From: Dmitry Safonov <dima@arista.com>
To: linux-kernel@vger.kernel.org, David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>
Cc: Dmitry Safonov <dima@arista.com>,
Andy Lutomirski <luto@amacapital.net>,
Ard Biesheuvel <ardb@kernel.org>,
Bob Gilligan <gilligan@arista.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
David Laight <David.Laight@aculab.com>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Eric Biggers <ebiggers@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Francesco Ruggeri <fruggeri05@gmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Ivan Delalande <colona@arista.com>,
Leonard Crestez <cdleonard@gmail.com>,
Salam Noureddine <noureddine@arista.com>,
netdev@vger.kernel.org
Subject: [PATCH v4 20/21] net/tcp-ao: Add static_key for TCP-AO
Date: Wed, 15 Feb 2023 18:33:34 +0000 [thread overview]
Message-ID: <20230215183335.800122-21-dima@arista.com> (raw)
In-Reply-To: <20230215183335.800122-1-dima@arista.com>
Similarly to TCP-MD5, add a static key to TCP-AO that is patched out
when there are no keys on a machine and dynamically enabled with the
first setsockopt(TCP_AO) adds a key on any socket. The static key is as
well dynamically disabled later when the socket is destructed.
The lifetime of enabled static key here is the same as ao_info: it is
enabled on allocation, passed over from full socket to twsk and
destructed when ao_info is scheduled for destruction.
Signed-off-by: Dmitry Safonov <dima@arista.com>
---
include/net/tcp_ao.h | 2 ++
net/ipv4/tcp_ao.c | 17 +++++++++++++++++
net/ipv4/tcp_input.c | 42 ++++++++++++++++++++++++++++--------------
3 files changed, 47 insertions(+), 14 deletions(-)
diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h
index 04e3bcee05f7..253cf2719aed 100644
--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -131,6 +131,8 @@ do { \
#ifdef CONFIG_TCP_AO
/* TCP-AO structures and functions */
+#include <linux/jump_label.h>
+extern struct static_key_false_deferred tcp_ao_needed;
struct tcp4_ao_context {
__be32 saddr;
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c
index 2c38e991ecbd..adb25e42f64a 100644
--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -17,6 +17,9 @@
#include <net/ipv6.h>
#include <net/icmp.h>
+DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_ao_needed, HZ);
+EXPORT_SYMBOL(tcp_ao_needed);
+
int tcp_ao_calc_traffic_key(struct tcp_ao_key *mkt, u8 *key, void *ctx,
unsigned int len)
{
@@ -58,6 +61,9 @@ bool tcp_ao_ignore_icmp(struct sock *sk, int type, int code)
struct tcp_ao_info *ao;
bool ignore_icmp = false;
+ if (!static_branch_unlikely(&tcp_ao_needed.key))
+ return false;
+
/* RFC5925, 7.8:
* >> A TCP-AO implementation MUST default to ignore incoming ICMPv4
* messages of Type 3 (destination unreachable), Codes 2-4 (protocol
@@ -196,6 +202,9 @@ struct tcp_ao_key *tcp_ao_do_lookup(const struct sock *sk,
struct tcp_ao_key *key;
struct tcp_ao_info *ao;
+ if (!static_branch_unlikely(&tcp_ao_needed.key))
+ return NULL;
+
ao = rcu_dereference_check(tcp_sk(sk)->ao_info,
lockdep_sock_is_held(sk));
if (!ao)
@@ -283,6 +292,7 @@ void tcp_ao_destroy_sock(struct sock *sk, bool twsk)
}
kfree_rcu(ao, rcu);
+ static_branch_slow_dec_deferred(&tcp_ao_needed);
}
void tcp_ao_time_wait(struct tcp_timewait_sock *tcptw, struct tcp_sock *tp)
@@ -1052,6 +1062,11 @@ int tcp_ao_copy_all_matching(const struct sock *sk, struct sock *newsk,
goto free_and_exit;
}
+ if (!static_key_fast_inc_not_disabled(&tcp_ao_needed.key.key)) {
+ ret = -EUSERS;
+ goto free_and_exit;
+ }
+
key_head = rcu_dereference(hlist_first_rcu(&new_ao->head));
first_key = hlist_entry_safe(key_head, struct tcp_ao_key, node);
@@ -1607,6 +1622,8 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned short int family,
tcp_ao_link_mkt(ao_info, key);
if (first) {
+ if (!static_branch_inc(&tcp_ao_needed.key))
+ goto err_free_sock;
sk_gso_disable(sk);
rcu_assign_pointer(tcp_sk(sk)->ao_info, ao_info);
}
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 9f23cab1e835..dd9ff507bbc9 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3524,17 +3524,14 @@ static inline bool tcp_may_update_window(const struct tcp_sock *tp,
(ack_seq == tp->snd_wl1 && nwin > tp->snd_wnd);
}
-/* If we update tp->snd_una, also update tp->bytes_acked */
-static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
+static void tcp_snd_sne_update(struct tcp_sock *tp, u32 ack)
{
- u32 delta = ack - tp->snd_una;
#ifdef CONFIG_TCP_AO
struct tcp_ao_info *ao;
-#endif
- sock_owned_by_me((struct sock *)tp);
- tp->bytes_acked += delta;
-#ifdef CONFIG_TCP_AO
+ if (!static_branch_unlikely(&tcp_ao_needed.key))
+ return;
+
ao = rcu_dereference_protected(tp->ao_info,
lockdep_sock_is_held((struct sock *)tp));
if (ao) {
@@ -3543,20 +3540,27 @@ static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
ao->snd_sne_seq = ack;
}
#endif
+}
+
+/* If we update tp->snd_una, also update tp->bytes_acked */
+static void tcp_snd_una_update(struct tcp_sock *tp, u32 ack)
+{
+ u32 delta = ack - tp->snd_una;
+
+ sock_owned_by_me((struct sock *)tp);
+ tp->bytes_acked += delta;
+ tcp_snd_sne_update(tp, ack);
tp->snd_una = ack;
}
-/* If we update tp->rcv_nxt, also update tp->bytes_received */
-static void tcp_rcv_nxt_update(struct tcp_sock *tp, u32 seq)
+static void tcp_rcv_sne_update(struct tcp_sock *tp, u32 seq)
{
- u32 delta = seq - tp->rcv_nxt;
#ifdef CONFIG_TCP_AO
struct tcp_ao_info *ao;
-#endif
- sock_owned_by_me((struct sock *)tp);
- tp->bytes_received += delta;
-#ifdef CONFIG_TCP_AO
+ if (!static_branch_unlikely(&tcp_ao_needed.key))
+ return;
+
ao = rcu_dereference_protected(tp->ao_info,
lockdep_sock_is_held((struct sock *)tp));
if (ao) {
@@ -3565,6 +3569,16 @@ static void tcp_rcv_nxt_update(struct tcp_sock *tp, u32 seq)
ao->rcv_sne_seq = seq;
}
#endif
+}
+
+/* If we update tp->rcv_nxt, also update tp->bytes_received */
+static void tcp_rcv_nxt_update(struct tcp_sock *tp, u32 seq)
+{
+ u32 delta = seq - tp->rcv_nxt;
+
+ sock_owned_by_me((struct sock *)tp);
+ tp->bytes_received += delta;
+ tcp_rcv_sne_update(tp, seq);
WRITE_ONCE(tp->rcv_nxt, seq);
}
--
2.39.1
next prev parent reply other threads:[~2023-02-15 18:36 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-15 18:33 [PATCH v4 00/21] net/tcp: Add TCP-AO support Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 01/21] net/tcp: Prepare tcp_md5sig_pool for TCP-AO Dmitry Safonov
2023-02-20 9:41 ` Herbert Xu
2023-02-20 16:57 ` Dmitry Safonov
2023-02-21 2:43 ` Herbert Xu
2023-02-21 14:52 ` Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 02/21] tcp: Add TCP-AO config and structures Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 03/21] net/tcp: Introduce TCP_AO setsockopt()s Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 04/21] net/tcp: Prevent TCP-MD5 with TCP-AO being set Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 05/21] net/tcp: Calculate TCP-AO traffic keys Dmitry Safonov
2023-02-15 22:50 ` kernel test robot
2023-02-15 18:33 ` [PATCH v4 06/21] net/tcp: Add TCP-AO sign to outgoing packets Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 07/21] net/tcp: Add tcp_parse_auth_options() Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 08/21] net/tcp: Add AO sign to RST packets Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 09/21] net/tcp: Add TCP-AO sign to twsk Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 10/21] net/tcp: Wire TCP-AO to request sockets Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 11/21] net/tcp: Sign SYN-ACK segments with TCP-AO Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 12/21] net/tcp: Verify inbound TCP-AO signed segments Dmitry Safonov
2023-02-16 0:22 ` kernel test robot
2023-02-15 18:33 ` [PATCH v4 13/21] net/tcp: Add TCP-AO segments counters Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 14/21] net/tcp: Add TCP-AO SNE support Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 15/21] net/tcp: Add tcp_hash_fail() ratelimited logs Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 16/21] net/tcp: Ignore specific ICMPs for TCP-AO connections Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 17/21] net/tcp: Add option for TCP-AO to (not) hash header Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 18/21] net/tcp: Add getsockopt(TCP_AO_GET) Dmitry Safonov
2023-02-15 18:33 ` [PATCH v4 19/21] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) Dmitry Safonov
2023-02-15 18:33 ` Dmitry Safonov [this message]
2023-02-15 18:33 ` [PATCH v4 21/21] net/tcp-ao: Wire up l3index to TCP-AO Dmitry Safonov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230215183335.800122-21-dima@arista.com \
--to=dima@arista.com \
--cc=0x7f454c46@gmail.com \
--cc=David.Laight@aculab.com \
--cc=ardb@kernel.org \
--cc=cdleonard@gmail.com \
--cc=colona@arista.com \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri05@gmail.com \
--cc=gilligan@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=pabeni@redhat.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).