From: William Allen Simpson <william.allen.simpson@gmail.com>
To: Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: [net-next-2.6 PATCH v7 5/7 RFC] TCPCT part 1e: implement socket option TCP_COOKIE_TRANSACTIONS
Date: Fri, 20 Nov 2009 09:48:12 -0500 [thread overview]
Message-ID: <4B06AC2C.3070102@gmail.com> (raw)
In-Reply-To: <4B06A1FF.8000202@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 868 bytes --]
Provide per socket control of the TCP cookie option and SYN/SYNACK data.
This is a straightforward re-implementation of an earlier (year-old)
patch that no longer applies cleanly, with permission of the original
author (Adam Langley):
http://thread.gmane.org/gmane.linux.network/102586
The principal difference is using a TCP option to carry the cookie nonce,
instead of a user configured offset in the data.
Allocations have been rearranged to avoid requiring GFP_ATOMIC.
Requires:
net: TCP_MSS_DEFAULT, TCP_MSS_DESIRED
TCPCT part 1c: sysctl_tcp_cookie_size, socket option TCP_COOKIE_TRANSACTIONS
TCPCT part 1d: define TCP cookie option, extend existing struct's
Signed-off-by: William.Allen.Simpson@gmail.com
---
net/ipv4/tcp.c | 133 +++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 131 insertions(+), 2 deletions(-)
[-- Attachment #2: TCPCT+1e7.patch --]
[-- Type: text/plain, Size: 4406 bytes --]
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 1356e3d..5b14e2b 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2084,8 +2084,9 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
int val;
int err = 0;
- /* This is a string value all the others are int's */
- if (optname == TCP_CONGESTION) {
+ /* These are data/string values, all the others are ints */
+ switch (optname) {
+ case TCP_CONGESTION: {
char name[TCP_CA_NAME_MAX];
if (optlen < 1)
@@ -2102,6 +2103,93 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
release_sock(sk);
return err;
}
+ case TCP_COOKIE_TRANSACTIONS: {
+ struct tcp_cookie_transactions ctd;
+ struct tcp_cookie_values *cvp = NULL;
+
+ if (sizeof(ctd) > optlen)
+ return -EINVAL;
+ if (copy_from_user(&ctd, optval, sizeof(ctd)))
+ return -EFAULT;
+
+ if (ctd.tcpct_used > sizeof(ctd.tcpct_value)
+ || ctd.tcpct_s_data_desired > TCP_MSS_DESIRED)
+ return -EINVAL;
+
+ if (ctd.tcpct_cookie_desired == 0) {
+ /* default to global value */
+ } else if ((0x1 & ctd.tcpct_cookie_desired)
+ || ctd.tcpct_cookie_desired > TCP_COOKIE_MAX
+ || ctd.tcpct_cookie_desired < TCP_COOKIE_MIN) {
+ return -EINVAL;
+ }
+
+ if (TCP_COOKIE_OUT_NEVER & ctd.tcpct_flags) {
+ /* Supercedes all other values */
+ lock_sock(sk);
+ if (tp->cookie_values != NULL) {
+ kref_put(&tp->cookie_values->kref,
+ tcp_cookie_values_release);
+ tp->cookie_values = NULL;
+ }
+ tp->rx_opt.cookie_in_always = 0; /* false */
+ tp->rx_opt.cookie_out_never = 1; /* true */
+ release_sock(sk);
+ return err;
+ }
+
+ /* Allocate ancillary memory before locking.
+ */
+ if (ctd.tcpct_used > 0
+ || (tp->cookie_values == NULL
+ && (sysctl_tcp_cookie_size > 0
+ || ctd.tcpct_cookie_desired > 0
+ || ctd.tcpct_s_data_desired > 0))) {
+ cvp = kzalloc(sizeof(*cvp) + ctd.tcpct_used,
+ GFP_KERNEL);
+ if (cvp == NULL)
+ return -ENOMEM;
+ }
+ lock_sock(sk);
+ tp->rx_opt.cookie_in_always =
+ (TCP_COOKIE_IN_ALWAYS & ctd.tcpct_flags);
+ tp->rx_opt.cookie_out_never = 0; /* false */
+
+ if (tp->cookie_values != NULL) {
+ if (cvp != NULL) {
+ /* Changed values are recorded by a changed
+ * pointer, ensuring the cookie will differ,
+ * without separately hashing each value later.
+ */
+ kref_put(&tp->cookie_values->kref,
+ tcp_cookie_values_release);
+ kref_init(&cvp->kref);
+ tp->cookie_values = cvp;
+ } else {
+ cvp = tp->cookie_values;
+ }
+ }
+ if (cvp != NULL) {
+ cvp->cookie_desired = ctd.tcpct_cookie_desired;
+
+ if (ctd.tcpct_used > 0) {
+ memcpy(cvp->s_data_payload, ctd.tcpct_value,
+ ctd.tcpct_used);
+ cvp->s_data_desired = ctd.tcpct_used;
+ cvp->s_data_constant = 1; /* true */
+ } else {
+ /* No constant payload data. */
+ cvp->s_data_desired = ctd.tcpct_s_data_desired;
+ cvp->s_data_constant = 0; /* false */
+ }
+ }
+ release_sock(sk);
+ return err;
+ }
+ default:
+ /* fallthru */
+ break;
+ };
if (optlen < sizeof(int))
return -EINVAL;
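Review bot: In the path where tp->cookie_values is NULL and a fresh cvp was allocated by the kzalloc, the new object has its fields filled in but is never stored into tp->cookie_values and its kref is never initialised, so the call returns 0 while the requested settings are discarded and the allocation leaks. Restructuring the block after lock_sock() as below — install any freshly allocated object, otherwise alias the existing one — covers both paths, and the existing "changed pointer" comment moves onto the install. Separately, `tp->rx_opt.cookie_in_always = (TCP_COOKIE_IN_ALWAYS & ctd.tcpct_flags);` stores a masked flag into what looks like a one-bit field, so `tp->rx_opt.cookie_in_always = !!(TCP_COOKIE_IN_ALWAYS & ctd.tcpct_flags);` would not depend on the flag occupying bit 0. The `};` closing the switch leaves a stray empty statement, and `/* fallthru */` before `break` reads as case fallthrough when it means "continue to the int-valued options". do_tcp_setsockopt begins and ends outside the hunk.
```c
		lock_sock(sk);
		/* … unchanged: cookie_in_always / cookie_out_never assignments … */
		if (cvp == NULL) {
			cvp = tp->cookie_values;
		} else {
			/* Changed values are recorded by a changed
			 * pointer, ensuring the cookie will differ,
			 * without separately hashing each value later.
			 */
			if (tp->cookie_values != NULL)
				kref_put(&tp->cookie_values->kref,
					 tcp_cookie_values_release);
			kref_init(&cvp->kref);
			tp->cookie_values = cvp;
		}
		/* … unchanged: cvp field assignments, release_sock, return … */
```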
@@ -2426,6 +2514,47 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
if (copy_to_user(optval, icsk->icsk_ca_ops->name, len))
return -EFAULT;
return 0;
+
+ case TCP_COOKIE_TRANSACTIONS: {
+ struct tcp_cookie_transactions ctd;
+ struct tcp_cookie_values *cvp = tp->cookie_values;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+ if (len < sizeof(ctd))
+ return -EINVAL;
+
+ memset(&ctd, 0, sizeof(ctd));
+ ctd.tcpct_flags = (tp->rx_opt.cookie_in_always
+ ? TCP_COOKIE_IN_ALWAYS : 0)
+ | (tp->rx_opt.cookie_out_never
+ ? TCP_COOKIE_OUT_NEVER : 0);
+
+ if (cvp != NULL) {
+ ctd.tcpct_flags |= (cvp->s_data_in
+ ? TCP_S_DATA_IN : 0)
+ | (cvp->s_data_out
+ ? TCP_S_DATA_OUT : 0);
+
+ ctd.tcpct_cookie_desired = cvp->cookie_desired;
+ ctd.tcpct_s_data_desired = cvp->s_data_desired;
+
+ /* Cookie(s) saved, return as nonce */
+ if (sizeof(ctd.tcpct_value) < cvp->cookie_pair_size) {
+ /* impossible? */
+ return -EINVAL;
+ }
+ memcpy(&ctd.tcpct_value[0], &cvp->cookie_pair[0],
+ cvp->cookie_pair_size);
+ ctd.tcpct_used = cvp->cookie_pair_size;
+ }
+
+ if (put_user(sizeof(ctd), optlen))
+ return -EFAULT;
+ if (copy_to_user(optval, &ctd, sizeof(ctd)))
+ return -EFAULT;
+ return 0;
+ }
default:
return -ENOPROTOOPT;
}
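Review bot: tp->cookie_values is read into cvp and then dereferenced (cookie_pair_size, cookie_pair) without the socket lock anywhere in this hunk, while the setsockopt side replaces that pointer and drops its kref under lock_sock(); unless do_tcp_getsockopt, which starts outside the hunk, already holds the lock, a concurrent TCP_COOKIE_TRANSACTIONS setsockopt on the same socket can release the object underneath this copy. Taking lock_sock(sk)/release_sock(sk) around the read of tp->cookie_values and the filling of ctd (or a kref_get/kref_put pair on cvp for that span) closes the window; the put_user/copy_to_user calls can stay outside the lock since ctd is a local. Also, `if (len < sizeof(ctd))` compares len (presumably an int declared outside the hunk) with a size_t, so a negative len passes the check; it is harmless here because the copies use sizeof(ctd) rather than len, but `if (len < 0 || (size_t)len < sizeof(ctd))` states the intent.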
--
1.6.3.3