Re: [PATCH net-next v3 3/6] tcp: add dropreasons in tcp_rcv_state_process()

[Kuniyuki Iwashima <kuniyu@amazon.com>]

From: Jason Xing <kerneljasonxing@gmail.com>
Date: Tue, 13 Feb 2024 09:48:04 +0800
> On Mon, Feb 12, 2024 at 11:33 PM Eric Dumazet <edumazet@google.com> wrote:
> >
> > On Mon, Feb 12, 2024 at 10:29 AM Jason Xing <kerneljasonxing@gmail.com> wrote:
> > >
> > > From: Jason Xing <kernelxing@tencent.com>
> >
> >
> > >                         if (!acceptable)
> > > -                               return 1;
> > > +                               /* This reason isn't clear. We can refine it in the future */
> > > +                               return SKB_DROP_REASON_TCP_CONNREQNOTACCEPTABLE;
> >
> > tcp_conn_request() might return 0 when a syncookie has been generated.
> >
> > Technically speaking, the incoming SYN was not dropped :)
> 
> Hi Eric, Kuniyuki
> 
> Sorry, I should have checked tcp_conn_request() carefully last night.
> Today, I checked tcp_conn_request() over and over again.
> 
> I didn't find there is any chance to return a negative/positive value,
> only 0. It means @acceptable is always true and it should never return
> TCP_CONNREQNOTACCEPTABLE for TCP ipv4/6 protocol and never trigger a
> reset in this way.

Ah right, I remember I digged the same thing before and even in the
initial commit, conn_request() always returned 0 and tcp_rcv_state_process()
tested it with if (retval < 0).

I think we can clean up the leftover with some comments above
->conn_request() definition so that we can convert it to void
when we deprecate DCCP in the near future.


> 
> For DCCP, there are chances to return -1 in dccp_v4_conn_request().
> But I don't think we've already added drop reasons in DCCP before.
> 
> If I understand correctly, there is no need to do any refinement or
> even introduce TCP_CONNREQNOTACCEPTABLE new dropreason about the
> .conn_request() for TCP.
> 
> Should I add a NEW kfree_skb_reason() in tcp_conn_request() for those
> labels, like drop_and_release, drop_and_free, drop, and not return a
> drop reason to its caller tcp_rcv_state_process()?

Most interested reasons will be covered by

  - reqsk q : net_info_ratelimited() in tcp_syn_flood_action() or
              net_dbg_ratelimited() in pr_drop_req() or
              __NET_INC_STATS(net, LINUX_MIB_LISTENDROPS) in tcp_listendrop()
  - accept q: NET_INC_STATS(net, LINUX_MIB_LISTENOVERFLOWS) or
              __NET_INC_STATS(net, LINUX_MIB_LISTENDROPS) in tcp_listendrop()

and could be refined by drop reason, but I'm not sure if drop reason
is used under such a pressured situation.

Also, these failures are now treated with consume_skb().

Whichever is fine to me, no strong preference.


> 
> Please correct me if I'm wrong...
> 
> Thanks,
> Jason
> 
> >
> > I think you need to have a patch to change tcp_conn_request() and its
> > friends to return a 'refined' drop_reason
> > to avoid future questions / patches.