From: Daniel Zahka <daniel.zahka@gmail.com>
To: Donald Hunter <donald.hunter@gmail.com>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Simon Horman <horms@kernel.org>,
Jonathan Corbet <corbet@lwn.net>,
Andrew Lunn <andrew+netdev@lunn.ch>
Cc: "Saeed Mahameed" <saeedm@nvidia.com>,
"Leon Romanovsky" <leon@kernel.org>,
"Tariq Toukan" <tariqt@nvidia.com>,
"Boris Pismenny" <borisp@nvidia.com>,
"Kuniyuki Iwashima" <kuniyu@google.com>,
"Willem de Bruijn" <willemb@google.com>,
"David Ahern" <dsahern@kernel.org>,
"Neal Cardwell" <ncardwell@google.com>,
"Patrisious Haddad" <phaddad@nvidia.com>,
"Raed Salem" <raeds@nvidia.com>,
"Jianbo Liu" <jianbol@nvidia.com>,
"Dragos Tatulea" <dtatulea@nvidia.com>,
"Rahul Rameshbabu" <rrameshbabu@nvidia.com>,
"Stanislav Fomichev" <sdf@fomichev.me>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Alexander Lobakin" <aleksander.lobakin@intel.com>,
"Jacob Keller" <jacob.e.keller@intel.com>,
netdev@vger.kernel.org
Subject: [PATCH net-next v5 07/19] net: tcp: allow tcp_timewait_sock to validate skbs before handing to device
Date: Wed, 23 Jul 2025 13:34:18 -0700
Message-ID: <20250723203454.519540-8-daniel.zahka@gmail.com>
In-Reply-To: <20250723203454.519540-1-daniel.zahka@gmail.com>
Provide a callback to validate skbs originating from tcp timewait
socks before passing to the device layer. Full socks have a
sk_validate_xmit_skb member for checking that a device is capable of
performing offloads required for transmitting an skb. With psp, tcp
timewait socks will inherit the crypto state from their corresponding
full socks. Any ACKs or RSTs that originate from a tcp timewait sock
carrying psp state should be psp encapsulated.
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Daniel Zahka <daniel.zahka@gmail.com>
---
Notes:
v3:
- check for sk_is_inet() before casting to inet_twsk()
v2:
- patch introduced in v2
include/net/inet_timewait_sock.h | 5 +++++
net/core/dev.c | 14 ++++++++++++--
net/ipv4/inet_timewait_sock.c | 3 +++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h
index c1295246216c..3a31c74c9e15 100644
--- a/include/net/inet_timewait_sock.h
+++ b/include/net/inet_timewait_sock.h
@@ -84,6 +84,11 @@ struct inet_timewait_sock {
#if IS_ENABLED(CONFIG_INET_PSP)
struct psp_assoc __rcu *psp_assoc;
#endif
+#ifdef CONFIG_SOCK_VALIDATE_XMIT
+ struct sk_buff* (*tw_validate_xmit_skb)(struct sock *sk,
+ struct net_device *dev,
+ struct sk_buff *skb);
+#endif
};
#define tw_tclass tw_tos
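Review bot: the new member is declared as `struct sk_buff* (*tw_validate_xmit_skb)(...)` with the asterisk attached to the type rather than the declarator, which departs from kernel style and from the matching local in this patch's net/core/dev.c hunk; write it as `struct sk_buff *(*tw_validate_xmit_skb)(struct sock *sk,`. A one-line comment on the member stating that it mirrors `sk_validate_xmit_skb` on full socks and is consulted for ACKs/RSTs sent from a TIME_WAIT sock would also help readers of the struct, since nothing near the field says when it is expected to be non-NULL.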
diff --git a/net/core/dev.c b/net/core/dev.c
index d23a056ab4db..442b9f7db704 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3903,10 +3903,20 @@ static struct sk_buff *sk_validate_xmit_skb(struct sk_buff *skb,
struct net_device *dev)
{
#ifdef CONFIG_SOCK_VALIDATE_XMIT
+ struct sk_buff *(*sk_validate)(struct sock *sk, struct net_device *dev,
+ struct sk_buff *skb);
struct sock *sk = skb->sk;
- if (sk && sk_fullsock(sk) && sk->sk_validate_xmit_skb) {
- skb = sk->sk_validate_xmit_skb(sk, dev, skb);
+ sk_validate = NULL;
+ if (sk) {
+ if (sk_fullsock(sk))
+ sk_validate = sk->sk_validate_xmit_skb;
+ else if (sk_is_inet(sk) && sk->sk_state == TCP_TIME_WAIT)
+ sk_validate = inet_twsk(sk)->tw_validate_xmit_skb;
+ }
+
+ if (sk_validate) {
+ skb = sk_validate(sk, dev, skb);
} else if (unlikely(skb_is_decrypted(skb))) {
pr_warn_ratelimited("unencrypted skb with no associated socket - dropping\n");
kfree_skb(skb);
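Review bot: `sk_validate` is declared at the top of the block and only set to NULL in a separate statement after `struct sock *sk = skb->sk;`; initializing it at the declaration (`... sk_validate)(struct sock *sk, struct net_device *dev, struct sk_buff *skb) = NULL;`) removes the gap where it is uninitialized and drops a line. The local's name is also easy to confuse with the enclosing `sk_validate_xmit_skb()`; `validate` or `validate_fn` would read more clearly. The fallthrough behaviour is the right default: a TIME_WAIT sock whose `tw_validate_xmit_skb` is still NULL leaves `sk_validate` NULL, so a decrypted skb from it reaches the `skb_is_decrypted()` drop path rather than being handed to the device unencrypted; it is worth saying so in a short comment above the `if (sk_validate)` so a later change does not weaken it.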
diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
index 88b5faa656b4..93c369cdf979 100644
--- a/net/ipv4/inet_timewait_sock.c
+++ b/net/ipv4/inet_timewait_sock.c
@@ -210,6 +210,9 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk,
atomic64_set(&tw->tw_cookie, atomic64_read(&sk->sk_cookie));
twsk_net_set(tw, sock_net(sk));
timer_setup(&tw->tw_timer, tw_timer_handler, 0);
+#ifdef CONFIG_SOCK_VALIDATE_XMIT
+ tw->tw_validate_xmit_skb = NULL;
+#endif
/*
* Because we use RCU lookups, we should not set tw_refcnt
* to a non null value before everything is setup for this
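Review bot: the explicit `tw->tw_validate_xmit_skb = NULL` is consistent with the surrounding code, which sets each field of the new timewait sock individually (`tw_cookie`, the net, the timer) rather than relying on a zeroed allocation, so it is needed rather than redundant. A brief comment saying that this is the "no validation required" default and that the PSP socket code later in the series is expected to set the callback for timewait socks that inherit crypto state (as the commit message describes) would make the intent clear to a reader of `inet_twsk_alloc()` who does not have the rest of the series in front of them.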
--
2.47.1
Thread overview: 42+ messages
2025-07-23 20:34 [PATCH net-next v5 00/19] add basic PSP encryption for TCP connections Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 01/19] psp: add documentation Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 02/19] psp: base PSP device support Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 03/19] net: modify core data structures for PSP datapath support Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 04/19] tcp: add datapath logic for PSP with inline key exchange Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 05/19] psp: add op for rotation of device key Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 06/19] net: move sk_validate_xmit_skb() to net/core/dev.c Daniel Zahka
2025-07-23 20:34 ` Daniel Zahka [this message]
2025-07-23 20:34 ` [PATCH net-next v5 08/19] net: psp: add socket security association code Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 09/19] net: psp: update the TCP MSS to reflect PSP packet overhead Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 10/19] psp: track generations of device key Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 11/19] net/mlx5e: Support PSP offload functionality Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 12/19] net/mlx5e: Implement PSP operations .assoc_add and .assoc_del Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 13/19] psp: provide encapsulation helper for drivers Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 14/19] net/mlx5e: Implement PSP Tx data path Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 15/19] net/mlx5e: Add PSP steering in local NIC RX Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 16/19] net/mlx5e: Configure PSP Rx flow steering rules Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 17/19] psp: provide decapsulation and receive helper for drivers Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 18/19] net/mlx5e: Add Rx data path offload Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5 19/19] net/mlx5e: Implement PSP key_rotate operation Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 00/19] add basic PSP encryption for TCP connections Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 01/19] psp: add documentation Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 02/19] psp: base PSP device support Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 03/19] net: modify core data structures for PSP datapath support Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 04/19] tcp: add datapath logic for PSP with inline key exchange Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 05/19] psp: add op for rotation of device key Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 06/19] net: move sk_validate_xmit_skb() to net/core/dev.c Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 07/19] net: tcp: allow tcp_timewait_sock to validate skbs before handing to device Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 08/19] net: psp: add socket security association code Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 09/19] net: psp: update the TCP MSS to reflect PSP packet overhead Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 10/19] psp: track generations of device key Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 11/19] net/mlx5e: Support PSP offload functionality Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 12/19] net/mlx5e: Implement PSP operations .assoc_add and .assoc_del Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 13/19] psp: provide encapsulation helper for drivers Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 14/19] net/mlx5e: Implement PSP Tx data path Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 15/19] net/mlx5e: Add PSP steering in local NIC RX Daniel Zahka
2025-07-24 13:34 ` Simon Horman
2025-07-23 20:34 ` [PATCH net-next v5.0 16/19] net/mlx5e: Configure PSP Rx flow steering rules Daniel Zahka
2025-07-24 13:37 ` Simon Horman
2025-07-23 20:34 ` [PATCH net-next v5.0 17/19] psp: provide decapsulation and receive helper for drivers Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 18/19] net/mlx5e: Add Rx data path offload Daniel Zahka
2025-07-23 20:34 ` [PATCH net-next v5.0 19/19] net/mlx5e: Implement PSP key_rotate operation Daniel Zahka