From patchwork Mon Oct 23 20:22:23 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christoph Paasch X-Patchwork-Id: 829619 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=apple.com header.i=@apple.com header.b="Fzg2DUwj"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3yLSWF4CTkz9sRW for ; Tue, 24 Oct 2017 07:22:33 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751216AbdJWUW3 (ORCPT ); Mon, 23 Oct 2017 16:22:29 -0400 Received: from mail-out7.apple.com ([17.151.62.29]:62828 "EHLO mail-in7.apple.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1750835AbdJWUW2 (ORCPT ); Mon, 23 Oct 2017 16:22:28 -0400 DKIM-Signature: v=1; a=rsa-sha256; d=apple.com; s=mailout2048s; c=relaxed/simple; q=dns/txt; i=@apple.com; t=1508790147; h=From:Sender:Reply-To:Subject:Date:Message-id:To:Cc:MIME-Version:Content-Type: Content-transfer-encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=tsDHi2TjMGcLY7hxO2+nRGR3TQ1MMAjaZE1yPYhXmIw=; b=Fzg2DUwjp6w80z3vwvwdto8lvQMzlZEOcH/rMIKA5WOqH9N0brwJdhD+BWwINNey ZGNOToIGxsn5a4Bjq22OS+q2IcLmzhOzmaOKbUiOgyM79H0aK3K+qP+oziSC0OBP jpuVLvbiC2hKXBi+aF0XFkgXNusSxq79RmKe++ZatVZwn3nj3z4mHat0tMNw0hZU Ugva3raVweOrriA+Mqm2OSgqYMVGmJByskiTX7gUtkPeTUIcGyL+rn5iuQpDUWih wN/H5EMpuvcIvVcEOzYq1/aL5LIGCD4Jd1gKcchIgUjtEAt9Rxa0UZw/r+VuDluP gpyFN2l1pbGTCPzCKsAP7w==; Received: from relay7.apple.com (relay7.apple.com [17.128.113.101]) (using TLS with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail-in7.apple.com (Apple Secure Mail Relay) with SMTP id 2F.A5.31255.38F4EE95; Mon, 23 Oct 2017 13:22:27 -0700 (PDT) X-AuditID: 11973e16-c0fdc9c000007a17-2b-59ee4f83ff9e Received: from nwk-mmpp-sz11.apple.com (nwk-mmpp-sz11.apple.com [17.128.115.155]) by relay7.apple.com (Apple SCV relay) with SMTP id 38.5A.21522.38F4EE95; Mon, 23 Oct 2017 13:22:27 -0700 (PDT) Content-transfer-encoding: 7BIT Received: from localhost ([17.226.23.113]) by nwk-mmpp-sz11.apple.com (Oracle Communications Messaging Server 8.0.1.3.20170825 64bit (built Aug 25 2017)) with ESMTPSA id <0OYA00CWJLXF2CA0@nwk-mmpp-sz11.apple.com>; Mon, 23 Oct 2017 13:22:27 -0700 (PDT) From: Christoph Paasch To: David Miller Cc: Eric Dumazet , Yuchung Cheng , netdev@vger.kernel.org Subject: [PATCH v3 net-next] tcp: Configure TFO without cookie per socket and/or per route Date: Mon, 23 Oct 2017 13:22:23 -0700 Message-id: <20171023202223.42600-1-cpaasch@apple.com> X-Mailer: git-send-email 2.14.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrLJMWRmVeSWpSXmKPExsUi2FCYqtvs/y7SYN0FI4s551tYLJ4ee8Ru cWyBmMWXx1fZHFg8tqy8yeSxYFOpx+dNcgHMUVw2Kak5mWWpRfp2CVwZnZt4Cw5aVPSfrG5g XKjbxcjJISFgItF3fwdrFyMXh5DAGiaJGwuuMcMkGo9eZodIHGKU+NA6F6iKg4NZQF7i4HlZ iHgjk0TnBpA4J4ewgKRE9507YM1sAloSb2+3g8VFBNQkJp6YABZnFkiWWPGuhxmiPkZi+cz3 LCA2i4CqxM83K8BsXgEziVkN2xkhjpCXOPfgNjPIMgmBJWwSmz9dYJvAyD8L4Y4FjIyrGIVy EzNzdDPzzPUSCwpyUvWS83M3MYLCa7qd2A7Gh6usDjEKcDAq8fA2mL+LFGJNLCuuzD3EKM3B oiTOK1LyKlJIID2xJDU7NbUgtSi+qDQntfgQIxMHp1QD43GFTPsjfZbH3A5c2h9rIy20Ncxc U7Q5MnjOg8pbt29Mjgr95fx/j+XaG5HlymvFJSuWT14Xc67G5p0IK3v7es/gVz7z3+2S4/86 3zHB80n6F/1nX5QPFNQXNqktXWaquv70X0k986ienKVu9X0hx17G3/H8Zd5Rfnyibbstx7UL B2eUr2DjVWIpzkg01GIuKk4EAK4hOXoQAgAA X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrBLMWRmVeSWpSXmKPExsUi2FA8W7fZ/12kQc8dPYs551tYLJ4ee8Ru cWyBmMWXx1fZHFg8tqy8yeSxYFOpx+dNcgHMUYY2aflF5YlFKQpFyQUltkrFGYkp+eXxlsZG pg6JBQU5qXrJ+blK+nY2Kak5mWWpRfp2CYYZnZt4Cw5aVPSfrG5gXKjbxcjJISFgItF49DJ7 FyMXh5DAIUaJD61zWbsYOTiYBeQlDp6XhYg3Mkl0bgCJc3IIC0hKdN+5wwxiswloSby93Q4W FxFQk5h4YgJYnFkgWWLFux5miPoYieUz37OA2CwCqhI/36wAs3kFzCRmNWxnhDhCXuLcg9vM Exh5ZiGsXsDIuIpRoCg1J7HSXA/upU2M4OAqTN3B2Ljc6hCjAAejEg9vg/m7SCHWxLLiylyg HziYlUR4Iz2BQrwpiZVVqUX58UWlOanFhxh9gG6YyCwlmpwPDPy8knhDYwtjSxMLAwMTSzMT HMJK4rw77jyJFBJITyxJzU5NLUgtghnHxMEp1cAovv2guqET+/3q9PIdjGdYWsquRojHz3/D d7rv0643PPNPpoZcD/iTeld6R4jZ39b7juturJr3d11b2IeJgRVbFA84t7qy98XdMgu4XPnl 7IFcSXNDrvMCamoZdSfeiV+6NUcu4Nq2M9fWa6YwttbEz95TMElYqp9ly4nooqVtV1PXi5ox FN5QYgFGvqEWc1FxIgA4p34eWwIAAA== Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org We already allow to enable TFO without a cookie by using the fastopen-sysctl and setting it to TFO_SERVER_COOKIE_NOT_REQD (or TFO_CLIENT_NO_COOKIE). This is safe to do in certain environments where we know that there isn't a malicous host (aka., data-centers) or when the application-protocol already provides an authentication mechanism in the first flight of data. A server however might be providing multiple services or talking to both sides (public Internet and data-center). So, this server would want to enable cookie-less TFO for certain services and/or for connections that go to the data-center. This patch exposes a socket-option and a per-route attribute to enable such fine-grained configurations. Signed-off-by: Christoph Paasch Reviewed-by: Yuchung Cheng --- Notes: v3: * Fix/Clarify commit-log * Add helper function tcp_fastopen_no_cookie() * Set tp->fastopen_no_cookie to "val", not 1 in do_tcp_setsockopt(). v2: * Rename to fastopen_no_cookie and TCP_FASTOPEN_NO_COOKIE * Add per-route attribute for fastopen_no_cookie * Get rid of the capability check include/linux/tcp.h | 3 ++- include/net/tcp.h | 3 ++- include/uapi/linux/rtnetlink.h | 2 ++ include/uapi/linux/tcp.h | 1 + net/ipv4/tcp.c | 12 ++++++++++++ net/ipv4/tcp_fastopen.c | 20 +++++++++++++++++--- net/ipv4/tcp_input.c | 2 +- 7 files changed, 37 insertions(+), 6 deletions(-) diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 1d2c44e09e31..173a7c2f9636 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -215,7 +215,8 @@ struct tcp_sock { u8 chrono_type:2, /* current chronograph type */ rate_app_limited:1, /* rate_{delivered,interval_us} limited? */ fastopen_connect:1, /* FASTOPEN_CONNECT sockopt */ - unused:4; + fastopen_no_cookie:1, /* Allow send/recv SYN+data without a cookie */ + unused:3; u8 nonagle : 4,/* Disable Nagle algorithm? */ thin_lto : 1,/* Use linear timeouts for thin streams */ unused1 : 1, diff --git a/include/net/tcp.h b/include/net/tcp.h index 2c13484704cb..2392f74074e7 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -1567,7 +1567,8 @@ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk, void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb); struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, struct request_sock *req, - struct tcp_fastopen_cookie *foc); + struct tcp_fastopen_cookie *foc, + const struct dst_entry *dst); void tcp_fastopen_init_key_once(struct net *net); bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, struct tcp_fastopen_cookie *cookie); diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h index dab7dad9e01a..fe6679268901 100644 --- a/include/uapi/linux/rtnetlink.h +++ b/include/uapi/linux/rtnetlink.h @@ -430,6 +430,8 @@ enum { #define RTAX_QUICKACK RTAX_QUICKACK RTAX_CC_ALGO, #define RTAX_CC_ALGO RTAX_CC_ALGO + RTAX_FASTOPEN_NO_COOKIE, +#define RTAX_FASTOPEN_NO_COOKIE RTAX_FASTOPEN_NO_COOKIE __RTAX_MAX }; diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 69c7493e42f8..d67e1d40c6d6 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -120,6 +120,7 @@ enum { #define TCP_ULP 31 /* Attach a ULP to a TCP connection */ #define TCP_MD5SIG_EXT 32 /* TCP MD5 Signature with extensions */ #define TCP_FASTOPEN_KEY 33 /* Set the key for Fast Open (cookie) */ +#define TCP_FASTOPEN_NO_COOKIE 34 /* Enable TFO without a TFO cookie */ struct tcp_repair_opt { __u32 opt_code; diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 8b1fa4dd4538..02eb2f9cce4f 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2832,6 +2832,14 @@ static int do_tcp_setsockopt(struct sock *sk, int level, err = -EOPNOTSUPP; } break; + case TCP_FASTOPEN_NO_COOKIE: + if (val > 1 || val < 0) + err = -EINVAL; + else if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) + err = -EINVAL; + else + tp->fastopen_no_cookie = val; + break; case TCP_TIMESTAMP: if (!tp->repair) err = -EPERM; @@ -3252,6 +3260,10 @@ static int do_tcp_getsockopt(struct sock *sk, int level, val = tp->fastopen_connect; break; + case TCP_FASTOPEN_NO_COOKIE: + val = tp->fastopen_no_cookie; + break; + case TCP_TIMESTAMP: val = tcp_time_stamp_raw() + tp->tsoffset; break; diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index 21075ce19cb6..e0a4b56644aa 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c @@ -310,13 +310,23 @@ static bool tcp_fastopen_queue_check(struct sock *sk) return true; } +static bool tcp_fastopen_no_cookie(const struct sock *sk, + const struct dst_entry *dst, + int flag) +{ + return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) || + tcp_sk(sk)->fastopen_no_cookie || + (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE)); +} + /* Returns true if we should perform Fast Open on the SYN. The cookie (foc) * may be updated and return the client in the SYN-ACK later. E.g., Fast Open * cookie request (foc->len == 0). */ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, struct request_sock *req, - struct tcp_fastopen_cookie *foc) + struct tcp_fastopen_cookie *foc, + const struct dst_entry *dst) { bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1; int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen; @@ -333,7 +343,8 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, return NULL; } - if (syn_data && (tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD)) + if (syn_data && + tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD)) goto fastopen; if (foc->len >= 0 && /* Client presents or requests a cookie */ @@ -370,6 +381,7 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, struct tcp_fastopen_cookie *cookie) { unsigned long last_syn_loss = 0; + const struct dst_entry *dst; int syn_loss = 0; tcp_fastopen_cache_get(sk, mss, cookie, &syn_loss, &last_syn_loss); @@ -387,7 +399,9 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, return false; } - if (sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) { + dst = __sk_dst_get(sk); + + if (tcp_fastopen_no_cookie(sk, dst, TFO_CLIENT_NO_COOKIE)) { cookie->len = -1; return true; } diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index ab3f12898245..714ba553e545 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6329,7 +6329,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, tcp_openreq_init_rwin(req, sk, dst); if (!want_cookie) { tcp_reqsk_record_syn(sk, req, skb); - fastopen_sk = tcp_try_fastopen(sk, skb, req, &foc); + fastopen_sk = tcp_try_fastopen(sk, skb, req, &foc, dst); } if (fastopen_sk) { af_ops->send_synack(fastopen_sk, dst, &fl, req,