[PATCH net-next v4 0/5] introduce drop reasons for cookie check

[PATCH net-next v4 0/5] introduce drop reasons for cookie check

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

When I was debugging the reason about why the skb should be dropped in
syn cookie mode, I found out that this NOT_SPECIFIED reason is too
general. Thus I decided to refine it.

Previously I submitted one patch series which is too large/risky, so I
split that one series into two seires. For another one, I will submit
later.

Summary
1. introduce all the dropreasons we need, [1/5] patch.
2. use new dropreasons in ipv4 cookie check, [2/5],[3/5] patch.
3. use new dropreasons ipv6 cookie check, [4/5],[5/5] patch.

v4:
Link: https://lore.kernel.org/netdev/20240212172302.3f95e454@kernel.org/
1. Fix misspelled name in Kdoc as suggested by Jakub.

v3:
Link: https://lore.kernel.org/all/CANn89iK40SoyJ8fS2U5kp3pDruo=zfQNPL-ppOF+LYaS9z-MVA@mail.gmail.com/
1. Split that patch into some smaller ones as suggested by Eric.

v2:
Link: https://lore.kernel.org/all/20240204104601.55760-1-kerneljasonxing@gmail.com/
1. change the title of 2/2 patch.
2. fix some warnings checkpatch tool showed before.
3. use return value instead of adding more parameters suggested by Eric.


Jason Xing (5):
  tcp: add dropreasons definitions and prepare for cookie check
  tcp: directly drop skb in cookie check for ipv4
  tcp: use drop reasons in cookie check for ipv4
  tcp: directly drop skb in cookie check for ipv6
  tcp: use drop reasons in cookie check for ipv6

 include/net/dropreason-core.h | 21 +++++++++++++++++++++
 net/ipv4/syncookies.c         | 20 ++++++++++++++++----
 net/ipv4/tcp_ipv4.c           |  2 +-
 net/ipv6/syncookies.c         | 18 +++++++++++++++---
 net/ipv6/tcp_ipv6.c           |  7 +++++--
 5 files changed, 58 insertions(+), 10 deletions(-)

-- 
2.37.3

[PATCH net-next v4 1/5] tcp: add dropreasons definitions and prepare for cookie check

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

Only add five drop reasons to detect the condition of skb dropped
in cookie check for later use.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
--
v2
Link: https://lore.kernel.org/netdev/20240212172302.3f95e454@kernel.org/
1. fix misspelled name in kdoc as Jakub said
---
 include/net/dropreason-core.h | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
index 6d3a20163260..065caba42b0b 100644
--- a/include/net/dropreason-core.h
+++ b/include/net/dropreason-core.h
@@ -6,6 +6,7 @@
 #define DEFINE_DROP_REASON(FN, FNe)	\
 	FN(NOT_SPECIFIED)		\
 	FN(NO_SOCKET)			\
+	FN(NO_REQSK_ALLOC)		\
 	FN(PKT_TOO_SMALL)		\
 	FN(TCP_CSUM)			\
 	FN(SOCKET_FILTER)		\
@@ -43,10 +44,12 @@
 	FN(TCP_FASTOPEN)		\
 	FN(TCP_OLD_ACK)			\
 	FN(TCP_TOO_OLD_ACK)		\
+	FN(COOKIE_NOCHILD)		\
 	FN(TCP_ACK_UNSENT_DATA)		\
 	FN(TCP_OFO_QUEUE_PRUNE)		\
 	FN(TCP_OFO_DROP)		\
 	FN(IP_OUTNOROUTES)		\
+	FN(IP_ROUTEOUTPUTKEY)		\
 	FN(BPF_CGROUP_EGRESS)		\
 	FN(IPV6DISABLED)		\
 	FN(NEIGH_CREATEFAIL)		\
@@ -54,6 +57,7 @@
 	FN(NEIGH_QUEUEFULL)		\
 	FN(NEIGH_DEAD)			\
 	FN(TC_EGRESS)			\
+	FN(SECURITY_HOOK)		\
 	FN(QDISC_DROP)			\
 	FN(CPU_BACKLOG)			\
 	FN(XDP)				\
@@ -71,6 +75,7 @@
 	FN(TAP_TXFILTER)		\
 	FN(ICMP_CSUM)			\
 	FN(INVALID_PROTO)		\
+	FN(INVALID_DST)			\
 	FN(IP_INADDRERRORS)		\
 	FN(IP_INNOROUTES)		\
 	FN(PKT_TOO_BIG)			\
@@ -107,6 +112,11 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_NOT_SPECIFIED,
 	/** @SKB_DROP_REASON_NO_SOCKET: socket not found */
 	SKB_DROP_REASON_NO_SOCKET,
+	/**
+	 * @SKB_DROP_REASON_NO_REQSK_ALLOC: request socket allocation failed
+	 * probably because of no available memory for now
+	 */
+	SKB_DROP_REASON_NO_REQSK_ALLOC,
 	/** @SKB_DROP_REASON_PKT_TOO_SMALL: packet size is too small */
 	SKB_DROP_REASON_PKT_TOO_SMALL,
 	/** @SKB_DROP_REASON_TCP_CSUM: TCP checksum error */
@@ -243,6 +253,11 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_TCP_OLD_ACK,
 	/** @SKB_DROP_REASON_TCP_TOO_OLD_ACK: TCP ACK is too old */
 	SKB_DROP_REASON_TCP_TOO_OLD_ACK,
+	/**
+	 * @SKB_DROP_REASON_COOKIE_NOCHILD: no child socket in cookie mode
+	 * reason could be the failure of child socket allocation
+	 */
+	SKB_DROP_REASON_COOKIE_NOCHILD,
 	/**
 	 * @SKB_DROP_REASON_TCP_ACK_UNSENT_DATA: TCP ACK for data we haven't
 	 * sent yet
@@ -254,6 +269,8 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_TCP_OFO_DROP,
 	/** @SKB_DROP_REASON_IP_OUTNOROUTES: route lookup failed */
 	SKB_DROP_REASON_IP_OUTNOROUTES,
+	/** @SKB_DROP_REASON_IP_ROUTEOUTPUTKEY: route output key failed */
+	SKB_DROP_REASON_IP_ROUTEOUTPUTKEY,
 	/**
 	 * @SKB_DROP_REASON_BPF_CGROUP_EGRESS: dropped by BPF_PROG_TYPE_CGROUP_SKB
 	 * eBPF program
@@ -271,6 +288,8 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_NEIGH_DEAD,
 	/** @SKB_DROP_REASON_TC_EGRESS: dropped in TC egress HOOK */
 	SKB_DROP_REASON_TC_EGRESS,
+	/** @SKB_DROP_REASON_SECURITY_HOOK: dropped due to security HOOK */
+	SKB_DROP_REASON_SECURITY_HOOK,
 	/**
 	 * @SKB_DROP_REASON_QDISC_DROP: dropped by qdisc when packet outputting (
 	 * failed to enqueue to current qdisc)
@@ -333,6 +352,8 @@ enum skb_drop_reason {
 	 * such as a broadcasts ICMP_TIMESTAMP
 	 */
 	SKB_DROP_REASON_INVALID_PROTO,
+	/** @SKB_DROP_REASON_INVALID_DST: look-up dst entry error */
+	SKB_DROP_REASON_INVALID_DST,
 	/**
 	 * @SKB_DROP_REASON_IP_INADDRERRORS: host unreachable, corresponding to
 	 * IPSTATS_MIB_INADDRERRORS
-- 
2.37.3

Re: [PATCH net-next v4 1/5] tcp: add dropreasons definitions and prepare for cookie check

[Eric Dumazet]

On Tue, Feb 13, 2024 at 2:42 PM Jason Xing <kerneljasonxing@gmail.com> wrote:
>
> From: Jason Xing <kernelxing@tencent.com>
>
> Only add five drop reasons to detect the condition of skb dropped
> in cookie check for later use.
>
> Signed-off-by: Jason Xing <kernelxing@tencent.com>
> --
> v2
> Link: https://lore.kernel.org/netdev/20240212172302.3f95e454@kernel.org/
> 1. fix misspelled name in kdoc as Jakub said
> ---
>  include/net/dropreason-core.h | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
> index 6d3a20163260..065caba42b0b 100644
> --- a/include/net/dropreason-core.h
> +++ b/include/net/dropreason-core.h
> @@ -6,6 +6,7 @@
>  #define DEFINE_DROP_REASON(FN, FNe)    \
>         FN(NOT_SPECIFIED)               \
>         FN(NO_SOCKET)                   \
> +       FN(NO_REQSK_ALLOC)              \
>         FN(PKT_TOO_SMALL)               \
>         FN(TCP_CSUM)                    \
>         FN(SOCKET_FILTER)               \
> @@ -43,10 +44,12 @@
>         FN(TCP_FASTOPEN)                \
>         FN(TCP_OLD_ACK)                 \
>         FN(TCP_TOO_OLD_ACK)             \
> +       FN(COOKIE_NOCHILD)              \
>         FN(TCP_ACK_UNSENT_DATA)         \
>         FN(TCP_OFO_QUEUE_PRUNE)         \
>         FN(TCP_OFO_DROP)                \
>         FN(IP_OUTNOROUTES)              \
> +       FN(IP_ROUTEOUTPUTKEY)           \
>         FN(BPF_CGROUP_EGRESS)           \
>         FN(IPV6DISABLED)                \
>         FN(NEIGH_CREATEFAIL)            \
> @@ -54,6 +57,7 @@
>         FN(NEIGH_QUEUEFULL)             \
>         FN(NEIGH_DEAD)                  \
>         FN(TC_EGRESS)                   \
> +       FN(SECURITY_HOOK)               \
>         FN(QDISC_DROP)                  \
>         FN(CPU_BACKLOG)                 \
>         FN(XDP)                         \
> @@ -71,6 +75,7 @@
>         FN(TAP_TXFILTER)                \
>         FN(ICMP_CSUM)                   \
>         FN(INVALID_PROTO)               \
> +       FN(INVALID_DST)                 \

We already have  SKB_DROP_REASON_IP_OUTNOROUTES ?

>         FN(IP_INADDRERRORS)             \
>         FN(IP_INNOROUTES)               \
>         FN(PKT_TOO_BIG)                 \
> @@ -107,6 +112,11 @@ enum skb_drop_reason {
>         SKB_DROP_REASON_NOT_SPECIFIED,
>         /** @SKB_DROP_REASON_NO_SOCKET: socket not found */
>         SKB_DROP_REASON_NO_SOCKET,
> +       /**
> +        * @SKB_DROP_REASON_NO_REQSK_ALLOC: request socket allocation failed
> +        * probably because of no available memory for now
> +        */

We have SKB_DROP_REASON_NOMEM, I do not think we need to be very precise.
REQSK are implementation details.

> +       SKB_DROP_REASON_NO_REQSK_ALLOC,
>         /** @SKB_DROP_REASON_PKT_TOO_SMALL: packet size is too small */
>         SKB_DROP_REASON_PKT_TOO_SMALL,
>         /** @SKB_DROP_REASON_TCP_CSUM: TCP checksum error */
> @@ -243,6 +253,11 @@ enum skb_drop_reason {
>         SKB_DROP_REASON_TCP_OLD_ACK,
>         /** @SKB_DROP_REASON_TCP_TOO_OLD_ACK: TCP ACK is too old */
>         SKB_DROP_REASON_TCP_TOO_OLD_ACK,
> +       /**
> +        * @SKB_DROP_REASON_COOKIE_NOCHILD: no child socket in cookie mode
> +        * reason could be the failure of child socket allocation

This makes no sense to me. There are many reasons for this.

Either the reason is deterministic, or just reuse a generic and
existing drop_reason that can be augmented later.

You are adding weak or duplicate drop_reasons, we already have them.

Re: [PATCH net-next v4 1/5] tcp: add dropreasons definitions and prepare for cookie check

[Jason Xing]

On Tue, Feb 13, 2024 at 11:24 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Tue, Feb 13, 2024 at 2:42 PM Jason Xing <kerneljasonxing@gmail.com> wrote:
> >
> > From: Jason Xing <kernelxing@tencent.com>
> >
> > Only add five drop reasons to detect the condition of skb dropped
> > in cookie check for later use.
> >
> > Signed-off-by: Jason Xing <kernelxing@tencent.com>
> > --
> > v2
> > Link: https://lore.kernel.org/netdev/20240212172302.3f95e454@kernel.org/
> > 1. fix misspelled name in kdoc as Jakub said
> > ---
> >  include/net/dropreason-core.h | 21 +++++++++++++++++++++
> >  1 file changed, 21 insertions(+)
> >
> > diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
> > index 6d3a20163260..065caba42b0b 100644
> > --- a/include/net/dropreason-core.h
> > +++ b/include/net/dropreason-core.h
> > @@ -6,6 +6,7 @@
> >  #define DEFINE_DROP_REASON(FN, FNe)    \
> >         FN(NOT_SPECIFIED)               \
> >         FN(NO_SOCKET)                   \
> > +       FN(NO_REQSK_ALLOC)              \
> >         FN(PKT_TOO_SMALL)               \
> >         FN(TCP_CSUM)                    \
> >         FN(SOCKET_FILTER)               \
> > @@ -43,10 +44,12 @@
> >         FN(TCP_FASTOPEN)                \
> >         FN(TCP_OLD_ACK)                 \
> >         FN(TCP_TOO_OLD_ACK)             \
> > +       FN(COOKIE_NOCHILD)              \
> >         FN(TCP_ACK_UNSENT_DATA)         \
> >         FN(TCP_OFO_QUEUE_PRUNE)         \
> >         FN(TCP_OFO_DROP)                \
> >         FN(IP_OUTNOROUTES)              \
> > +       FN(IP_ROUTEOUTPUTKEY)           \
> >         FN(BPF_CGROUP_EGRESS)           \
> >         FN(IPV6DISABLED)                \
> >         FN(NEIGH_CREATEFAIL)            \
> > @@ -54,6 +57,7 @@
> >         FN(NEIGH_QUEUEFULL)             \
> >         FN(NEIGH_DEAD)                  \
> >         FN(TC_EGRESS)                   \
> > +       FN(SECURITY_HOOK)               \
> >         FN(QDISC_DROP)                  \
> >         FN(CPU_BACKLOG)                 \
> >         FN(XDP)                         \
> > @@ -71,6 +75,7 @@
> >         FN(TAP_TXFILTER)                \
> >         FN(ICMP_CSUM)                   \
> >         FN(INVALID_PROTO)               \
> > +       FN(INVALID_DST)                 \
>
> We already have  SKB_DROP_REASON_IP_OUTNOROUTES ?

Oh right, I will reuse it.

>
> >         FN(IP_INADDRERRORS)             \
> >         FN(IP_INNOROUTES)               \
> >         FN(PKT_TOO_BIG)                 \
> > @@ -107,6 +112,11 @@ enum skb_drop_reason {
> >         SKB_DROP_REASON_NOT_SPECIFIED,
> >         /** @SKB_DROP_REASON_NO_SOCKET: socket not found */
> >         SKB_DROP_REASON_NO_SOCKET,
> > +       /**
> > +        * @SKB_DROP_REASON_NO_REQSK_ALLOC: request socket allocation failed
> > +        * probably because of no available memory for now
> > +        */
>
> We have SKB_DROP_REASON_NOMEM, I do not think we need to be very precise.
> REQSK are implementation details.

You're right about this.

>
> > +       SKB_DROP_REASON_NO_REQSK_ALLOC,
> >         /** @SKB_DROP_REASON_PKT_TOO_SMALL: packet size is too small */
> >         SKB_DROP_REASON_PKT_TOO_SMALL,
> >         /** @SKB_DROP_REASON_TCP_CSUM: TCP checksum error */
> > @@ -243,6 +253,11 @@ enum skb_drop_reason {
> >         SKB_DROP_REASON_TCP_OLD_ACK,
> >         /** @SKB_DROP_REASON_TCP_TOO_OLD_ACK: TCP ACK is too old */
> >         SKB_DROP_REASON_TCP_TOO_OLD_ACK,
> > +       /**
> > +        * @SKB_DROP_REASON_COOKIE_NOCHILD: no child socket in cookie mode
> > +        * reason could be the failure of child socket allocation
>
> This makes no sense to me. There are many reasons for this.

Let me think about a proper new name.

>
> Either the reason is deterministic, or just reuse a generic and
> existing drop_reason that can be augmented later.

I learned that.

Thanks,
Jason

>
> You are adding weak or duplicate drop_reasons, we already have them.

[PATCH net-next v4 2/5] tcp: directly drop skb in cookie check for ipv4

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

Only move the skb drop from tcp_v4_do_rcv() to cookie_v4_check() itself,
no other changes made. It can help us refine the specific drop reasons
later.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 net/ipv4/syncookies.c | 4 ++++
 net/ipv4/tcp_ipv4.c   | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index be88bf586ff9..38f331da6677 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -408,6 +408,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 	struct rtable *rt;
 	__u8 rcv_wscale;
 	int full_space;
+	SKB_DR(reason);
 
 	if (!READ_ONCE(net->ipv4.sysctl_tcp_syncookies) ||
 	    !th->ack || th->rst)
@@ -477,10 +478,13 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 	 */
 	if (ret)
 		inet_sk(ret)->cork.fl.u.ip4 = fl4;
+	else
+		goto out_drop;
 out:
 	return ret;
 out_free:
 	reqsk_free(req);
 out_drop:
+	kfree_skb_reason(skb, reason);
 	return NULL;
 }
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0c50c5a32b84..0a944e109088 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1915,7 +1915,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
 		struct sock *nsk = tcp_v4_cookie_check(sk, skb);
 
 		if (!nsk)
-			goto discard;
+			return 0;
 		if (nsk != sk) {
 			if (tcp_child_process(sk, nsk, skb)) {
 				rsk = nsk;
-- 
2.37.3

[PATCH net-next v4 3/5] tcp: use drop reasons in cookie check for ipv4

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

Now it's time to use the prepared definitions to refine this part.
Four reasons used might enough for now, I think.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 net/ipv4/syncookies.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index 38f331da6677..07e201cc3d6a 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -421,8 +421,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 		if (IS_ERR(req))
 			goto out;
 	}
-	if (!req)
+	if (!req) {
+		SKB_DR_SET(reason, NO_REQSK_ALLOC);
 		goto out_drop;
+	}
 
 	ireq = inet_rsk(req);
 
@@ -434,8 +436,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 	 */
 	RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(net, skb));
 
-	if (security_inet_conn_request(sk, skb, req))
+	if (security_inet_conn_request(sk, skb, req)) {
+		SKB_DR_SET(reason, SECURITY_HOOK);
 		goto out_free;
+	}
 
 	tcp_ao_syncookie(sk, skb, req, AF_INET);
 
@@ -452,8 +456,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 			   ireq->ir_loc_addr, th->source, th->dest, sk->sk_uid);
 	security_req_classify_flow(req, flowi4_to_flowi_common(&fl4));
 	rt = ip_route_output_key(net, &fl4);
-	if (IS_ERR(rt))
+	if (IS_ERR(rt)) {
+		SKB_DR_SET(reason, IP_ROUTEOUTPUTKEY);
 		goto out_free;
+	}
 
 	/* Try to redo what tcp_v4_send_synack did. */
 	req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW);
@@ -476,10 +482,12 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 	/* ip_queue_xmit() depends on our flow being setup
 	 * Normal sockets get it right from inet_csk_route_child_sock()
 	 */
-	if (ret)
+	if (ret) {
 		inet_sk(ret)->cork.fl.u.ip4 = fl4;
-	else
+	} else {
+		SKB_DR_SET(reason, COOKIE_NOCHILD);
 		goto out_drop;
+	}
 out:
 	return ret;
 out_free:
-- 
2.37.3

Re: [PATCH net-next v4 3/5] tcp: use drop reasons in cookie check for ipv4

[David Ahern]

On 2/13/24 6:42 AM, Jason Xing wrote:
> diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
> index 38f331da6677..07e201cc3d6a 100644
> --- a/net/ipv4/syncookies.c
> +++ b/net/ipv4/syncookies.c
> @@ -452,8 +456,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
>  			   ireq->ir_loc_addr, th->source, th->dest, sk->sk_uid);
>  	security_req_classify_flow(req, flowi4_to_flowi_common(&fl4));
>  	rt = ip_route_output_key(net, &fl4);
> -	if (IS_ERR(rt))
> +	if (IS_ERR(rt)) {
> +		SKB_DR_SET(reason, IP_ROUTEOUTPUTKEY);

Reason names should be based on functional failures, not function names
which will change over time. In this case the failure is an output route
lookup which is basically SKB_DROP_REASON_IP_OUTNOROUTES

Re: [PATCH net-next v4 3/5] tcp: use drop reasons in cookie check for ipv4

[Jason Xing]

On Tue, Feb 13, 2024 at 11:56 PM David Ahern <dsahern@kernel.org> wrote:
>
> On 2/13/24 6:42 AM, Jason Xing wrote:
> > diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
> > index 38f331da6677..07e201cc3d6a 100644
> > --- a/net/ipv4/syncookies.c
> > +++ b/net/ipv4/syncookies.c
> > @@ -452,8 +456,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
> >                          ireq->ir_loc_addr, th->source, th->dest, sk->sk_uid);
> >       security_req_classify_flow(req, flowi4_to_flowi_common(&fl4));
> >       rt = ip_route_output_key(net, &fl4);
> > -     if (IS_ERR(rt))
> > +     if (IS_ERR(rt)) {
> > +             SKB_DR_SET(reason, IP_ROUTEOUTPUTKEY);
>
> Reason names should be based on functional failures, not function names
> which will change over time. In this case the failure is an output route
> lookup which is basically SKB_DROP_REASON_IP_OUTNOROUTES

You're right. I'll update it soon :)

Thanks,
Jason

>
>
>

[PATCH net-next v4 4/5] tcp: directly drop skb in cookie check for ipv6

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

Like previous patch does, only moving skb drop logical code to
cookie_v6_check() for later refinement.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 net/ipv6/syncookies.c | 4 ++++
 net/ipv6/tcp_ipv6.c   | 7 +++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index 6b9c69278819..ea0d9954a29f 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -177,6 +177,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
 	struct sock *ret = sk;
 	__u8 rcv_wscale;
 	int full_space;
+	SKB_DR(reason);
 
 	if (!READ_ONCE(net->ipv4.sysctl_tcp_syncookies) ||
 	    !th->ack || th->rst)
@@ -256,10 +257,13 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
 	ireq->ecn_ok &= cookie_ecn_ok(net, dst);
 
 	ret = tcp_get_cookie_sock(sk, skb, req, dst);
+	if (!ret)
+		goto out_drop;
 out:
 	return ret;
 out_free:
 	reqsk_free(req);
 out_drop:
+	kfree_skb_reason(skb, reason);
 	return NULL;
 }
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 57b25b1fc9d9..27639ffcae2f 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1653,8 +1653,11 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
 	if (sk->sk_state == TCP_LISTEN) {
 		struct sock *nsk = tcp_v6_cookie_check(sk, skb);
 
-		if (!nsk)
-			goto discard;
+		if (!nsk) {
+			if (opt_skb)
+				__kfree_skb(opt_skb);
+			return 0;
+		}
 
 		if (nsk != sk) {
 			if (tcp_child_process(sk, nsk, skb))
-- 
2.37.3

Re: [PATCH net-next v4 4/5] tcp: directly drop skb in cookie check for ipv6

[Eric Dumazet]

On Tue, Feb 13, 2024 at 2:42 PM Jason Xing <kerneljasonxing@gmail.com> wrote:
>
> From: Jason Xing <kernelxing@tencent.com>
>
> Like previous patch does, only moving skb drop logical code to
> cookie_v6_check() for later refinement.
>
> Signed-off-by: Jason Xing <kernelxing@tencent.com>
> ---
>  net/ipv6/syncookies.c | 4 ++++
>  net/ipv6/tcp_ipv6.c   | 7 +++++--
>  2 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
> index 6b9c69278819..ea0d9954a29f 100644
> --- a/net/ipv6/syncookies.c
> +++ b/net/ipv6/syncookies.c
> @@ -177,6 +177,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
>         struct sock *ret = sk;
>         __u8 rcv_wscale;
>         int full_space;
> +       SKB_DR(reason);
>
>         if (!READ_ONCE(net->ipv4.sysctl_tcp_syncookies) ||
>             !th->ack || th->rst)
> @@ -256,10 +257,13 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
>         ireq->ecn_ok &= cookie_ecn_ok(net, dst);
>
>         ret = tcp_get_cookie_sock(sk, skb, req, dst);
> +       if (!ret)
> +               goto out_drop;
>  out:
>         return ret;
>  out_free:
>         reqsk_free(req);
>  out_drop:
> +       kfree_skb_reason(skb, reason);
>         return NULL;
>  }
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 57b25b1fc9d9..27639ffcae2f 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1653,8 +1653,11 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
>         if (sk->sk_state == TCP_LISTEN) {
>                 struct sock *nsk = tcp_v6_cookie_check(sk, skb);
>
> -               if (!nsk)
> -                       goto discard;
> +               if (!nsk) {
> +                       if (opt_skb)
> +                               __kfree_skb(opt_skb);
> +                       return 0;
> +               }
>
>                 if (nsk != sk) {
>                         if (tcp_child_process(sk, nsk, skb))
> --

or perhaps try to avoid duplication of these opt_skb tests/actions.

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 57b25b1fc9d9d529e3c53778ef09b65b1ac4c9d5..1ca4f11c3d6f3af2a0148f0e50dfea96b8ba3a53
100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1653,16 +1653,13 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
        if (sk->sk_state == TCP_LISTEN) {
                struct sock *nsk = tcp_v6_cookie_check(sk, skb);

-               if (!nsk)
-                       goto discard;
-
-               if (nsk != sk) {
+               if (nsk && nsk != sk) {
                        if (tcp_child_process(sk, nsk, skb))
                                goto reset;
-                       if (opt_skb)
-                               __kfree_skb(opt_skb);
-                       return 0;
                }
+               if (opt_skb)
+                       __kfree_skb(opt_skb);
+               return 0;
        } else
                sock_rps_save_rxhash(sk, skb);

Re: [PATCH net-next v4 4/5] tcp: directly drop skb in cookie check for ipv6

[Jason Xing]

On Tue, Feb 13, 2024 at 11:30 PM Eric Dumazet <edumazet@google.com> wrote:
>
> On Tue, Feb 13, 2024 at 2:42 PM Jason Xing <kerneljasonxing@gmail.com> wrote:
> >
> > From: Jason Xing <kernelxing@tencent.com>
> >
> > Like previous patch does, only moving skb drop logical code to
> > cookie_v6_check() for later refinement.
> >
> > Signed-off-by: Jason Xing <kernelxing@tencent.com>
> > ---
> >  net/ipv6/syncookies.c | 4 ++++
> >  net/ipv6/tcp_ipv6.c   | 7 +++++--
> >  2 files changed, 9 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
> > index 6b9c69278819..ea0d9954a29f 100644
> > --- a/net/ipv6/syncookies.c
> > +++ b/net/ipv6/syncookies.c
> > @@ -177,6 +177,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
> >         struct sock *ret = sk;
> >         __u8 rcv_wscale;
> >         int full_space;
> > +       SKB_DR(reason);
> >
> >         if (!READ_ONCE(net->ipv4.sysctl_tcp_syncookies) ||
> >             !th->ack || th->rst)
> > @@ -256,10 +257,13 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
> >         ireq->ecn_ok &= cookie_ecn_ok(net, dst);
> >
> >         ret = tcp_get_cookie_sock(sk, skb, req, dst);
> > +       if (!ret)
> > +               goto out_drop;
> >  out:
> >         return ret;
> >  out_free:
> >         reqsk_free(req);
> >  out_drop:
> > +       kfree_skb_reason(skb, reason);
> >         return NULL;
> >  }
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 57b25b1fc9d9..27639ffcae2f 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -1653,8 +1653,11 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
> >         if (sk->sk_state == TCP_LISTEN) {
> >                 struct sock *nsk = tcp_v6_cookie_check(sk, skb);
> >
> > -               if (!nsk)
> > -                       goto discard;
> > +               if (!nsk) {
> > +                       if (opt_skb)
> > +                               __kfree_skb(opt_skb);
> > +                       return 0;
> > +               }
> >
> >                 if (nsk != sk) {
> >                         if (tcp_child_process(sk, nsk, skb))
> > --
>
> or perhaps try to avoid duplication of these opt_skb tests/actions.
>
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 57b25b1fc9d9d529e3c53778ef09b65b1ac4c9d5..1ca4f11c3d6f3af2a0148f0e50dfea96b8ba3a53
> 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1653,16 +1653,13 @@ int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
>         if (sk->sk_state == TCP_LISTEN) {
>                 struct sock *nsk = tcp_v6_cookie_check(sk, skb);
>
> -               if (!nsk)
> -                       goto discard;
> -
> -               if (nsk != sk) {
> +               if (nsk && nsk != sk) {
>                         if (tcp_child_process(sk, nsk, skb))
>                                 goto reset;
> -                       if (opt_skb)
> -                               __kfree_skb(opt_skb);
> -                       return 0;
>                 }
> +               if (opt_skb)
> +                       __kfree_skb(opt_skb);
> +               return 0;
>         } else
>                 sock_rps_save_rxhash(sk, skb);

Thanks for your advice. Will update it:)

Thanks,
Jason

[PATCH net-next v4 5/5] tcp: use drop reasons in cookie check for ipv6

[Jason Xing]

From: Jason Xing <kernelxing@tencent.com>

Like what I did to ipv4 mode, refine this part: adding more drop
reasons for better tracing.

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 net/ipv6/syncookies.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index ea0d9954a29f..f5d7c91abe74 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -190,16 +190,20 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
 		if (IS_ERR(req))
 			goto out;
 	}
-	if (!req)
+	if (!req) {
+		SKB_DR_SET(reason, NO_REQSK_ALLOC);
 		goto out_drop;
+	}
 
 	ireq = inet_rsk(req);
 
 	ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
 	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
 
-	if (security_inet_conn_request(sk, skb, req))
+	if (security_inet_conn_request(sk, skb, req)) {
+		SKB_DR_SET(reason, SECURITY_HOOK);
 		goto out_free;
+	}
 
 	if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
 	    np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
@@ -236,8 +240,10 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
 		security_req_classify_flow(req, flowi6_to_flowi_common(&fl6));
 
 		dst = ip6_dst_lookup_flow(net, sk, &fl6, final_p);
-		if (IS_ERR(dst))
+		if (IS_ERR(dst)) {
+			SKB_DR_SET(reason, INVALID_DST);
 			goto out_free;
+		}
 	}
 
 	req->rsk_window_clamp = tp->window_clamp ? :dst_metric(dst, RTAX_WINDOW);
@@ -257,8 +263,10 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
 	ireq->ecn_ok &= cookie_ecn_ok(net, dst);
 
 	ret = tcp_get_cookie_sock(sk, skb, req, dst);
-	if (!ret)
+	if (!ret) {
+		SKB_DR_SET(reason, COOKIE_NOCHILD);
 		goto out_drop;
+	}
 out:
 	return ret;
 out_free:
-- 
2.37.3