From patchwork Thu Feb 1 00:07:05 2018
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 868099
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: netdev@vger.kernel.org
Cc: Eric Dumazet, Mat Martineau
Subject: [RFC v2 03/14] tcp: Allow tcp_fast_parse_options to drop segments
Date: Wed, 31 Jan 2018 16:07:05 -0800
Message-id: <20180201000716.69301-4-cpaasch@apple.com>
In-reply-to: <20180201000716.69301-1-cpaasch@apple.com>
References: <20180201000716.69301-1-cpaasch@apple.com>
X-Mailing-List: netdev@vger.kernel.org

After parsing the TCP-options, some option-kinds might trigger a drop of the segment (e.g., as is the case for TCP_MD5). As we are moving to consolidate the TCP_MD5-code in follow-up patches, we need to add the capability to drop a segment right after parsing the options in tcp_fast_parse_options().

Originally, tcp_fast_parse_options() returned false, when there is no timestamp option, except in the case of the slow-path processing through tcp_parse_options() where it always returns true.

So, the return-value of tcp_fast_parse_options() was kind of inconsistent. With this patch, we make it return true when the segment should get dropped based on the parsed options, and false otherwise.

In tcp_validate_incoming, we will then just check for tp->rx_opt.saw_tstamp to see if we should verify PAWS.

The goto will be used in a follow-up patch to check whether one of the options triggers a drop of the segment.

Signed-off-by: Christoph Paasch
Reviewed-by: Mat Martineau

--- net/ipv4/tcp_input.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index cfa51cfd2d99..1fbabcc99b62 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -3847,6 +3847,8 @@ static bool tcp_parse_aligned_timestamp(struct tcp_sock *tp, const struct tcphdr /* Fast parse options. This hopes to only see timestamps. * If it is wrong it falls back on tcp_parse_options(). + * + * Returns true if we should drop this packet based on present TCP-options. */ static bool tcp_fast_parse_options(const struct net *net, const struct sk_buff *skb, 
@@ -3857,18 +3859,19 @@ static bool tcp_fast_parse_options(const struct net *net, */ if (th->doff == (sizeof(*th) / 4)) { tp->rx_opt.saw_tstamp = 0; - return false; + goto extra_opt_check; } else if (tp->rx_opt.tstamp_ok && th->doff == ((sizeof(*th) + TCPOLEN_TSTAMP_ALIGNED) / 4)) { if (tcp_parse_aligned_timestamp(tp, th)) - return true; + goto extra_opt_check; } tcp_parse_options(net, skb, &tp->rx_opt, 1, NULL); if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr) tp->rx_opt.rcv_tsecr -= tp->tsoffset; - return true; +extra_opt_check: + return false; } #ifdef CONFIG_TCP_MD5SIG @@ -5188,9 +5191,11 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, struct tcp_sock *tp = tcp_sk(sk); bool rst_seq_match = false; + if (tcp_fast_parse_options(sock_net(sk), skb, th, tp)) + goto discard; + /* RFC1323: H1. Apply PAWS check first. */ - if (tcp_fast_parse_options(sock_net(sk), skb, th, tp) && - tp->rx_opt.saw_tstamp && + if (tp->rx_opt.saw_tstamp && tcp_paws_discard(sk, skb)) { if (!th->rst) { NET_INC_STATS(sock_net(sk), LINUX_MIB_PAWSESTABREJECTED);
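
Review bot: In the first hunk (the comment block above tcp_fast_parse_options()), the added "Returns true if we should drop this packet" line documents only the new meaning of the return value and omits that it no longer reports whether a timestamp was seen, which is what the old caller used it for. Suggest also stating that callers must test tp->rx_opt.saw_tstamp themselves, and that no option triggers a drop yet, since every path in this patch ends in return false.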
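
Review bot: In the second hunk (the body of tcp_fast_parse_options()), the extra_opt_check: label is followed directly by "return false;", so all three exits are equivalent to a plain return and the function cannot return true in this patch. If the label has to land here rather than in the follow-up that adds the check, a one-line comment at the label saying what will be tested there would let this patch be read alone. The aligned-timestamp path jumps to the label without going through tcp_parse_options(), as the old "return true" did, so the follow-up check should be confirmed to see valid rx_opt state on that path as well.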
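
Review bot: In the tcp_validate_incoming() hunk, the PAWS test now depends only on tp->rx_opt.saw_tstamp, so it is correct only if every path through tcp_fast_parse_options() leaves that flag current; the no-options branch clears it explicitly, while the other two rely on the parsing helpers. A short comment above the "if (tp->rx_opt.saw_tstamp &&" line stating that dependency would help. The new "goto discard" also drops the segment without incrementing a counter, unlike the PAWS rejection just below it, which bumps LINUX_MIB_PAWSESTABREJECTED; the follow-up that makes this path reachable should account for the drop so it stays observable.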