From patchwork Tue Oct 17 06:37:14 2017
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 826779
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: David Miller
Cc: netdev@vger.kernel.org, Eric Dumazet, Yuchung Cheng
Subject: [PATCH net-next] tcp: Enable TFO without a cookie on a per-socket basis
Date: Mon, 16 Oct 2017 23:37:14 -0700
Message-id: <20171017063714.17346-1-cpaasch@apple.com>
X-Mailer: git-send-email 2.14.1

We already allow enabling TFO without a cookie by using the fastopen-sysctl and
setting it to TFO_SERVER_COOKIE_NOT_REQD (0x200). This is safe to do in certain
environments where we know that there isn't a malicious host (aka., data-centers).

A server however might be talking to both sides (public Internet and
data-center). So, this server would want to enable cookie-less TFO for the
connections that go to the data-center while enforcing cookies for the traffic
from the Internet.

This patch exposes a socket-option to enable this (protected by CAP_NET_ADMIN).

Signed-off-by: Christoph Paasch
---
 include/linux/tcp.h      |  1 +
 include/uapi/linux/tcp.h |  1 +
 net/ipv4/tcp.c           | 14 ++++++++++++++
 net/ipv4/tcp_fastopen.c  |  6 ++++--
 4 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 1d2c44e09e31..cda5d4dc8d70 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -228,6 +228,7 @@ struct tcp_sock { syn_fastopen_ch:1, /* Active TFO re-enabling probe */ syn_data_acked:1,/* data in SYN is acked by SYN-ACK */ save_syn:1, /* Save headers of SYN packet */ + no_tfo_cookie:1, /* Allow send/recv SYN+data without a cookie */ is_cwnd_limited:1;/* forward progress limited by snd_cwnd? */ u32 tlp_high_seq; /* snd_nxt at the time of TLP retransmit. */ diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 15c25eccab2b..d44f4bef056c 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -119,6 +119,7 @@ enum { #define TCP_FASTOPEN_CONNECT 30 /* Attempt FastOpen with connect */ #define TCP_ULP 31 /* Attach a ULP to a TCP connection */ #define TCP_MD5SIG_EXT 32 /* TCP MD5 Signature with extensions */ +#define TCP_NO_TFO_COOKIE 33 /* Enable TFO without a TFO cookie */ struct tcp_repair_opt { __u32 opt_code; diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 3b34850d361f..88c90be12d9f 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c 
@@ -2821,6 +2821,16 @@ static int do_tcp_setsockopt(struct sock *sk, int level, err = -EOPNOTSUPP; } break; + case TCP_NO_TFO_COOKIE: + if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) + err = -EPERM; + else if (val > 1 || val < 0) + err = -EINVAL; + else if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) + err = -EINVAL; + else + tp->no_tfo_cookie = 1; + break; case TCP_TIMESTAMP: if (!tp->repair) err = -EPERM; @@ -3219,6 +3229,10 @@ static int do_tcp_getsockopt(struct sock *sk, int level, val = tp->fastopen_connect; break; + case TCP_NO_TFO_COOKIE: + val = tp->no_tfo_cookie; + break; + case TCP_TIMESTAMP: val = tcp_time_stamp_raw() + tp->tsoffset; break; diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index 7ee4aadcdd71..c1b00b666b43 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c @@ -309,7 +309,8 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, return NULL; } - if (syn_data && (tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD)) + if (syn_data && ((tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD) || + tcp_sk(sk)->no_tfo_cookie)) goto fastopen; if (foc->len >= 0 && /* Client presents or requests a cookie */ @@ -363,7 +364,8 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, return false; } - if (sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) { + if ((sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) || + tcp_sk(sk)->no_tfo_cookie) { cookie->len = -1; return true; }
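Review bot: in the do_tcp_setsockopt hunk, `tp->no_tfo_cookie = 1;` ignores the value that was just validated, so a setsockopt call with val == 0 enables cookie-less TFO instead of clearing it, and once set the flag cannot be turned off again for that socket; assign `tp->no_tfo_cookie = val;` instead, which the preceding `val > 1 || val < 0` check already makes safe for a single-bit field. The ns_capable() check against `sock_net(sk)->user_ns` is consistent with the per-netns scope of the existing `sysctl_tcp_fastopen` that the tcp_fastopen.c hunks read, so the new option grants no more than the sysctl already does to the same namespace owner.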
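Review bot: the comment on `#define TCP_NO_TFO_COOKIE 33` in include/uapi/linux/tcp.h is the only place an application can learn how to use the option, so it should state the two restrictions enforced in do_tcp_setsockopt: CAP_NET_ADMIN is required and the option is only accepted while the socket is in CLOSE or LISTEN state (i.e. before connect() on a client or on the listening socket on a server); something like `/* Enable TFO without a TFO cookie (CAP_NET_ADMIN; CLOSE/LISTEN state only) */`.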
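Review bot: in the tcp_try_fastopen hunk, a listener with `tcp_sk(sk)->no_tfo_cookie` set jumps straight to `fastopen` for any SYN that carries data, so it accepts and processes data before the peer's address has been validated by a cookie; that is the intended behaviour described in the commit message, but since the flag is per listening socket rather than per netns like TFO_SERVER_COOKIE_NOT_REQD, the commit message or the uapi comment should say that the listener is expected to be bound to an address reachable only from the trusted network, because nothing in this path checks where the SYN came from.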