From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
    edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
    Petar Penkov <ppenkov@google.com>
Subject: [bpf-next RFC 0/6] Introduce a BPF helper to generate SYN cookies
Date: Mon, 15 Jul 2019 17:26:44 -0700
Message-ID: <20190716002650.154729-1-ppenkov.kernel@gmail.com>

From: Petar Penkov <ppenkov@google.com>

This patch series introduces a BPF helper function that allows generating SYN
cookies from BPF.

The first two patches in the series modify several TCP helper functions to
allow for SKB-less operation, as is the case with XDP.

The third patch introduces the bpf_tcp_gen_syncookie helper function which
generates a SYN cookie for either XDP or TC programs.

The last three patches sync tools/ and add a test.

The primary design consideration I see in the patch series is the return value
of the helper function. Currently bpf_tcp_gen_syncookie returns a 64-bit value
that contains both the 32-bit syncookie, and the 16-bit mss value which is
encoded in the cookie. On error, it would return a negative value instead. I
chose this over writing the cookie into the provided TCP packet to avoid writing
packet data as currently if a helper changes the packet data, the first argument
has to point to the context (can this be relaxed?).

To make the API cleaner we can instead return something like the struct below
though the return type would then not really be RET_INTEGER or any of the
currently existing return types.

struct bpf_syncookie {
	u16 error;	// or u8 error, u8 unused for future use
	u16 mss;
	u32 syncookie;
};

Petar Penkov (6):
  tcp: tcp_syn_flood_action read port from socket
  tcp: add skb-less helpers to retrieve SYN cookie
  bpf: add bpf_tcp_gen_syncookie helper
  bpf: sync bpf.h to tools/
  selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers
  selftests/bpf: add test for bpf_tcp_gen_syncookie

 include/net/tcp.h                             | 11 +++
 include/uapi/linux/bpf.h                      | 30 ++++++-
 net/core/filter.c                             | 62 +++++++++++++
 net/ipv4/tcp_input.c                          | 87 +++++++++++++++++--
 net/ipv4/tcp_ipv4.c                           |  8 ++
 net/ipv6/tcp_ipv6.c                           |  8 ++
 tools/include/uapi/linux/bpf.h                | 37 +++++++-
 tools/testing/selftests/bpf/bpf_helpers.h     |  3 +
 .../bpf/progs/test_tcp_check_syncookie_kern.c | 28 ++++--
 .../bpf/test_tcp_check_syncookie_user.c       | 61 +++++++++++--
 10 files changed, 313 insertions(+), 22 deletions(-)

--
2.22.0.510.g264f2c817a-goog
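
Added example, not part of the original message or the patch series: a plain C model of the 64-bit return convention the cover letter describes, showing how a caller separates an error from a cookie/MSS pair and why the value must not be narrowed to 32 bits before the sign check. The bit layout (cookie in bits 0-31, MSS in bits 32-47, top 16 bits zero) is an assumption, since the cover letter does not state it, and pack_syncookie, unpack_syncookie, truncated_looks_like_error and struct syncookie_result are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not stated in the cover letter): cookie in bits 0-31,
 * MSS in bits 32-47, bits 48-63 zero. With the top bits clear, a
 * successful value is never negative as a signed 64-bit integer, so the
 * sign alone separates success from a negative errno. */
struct syncookie_result {	/* hypothetical caller-side view */
	int err;		/* 0 on success, negative errno otherwise */
	uint16_t mss;
	uint32_t cookie;
};

/* Helper side: fold the cookie and MSS into one integer return value. */
static int64_t pack_syncookie(uint32_t cookie, uint16_t mss)
{
	return (int64_t)((uint64_t)cookie | ((uint64_t)mss << 32));
}

/* Caller side: check the sign on the full 64 bits, then split the fields. */
static struct syncookie_result unpack_syncookie(int64_t ret)
{
	struct syncookie_result r = {0};

	if (ret < 0) {
		r.err = (int)ret;
		return r;
	}
	r.cookie = (uint32_t)ret;		/* low 32 bits */
	r.mss = (uint16_t)(ret >> 32);		/* next 16 bits */
	return r;
}

/* Pitfall: a 32-bit variable drops the MSS, and any cookie with bit 31
 * set is then misread as an error (gcc/clang wrap on this conversion). */
static int truncated_looks_like_error(int64_t ret)
{
	int32_t narrowed = (int32_t)ret;

	return narrowed < 0;
}

int main(void)
{
	/* Constructed sample values, not taken from a real connection. */
	struct syncookie_result r = unpack_syncookie(pack_syncookie(0xdeadbeefu, 1460));

	printf("err=%d mss=%u cookie=0x%08x\n", r.err, (unsigned)r.mss, (unsigned)r.cookie);
	return 0;
}
```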