From patchwork Mon Dec 18 21:50:58 2017
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 850423
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: netdev@vger.kernel.org
Cc: Eric Dumazet, Mat Martineau, Alexei Starovoitov
Subject: [RFC 03/14] tcp: Allow tcp_fast_parse_options to drop segments
Date: Mon, 18 Dec 2017 13:50:58 -0800
Message-id: <20171218215109.38700-4-cpaasch@apple.com>
X-Mailer: git-send-email 2.15.0
In-reply-to: <20171218215109.38700-1-cpaasch@apple.com>
References: <20171218215109.38700-1-cpaasch@apple.com>

After parsing the TCP-options, some option-kinds might trigger a drop of
the segment (e.g., as is the case for TCP_MD5). As we are moving to
consolidate the TCP_MD5-code in follow-up patches, we need to add the
capability to drop a segment right after parsing the options in
tcp_fast_parse_options().

Originally, tcp_fast_parse_options() returned false, when there is no
timestamp option, except in the case of the slow-path processing through
tcp_parse_options() where it always returns true.

So, the return-value of tcp_fast_parse_options() was kind of
inconsistent. With this patch, we make it return true when the segment
should get dropped based on the parsed options, and false otherwise.

In tcp_validate_incoming, we will then just check for
tp->rx_opt.saw_tstamp to see if we should verify PAWS.

The goto will be used in a follow-up patch to check whether one of the
options triggers a drop of the segment.

Signed-off-by: Christoph Paasch
Reviewed-by: Mat Martineau
---
 net/ipv4/tcp_input.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 4d55c4b338ee..eb97ee24c601 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3827,6 +3827,8 @@ static bool tcp_parse_aligned_timestamp(struct tcp_sock *tp, const struct tcphdr /* Fast parse options. This hopes to only see timestamps. * If it is wrong it falls back on tcp_parse_options(). + * + * Returns true if we should drop this packet based on present TCP-options. */ static bool tcp_fast_parse_options(const struct net *net, const struct sk_buff *skb, 
@@ -3837,18 +3839,19 @@ static bool tcp_fast_parse_options(const struct net *net, */ if (th->doff == (sizeof(*th) / 4)) { tp->rx_opt.saw_tstamp = 0; - return false; + goto extra_opt_check; } else if (tp->rx_opt.tstamp_ok && th->doff == ((sizeof(*th) + TCPOLEN_TSTAMP_ALIGNED) / 4)) { if (tcp_parse_aligned_timestamp(tp, th)) - return true; + goto extra_opt_check; } tcp_parse_options(net, skb, &tp->rx_opt, 1, NULL); if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr) tp->rx_opt.rcv_tsecr -= tp->tsoffset; - return true; +extra_opt_check: + return false; } #ifdef CONFIG_TCP_MD5SIG @@ -5168,9 +5171,11 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, struct tcp_sock *tp = tcp_sk(sk); bool rst_seq_match = false; + if (tcp_fast_parse_options(sock_net(sk), skb, th, tp)) + goto discard; + /* RFC1323: H1. Apply PAWS check first. */ - if (tcp_fast_parse_options(sock_net(sk), skb, th, tp) && - tp->rx_opt.saw_tstamp && + if (tp->rx_opt.saw_tstamp && tcp_paws_discard(sk, skb)) { if (!th->rst) { NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);
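
Review bot: The comment added above tcp_fast_parse_options() in the first hunk documents only the drop meaning of the return value. It should also say that the return value no longer indicates whether a timestamp option was seen, and that callers have to read tp->rx_opt.saw_tstamp after the call. A reader who knows the old contract will otherwise take a true return to mean "timestamp present" and a false return to mean "skip PAWS".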
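
Review bot: In the second hunk, every path through tcp_fast_parse_options() now ends at "extra_opt_check:" followed by "return false;", so the function cannot return true in this patch and the label does nothing yet. A one-line comment at the label saying that the option-triggered drop check arrives in the follow-up patch would keep it from looking like a mistake to anyone reading this commit on its own, for example during a bisect. The caller's PAWS decision now also rests entirely on tp->rx_opt.saw_tstamp. The no-options branch clears it explicitly, but the other two paths rely on tcp_parse_aligned_timestamp() and tcp_parse_options() to leave it correct for the current segment, and the commit message would be stronger if it said so as the reason the change preserves behaviour.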
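
Review bot: In the tcp_validate_incoming() hunk, the new "goto discard" runs ahead of the PAWS check and records nothing, whereas the PAWS rejection directly below it increments LINUX_MIB_PAWSESTABREJECTED. Once the follow-up lets tcp_fast_parse_options() return true, drops taken on this path should be counted as well, either here or in the callee, so that option-triggered discards remain visible in the SNMP counters during troubleshooting and detection. The jump is also taken before the "!th->rst" test that appears inside the PAWS branch, so it applies to RST segments too; if that is intended, a short comment at the call site should say so.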