* [PATCH net-next v2 1/2] net: add missing syncookie statistics for BPF custom syncookies
@ 2026-04-11 1:32 Jiayuan Chen
2026-04-11 1:32 ` [PATCH net-next v2 2/2] selftests/bpf: verify syncookie statistics in tcp_custom_syncookie Jiayuan Chen
0 siblings, 1 reply; 2+ messages in thread
From: Jiayuan Chen @ 2026-04-11 1:32 UTC (permalink / raw)
To: netdev
Cc: Jiayuan Chen, Eric Dumazet, Neal Cardwell, Kuniyuki Iwashima,
David S. Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
David Ahern, Andrii Nakryiko, Eduard Zingerman,
Alexei Starovoitov, Daniel Borkmann, Martin KaFai Lau, Song Liu,
Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev,
Hao Luo, Jiri Olsa, Shuah Khan, linux-kernel, bpf,
linux-kselftest
1. Replace IS_ENABLED(CONFIG_BPF) with CONFIG_BPF_SYSCALL for
cookie_bpf_ok() and cookie_bpf_check(). CONFIG_BPF is selected by
CONFIG_NET unconditionally, so IS_ENABLED(CONFIG_BPF) is always
true and provides no real guard. CONFIG_BPF_SYSCALL is the correct
config for BPF program functionality.
2. Remove the CONFIG_BPF_SYSCALL guard around struct bpf_tcp_req_attrs.
This struct is referenced by bpf_sk_assign_tcp_reqsk() in
net/core/filter.c which is compiled unconditionally, so wrapping
the definition in a config guard could cause build failures when
CONFIG_BPF_SYSCALL=n.
3. Fix mismatched declaration of cookie_bpf_check() between the
CONFIG_BPF_SYSCALL and stub paths: the real definition takes
'struct net *net' but the declaration in the header did not.
Add the net parameter to the declaration and all call sites.
4. Add missing LINUX_MIB_SYNCOOKIESRECV and LINUX_MIB_SYNCOOKIESFAILED
statistics in cookie_bpf_check(), so that BPF custom syncookie
validation is accounted for in SNMP counters just like the
non-BPF path.
Compile-tested with CONFIG_BPF_SYSCALL=y and CONFIG_BPF_SYSCALL
not set.
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
No functional bug here — CONFIG_BPF is always enabled under
CONFIG_NET, so the existing code compiles and works correctly.
This is a cleanup and improvement, no backport needed.
Added a selftest, suggested by Kuniyuki Iwashima.
---
include/net/tcp.h | 7 +++----
net/ipv4/syncookies.c | 10 +++++++---
net/ipv6/syncookies.c | 2 +-
3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 6156d1d068e1..570a8836c2ba 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -598,7 +598,6 @@ struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
struct tcp_options_received *tcp_opt,
int mss, u32 tsoff);
-#if IS_ENABLED(CONFIG_BPF)
struct bpf_tcp_req_attrs {
u32 rcv_tsval;
u32 rcv_tsecr;
@@ -612,7 +611,6 @@ struct bpf_tcp_req_attrs {
u8 usec_ts_ok;
u8 reserved[3];
};
-#endif
#ifdef CONFIG_SYN_COOKIES
@@ -715,13 +713,14 @@ static inline bool cookie_ecn_ok(const struct net *net, const struct dst_entry *
dst_feature(dst, RTAX_FEATURE_ECN);
}
-#if IS_ENABLED(CONFIG_BPF)
+#ifdef CONFIG_BPF_SYSCALL
static inline bool cookie_bpf_ok(struct sk_buff *skb)
{
return skb->sk;
}
-struct request_sock *cookie_bpf_check(struct sock *sk, struct sk_buff *skb);
+struct request_sock *cookie_bpf_check(struct net *net, struct sock *sk,
+ struct sk_buff *skb);
#else
static inline bool cookie_bpf_ok(struct sk_buff *skb)
{
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index f1474598d2c8..d685631438cb 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -295,8 +295,9 @@ static int cookie_tcp_reqsk_init(struct sock *sk, struct sk_buff *skb,
return 0;
}
-#if IS_ENABLED(CONFIG_BPF)
-struct request_sock *cookie_bpf_check(struct sock *sk, struct sk_buff *skb)
+#ifdef CONFIG_BPF_SYSCALL
+struct request_sock *cookie_bpf_check(struct net *net, struct sock *sk,
+ struct sk_buff *skb)
{
struct request_sock *req = inet_reqsk(skb->sk);
@@ -306,6 +307,9 @@ struct request_sock *cookie_bpf_check(struct sock *sk, struct sk_buff *skb)
if (cookie_tcp_reqsk_init(sk, skb, req)) {
reqsk_free(req);
req = NULL;
+ __NET_INC_STATS(net, LINUX_MIB_SYNCOOKIESFAILED);
+ } else {
+ __NET_INC_STATS(net, LINUX_MIB_SYNCOOKIESRECV);
}
return req;
@@ -419,7 +423,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
goto out;
if (cookie_bpf_ok(skb)) {
- req = cookie_bpf_check(sk, skb);
+ req = cookie_bpf_check(net, sk, skb);
} else {
req = cookie_tcp_check(net, sk, skb);
if (IS_ERR(req))
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index 4f6f0d751d6c..111d7a41d957 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -190,7 +190,7 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
goto out;
if (cookie_bpf_ok(skb)) {
- req = cookie_bpf_check(sk, skb);
+ req = cookie_bpf_check(net, sk, skb);
} else {
req = cookie_tcp_check(net, sk, skb);
if (IS_ERR(req))
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* [PATCH net-next v2 2/2] selftests/bpf: verify syncookie statistics in tcp_custom_syncookie
2026-04-11 1:32 [PATCH net-next v2 1/2] net: add missing syncookie statistics for BPF custom syncookies Jiayuan Chen
@ 2026-04-11 1:32 ` Jiayuan Chen
0 siblings, 0 replies; 2+ messages in thread
From: Jiayuan Chen @ 2026-04-11 1:32 UTC (permalink / raw)
To: netdev
Cc: Jiayuan Chen, Eric Dumazet, Neal Cardwell, Kuniyuki Iwashima,
David S. Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
David Ahern, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
Shuah Khan, linux-kernel, bpf, linux-kselftest
Add read_tcpext_snmp() helper to network_helpers which reads a
TcpExt SNMP counter via nstat, and use it in the tcp_custom_syncookie
test to verify that LINUX_MIB_SYNCOOKIESRECV is incremented and
LINUX_MIB_SYNCOOKIESFAILED stays unchanged across a successful
BPF custom syncookie validation.
The delta is captured between start_server() and accept(), which
covers the full SYN/ACK/cookie-check path for one connection.
Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>
---
tools/testing/selftests/bpf/network_helpers.c | 22 +++++++++++++++++++
tools/testing/selftests/bpf/network_helpers.h | 1 +
.../bpf/prog_tests/tcp_custom_syncookie.c | 20 +++++++++++++++++
3 files changed, 43 insertions(+)
diff --git a/tools/testing/selftests/bpf/network_helpers.c b/tools/testing/selftests/bpf/network_helpers.c
index b82f572641b7..3388dd5112b6 100644
--- a/tools/testing/selftests/bpf/network_helpers.c
+++ b/tools/testing/selftests/bpf/network_helpers.c
@@ -621,6 +621,28 @@ int get_socket_local_port(int sock_fd)
return -1;
}
+int read_tcpext_snmp(const char *name, unsigned long *val)
+{
+ char cmd[128], buf[128];
+ int ret = 0;
+ FILE *f;
+
+ snprintf(cmd, sizeof(cmd),
+ "nstat -az TcpExt%s | awk '/TcpExt/ {print $2}'", name);
+ f = popen(cmd, "r");
+ if (!f)
+ return -errno;
+
+ if (!fgets(buf, sizeof(buf), f)) {
+ ret = ferror(f) ? -errno : -ENODATA;
+ goto out;
+ }
+ *val = strtoul(buf, NULL, 10);
+out:
+ pclose(f);
+ return ret;
+}
+
int get_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param)
{
struct ifreq ifr = {0};
diff --git a/tools/testing/selftests/bpf/network_helpers.h b/tools/testing/selftests/bpf/network_helpers.h
index 79a010c88e11..c53cd781df6e 100644
--- a/tools/testing/selftests/bpf/network_helpers.h
+++ b/tools/testing/selftests/bpf/network_helpers.h
@@ -84,6 +84,7 @@ int make_sockaddr(int family, const char *addr_str, __u16 port,
struct sockaddr_storage *addr, socklen_t *len);
char *ping_command(int family);
int get_socket_local_port(int sock_fd);
+int read_tcpext_snmp(const char *name, unsigned long *val);
int get_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param);
int set_hw_ring_size(char *ifname, struct ethtool_ringparam *ring_param);
diff --git a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
index eaf441dc7e79..6adfb4b892f8 100644
--- a/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
+++ b/tools/testing/selftests/bpf/prog_tests/tcp_custom_syncookie.c
@@ -91,12 +91,21 @@ static void transfer_message(int sender, int receiver)
static void create_connection(struct test_tcp_custom_syncookie_case *test_case)
{
+ unsigned long recv_before, recv_after;
+ unsigned long failed_before, failed_after;
int server, client, child;
server = start_server(test_case->family, test_case->type, test_case->addr, 0, 0);
if (!ASSERT_NEQ(server, -1, "start_server"))
return;
+ if (!ASSERT_OK(read_tcpext_snmp("SyncookiesRecv", &recv_before),
+ "read SyncookiesRecv before"))
+ goto close_server;
+ if (!ASSERT_OK(read_tcpext_snmp("SyncookiesFailed", &failed_before),
+ "read SyncookiesFailed before"))
+ goto close_server;
+
client = connect_to_fd(server, 0);
if (!ASSERT_NEQ(client, -1, "connect_to_fd"))
goto close_server;
@@ -105,9 +114,20 @@ static void create_connection(struct test_tcp_custom_syncookie_case *test_case)
if (!ASSERT_NEQ(child, -1, "accept"))
goto close_client;
+ if (!ASSERT_OK(read_tcpext_snmp("SyncookiesRecv", &recv_after),
+ "read SyncookiesRecv after"))
+ goto close_child;
+ if (!ASSERT_OK(read_tcpext_snmp("SyncookiesFailed", &failed_after),
+ "read SyncookiesFailed after"))
+ goto close_child;
+
+ ASSERT_EQ(recv_after - recv_before, 1, "SyncookiesRecv delta");
+ ASSERT_EQ(failed_after - failed_before, 0, "SyncookiesFailed delta");
+
transfer_message(client, child);
transfer_message(child, client);
+close_child:
close(child);
close_client:
close(client);
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-04-11 1:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-11 1:32 [PATCH net-next v2 1/2] net: add missing syncookie statistics for BPF custom syncookies Jiayuan Chen
2026-04-11 1:32 ` [PATCH net-next v2 2/2] selftests/bpf: verify syncookie statistics in tcp_custom_syncookie Jiayuan Chen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox