags & IPV6_FL_F_REFLECT) {
> +			struct net *net = sock_net(sk);
> +			if (net->ipv6.sysctl.ip6_flowlabel_consistency) {
> +				pr_info("Can not set IPV6_FL_F_REFLECT if ip6_flowlabel_consistency sysctl is enable \n");

Maybe we should do rate-limiting here, so a user cannot spam kmsg.

> +				return -EPERM;
> +			}
> +
>  			if (sk->sk_protocol != IPPROTO_TCP)
>  				return -ENOPROTOOPT;
> +
>  			np->repflow = 1;
>  			return 0;
>  		}
> diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
> index 6b6a2c8..8c99cf0 100644
> --- a/net/ipv6/sysctl_net_ipv6.c
> +++ b/net/ipv6/sysctl_net_ipv6.c
> @@ -31,6 +31,13 @@ static struct ctl_table ipv6_table_template[] = {
>  		.mode		= 0644,
>  		.proc_handler	= proc_dointvec
>  	},
> +	{
> +		.procname	= "ip6_flowlabel_consistency",
> +		.data		= &init_net.ipv6.sysctl.ip6_flowlabel_consistency,
> +		.maxlen		= sizeof(int),
> +		.mode		= 0644,
> +		.proc_handler	= proc_dointvec
> +	},
>  	{ }
>  };
>  
> @@ -59,6 +66,7 @@ static int __net_init ipv6_sysctl_net_init(struct net *net)
>  		goto out;
>  	ipv6_table[0].data = &net->ipv6.sysctl.bindv6only;
>  	ipv6_table[1].data = &net->ipv6.anycast_src_echo_reply;
> +	ipv6_table[2].data = &net->ipv6.sysctl.ip6_flowlabel_consistency;
>  
>  	ipv6_route_table = ipv6_route_sysctl_init(net);
>  	if (!ipv6_route_table)

Re: [PATCH V2 net-next 3/3] ipv6: add ip6_flowlabel_consistency sysctl

[David Miller]

From: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
Date: Wed, 15 Jan 2014 12:30:03 +0100

> +			if (net->ipv6.sysctl.ip6_flowlabel_consistency) {
> +				pr_info("Can not set IPV6_FL_F_REFLECT if ip6_flowlabel_consistency sysctl is enable \n");

As others have mentioned, please ratelimit this.

Re: [PATCH V2 net-next 1/3] ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET

[Hannes Frederic Sowa]

On Wed, Jan 15, 2014 at 11:47:26PM +0100, Hannes Frederic Sowa wrote:
> > @@ -1138,6 +1142,8 @@ static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
> >  		newnp->mcast_oif   = inet6_iif(skb);
> >  		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
> >  		newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
> > +		if (np->repflow)
> > +			newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
> 
> Just asking:
> 
> Was there a specific reason you did not use np->flow_label here and just
> mirroring the flowlabel from the first packet of the connection for the
> whole connection?
> 
> I don't know if it makes a difference, but maybe it was done on purpose?

I thought about it and am actually in favor of reusing the flowid from the syn
packet so userspace does report correct outgoing flowlabel even in case of
strange tcp peer changing it mid-stream.

Thanks,

  Hannes

Re: [PATCH V2 net-next 1/3] ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET

[Florent Fourcot]

>> Was there a specific reason you did not use np->flow_label here and just
>> mirroring the flowlabel from the first packet of the connection for the
>> whole connection?
>>
>> I don't know if it makes a difference, but maybe it was done on purpose?
> 
> I thought about it and am actually in favor of reusing the flowid from the syn
> packet so userspace does report correct outgoing flowlabel even in case of
> strange tcp peer changing it mid-stream.
> 

Actually, the idea was that the remote could changed the flow label
during the lifetime of a connection.
I do not have a strong opinion on that, but in a "reflect" mode, I
except that the last received value will be in used.

Second, in case of SYN cookie, is the SYN flow label stored somewhere?

Thanks,

Florent.

Re: [PATCH V2 net-next 1/3] ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET

[Hannes Frederic Sowa]

On Thu, Jan 16, 2014 at 01:45:18PM +0100, Florent Fourcot wrote:
> 
> >> Was there a specific reason you did not use np->flow_label here and just
> >> mirroring the flowlabel from the first packet of the connection for the
> >> whole connection?
> >>
> >> I don't know if it makes a difference, but maybe it was done on purpose?
> > 
> > I thought about it and am actually in favor of reusing the flowid from the syn
> > packet so userspace does report correct outgoing flowlabel even in case of
> > strange tcp peer changing it mid-stream.
> > 
> 
> Actually, the idea was that the remote could changed the flow label
> during the lifetime of a connection.
> I do not have a strong opinion on that, but in a "reflect" mode, I
> except that the last received value will be in used.

Would it make sense to sync the flowlabel if it changes with the socket, so
user space can query the label really used? Otherwise I wouldn't even report
it.

> Second, in case of SYN cookie, is the SYN flow label stored somewhere?

Should then be synced as soon as the cookie is validated. You can test it by
setting tcp_syncookies to 2. It uses syncookies unconditionally then.

Greetings,

  Hannes

Re: [PATCH V2 net-next 1/3] ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET

[Florent Fourcot]

Le 16/01/2014 14:07, Hannes Frederic Sowa a écrit :
> Would it make sense to sync the flowlabel if it changes with the socket, so
> user space can query the label really used? Otherwise I wouldn't even report
> it.

I see at least one use case. In the same way that openssh sets the
tclass field after the SSH session initialization, a software could set
the label after the beginning of the L7 session (and ignoring QoS
priority for non-interactive packet at the beginning).