From: Jason Xing <kerneljasonxing@gmail.com>
To: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, dsahern@kernel.org
Cc: netdev@vger.kernel.org, kerneljasonxing@gmail.com,
Jason Xing <kernelxing@tencent.com>
Subject: [PATCH net-next 1/2] tcp: add more DROP REASONs in cookie check
Date: Sun, 4 Feb 2024 18:46:00 +0800 [thread overview]
Message-ID: <20240204104601.55760-3-kerneljasonxing@gmail.com> (raw)
In-Reply-To: <20240204104601.55760-1-kerneljasonxing@gmail.com>
From: Jason Xing <kernelxing@tencent.com>
Since the commit 8eba65fa5f06 ("net: tcp: use kfree_skb_reason() for tcp_v{4,6}_do_rcv()")
introduced the drop reason mechanism, this function is always using
NOT_SPECIFIED which is too general and unhelpful to us if we want to track
this part.
Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
include/net/dropreason-core.h | 12 ++++++++++++
include/net/tcp.h | 3 ++-
net/ipv4/syncookies.c | 18 ++++++++++++++----
net/ipv4/tcp_ipv4.c | 7 ++++---
4 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
index 6d3a20163260..85a19b883dee 100644
--- a/include/net/dropreason-core.h
+++ b/include/net/dropreason-core.h
@@ -6,6 +6,7 @@
#define DEFINE_DROP_REASON(FN, FNe) \
FN(NOT_SPECIFIED) \
FN(NO_SOCKET) \
+ FN(NO_REQSK_ALLOC) \
FN(PKT_TOO_SMALL) \
FN(TCP_CSUM) \
FN(SOCKET_FILTER) \
@@ -43,10 +44,12 @@
FN(TCP_FASTOPEN) \
FN(TCP_OLD_ACK) \
FN(TCP_TOO_OLD_ACK) \
+ FN(COOKIE_NOCHILD) \
FN(TCP_ACK_UNSENT_DATA) \
FN(TCP_OFO_QUEUE_PRUNE) \
FN(TCP_OFO_DROP) \
FN(IP_OUTNOROUTES) \
+ FN(IP_ROUTEOUTPUTKEY) \
FN(BPF_CGROUP_EGRESS) \
FN(IPV6DISABLED) \
FN(NEIGH_CREATEFAIL) \
@@ -54,6 +57,7 @@
FN(NEIGH_QUEUEFULL) \
FN(NEIGH_DEAD) \
FN(TC_EGRESS) \
+ FN(SECURITY_HOOK) \
FN(QDISC_DROP) \
FN(CPU_BACKLOG) \
FN(XDP) \
@@ -107,6 +111,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_NOT_SPECIFIED,
/** @SKB_DROP_REASON_NO_SOCKET: socket not found */
SKB_DROP_REASON_NO_SOCKET,
+ /** @SKB_DROP_REASON_NO_REQSK_ALLOC: request socket allocation failed */
+ SKB_DROP_REASON_NO_REQSK_ALLOC,
/** @SKB_DROP_REASON_PKT_TOO_SMALL: packet size is too small */
SKB_DROP_REASON_PKT_TOO_SMALL,
/** @SKB_DROP_REASON_TCP_CSUM: TCP checksum error */
@@ -243,6 +249,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_TCP_OLD_ACK,
/** @SKB_DROP_REASON_TCP_TOO_OLD_ACK: TCP ACK is too old */
SKB_DROP_REASON_TCP_TOO_OLD_ACK,
+ /** @SKB_DROP_REASON_COOKIE_NOCHILD: no child socket in cookie mode */
+ SKB_DROP_REASON_COOKIE_NOCHILD,
/**
* @SKB_DROP_REASON_TCP_ACK_UNSENT_DATA: TCP ACK for data we haven't
* sent yet
@@ -254,6 +262,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_TCP_OFO_DROP,
/** @SKB_DROP_REASON_IP_OUTNOROUTES: route lookup failed */
SKB_DROP_REASON_IP_OUTNOROUTES,
+ /** @SKB_DROP_REASON_IP_ROUTEOUTPUTKEY: route output key failed */
+ SKB_DROP_REASON_IP_ROUTEOUTPUTKEY,
/**
* @SKB_DROP_REASON_BPF_CGROUP_EGRESS: dropped by BPF_PROG_TYPE_CGROUP_SKB
* eBPF program
@@ -271,6 +281,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_NEIGH_DEAD,
/** @SKB_DROP_REASON_TC_EGRESS: dropped in TC egress HOOK */
SKB_DROP_REASON_TC_EGRESS,
+ /** @SKB_DROP_REASON_SECURITY_HOOK: dropped due to security HOOK */
+ SKB_DROP_REASON_SECURITY_HOOK,
/**
* @SKB_DROP_REASON_QDISC_DROP: dropped by qdisc when packet outputting (
* failed to enqueue to current qdisc)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 58e65af74ad1..e3b07d2790c4 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -492,7 +492,8 @@ struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb,
struct request_sock *req,
struct dst_entry *dst);
int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th);
-struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb);
+struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+ enum skb_drop_reason *reason);
struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
struct sock *sk, struct sk_buff *skb,
struct tcp_options_received *tcp_opt,
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index be88bf586ff9..9febad3a3150 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -395,7 +395,8 @@ static struct request_sock *cookie_tcp_check(struct net *net, struct sock *sk,
* Output is listener if incoming packet would not create a child
* NULL if memory could not be allocated.
*/
-struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
+struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+ enum skb_drop_reason *reason)
{
struct ip_options *opt = &TCP_SKB_CB(skb)->header.h4.opt;
const struct tcphdr *th = tcp_hdr(skb);
@@ -420,8 +421,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
if (IS_ERR(req))
goto out;
}
- if (!req)
+ if (!req) {
+ *reason = SKB_DROP_REASON_NO_REQSK_ALLOC;
goto out_drop;
+ }
ireq = inet_rsk(req);
@@ -433,8 +436,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
*/
RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(net, skb));
- if (security_inet_conn_request(sk, skb, req))
+ if (security_inet_conn_request(sk, skb, req)) {
+ *reason = SKB_DROP_REASON_SECURITY_HOOK;
goto out_free;
+ }
tcp_ao_syncookie(sk, skb, req, AF_INET);
@@ -451,8 +456,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
ireq->ir_loc_addr, th->source, th->dest, sk->sk_uid);
security_req_classify_flow(req, flowi4_to_flowi_common(&fl4));
rt = ip_route_output_key(net, &fl4);
- if (IS_ERR(rt))
+ if (IS_ERR(rt)) {
+ *reason = SKB_DROP_REASON_IP_ROUTEOUTPUTKEY;
goto out_free;
+ }
/* Try to redo what tcp_v4_send_synack did. */
req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW);
@@ -477,6 +484,9 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
*/
if (ret)
inet_sk(ret)->cork.fl.u.ip4 = fl4;
+ else
+ *reason = SKB_DROP_REASON_COOKIE_NOCHILD;
+
out:
return ret;
out_free:
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0c50c5a32b84..b63b0efa111d 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1846,13 +1846,14 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
}
EXPORT_SYMBOL(tcp_v4_syn_recv_sock);
-static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb)
+static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb,
+ enum skb_drop_reason *reason)
{
#ifdef CONFIG_SYN_COOKIES
const struct tcphdr *th = tcp_hdr(skb);
if (!th->syn)
- sk = cookie_v4_check(sk, skb);
+ sk = cookie_v4_check(sk, skb, reason);
#endif
return sk;
}
@@ -1912,7 +1913,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
goto csum_err;
if (sk->sk_state == TCP_LISTEN) {
- struct sock *nsk = tcp_v4_cookie_check(sk, skb);
+ struct sock *nsk = tcp_v4_cookie_check(sk, skb, &reason);
if (!nsk)
goto discard;
--
2.37.3
next prev parent reply other threads:[~2024-02-04 10:46 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-04 10:45 [PATCH net-next 0/2] add more drop reasons in tcp receive path Jason Xing
2024-02-04 10:45 ` [PATCH net-next 1/2] tcp: add more DROP REASONs in cookie check Jason Xing
2024-02-04 10:46 ` Jason Xing [this message]
2024-02-04 10:46 ` [PATCH net-next 2/2] tcp: add more DROP REASONS in child process Jason Xing
2024-02-07 2:23 ` [PATCH net-next 0/2] add more drop reasons in tcp receive path Jason Xing
2024-02-07 9:21 ` Eric Dumazet
2024-02-07 13:25 ` Jason Xing
2024-02-07 13:37 ` Eric Dumazet
2024-02-08 0:48 ` Jason Xing
2024-02-07 3:03 ` Jakub Kicinski
2024-02-07 13:17 ` Jason Xing
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240204104601.55760-3-kerneljasonxing@gmail.com \
--to=kerneljasonxing@gmail.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kernelxing@tencent.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).