From patchwork Tue Jul 23 00:20:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1135332 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="GgT1DxXn"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45szfQ1vFBz9s3Z for ; Tue, 23 Jul 2019 10:21:02 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387646AbfGWAUw (ORCPT ); Mon, 22 Jul 2019 20:20:52 -0400 Received: from mail-pf1-f196.google.com ([209.85.210.196]:43312 "EHLO mail-pf1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726283AbfGWAUt (ORCPT ); Mon, 22 Jul 2019 20:20:49 -0400 Received: by mail-pf1-f196.google.com with SMTP id i189so18163164pfg.10; Mon, 22 Jul 2019 17:20:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=jTr8NEpJLgXf+jV4qfw5bEZ4uzJQSJikCB2UYlRQiNY=; b=GgT1DxXn19H5kgs/6tmTDka1Unz3KYgOmf5C8EHeJ4bWBieN2QqAU/MBU1/Et/zd1I 8ABygMVKH+BZtz8d27Dl5AaCr5ncb2j7Tc9lh5osucQOaoxRYBA14qBbUG2PFbuU3jSG MHr1y7jQvWnJ0hl02vKe4kQqWCJQh6M6frLLfDk6WXD2qEaojgIeHidJbp+dkavHavY1 dHpHbIa0NhOvlIMmbdsJnR45og+5yehMjgKFkvjmVSkXtVnG+vwbSHLHbV33l9dz1YWn m9M7imXmsI+HyQGW/Bjmc0oxswE1NY8TzEJVyZffDwsc/50hWrrpiwnrsRolJykHU6TP jPag== 
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=jTr8NEpJLgXf+jV4qfw5bEZ4uzJQSJikCB2UYlRQiNY=; b=rLxWRg0AkW5ddAehaq+wUXl3yB5HtgiR6On4njCOehtf9Vo1T5yDtmGdAH4stwOgcn EfxWhr/LqYUZmDf+n6/scm4H+3NrOZCN5F3ucLixYB5qm3ejVmvPYfAuMAkyHFlHNp8v 5OM1Y6OzSXtt0wqXCyYWWPJelpyCcYOLpYWTy9Q3JZ3dkS8bObbOJucZ4rNxKdN8brlU j/iybSVcaHDqTLanzF+HRwsJYFxIkyMeG5uBpc4I4rFUUTsxE2bNl7cb48ROHijpN31Q jkH+Chu9+l+wwREqxqyuEW7tuQdU2fW9/tIy3A8VsmietkmHZTz3AIBYyG0VsiBUrl1G qnzA== X-Gm-Message-State: APjAAAXHcxTnqOHUkKr9du45ACdu74MeM7W2dyWESdb5zMuPdoLhV4On eqPqK0obLLzhSHhNFlvuBvUIKjvu X-Google-Smtp-Source: APXvYqymCBbwNekus7+a2MiXSC1Q8VO2Onw/rqvrTE/PCGrv4x0c3BdeAZY3jnGKvhZlp0/bDMN0NA== X-Received: by 2002:a63:58c:: with SMTP id 134mr77181797pgf.106.1563841248983; Mon, 22 Jul 2019 17:20:48 -0700 (PDT) Received: from ppenkov.svl.corp.google.com ([2620:15c:2c4:201:7bd4:4f27:abe4:d695]) by smtp.gmail.com with ESMTPSA id k64sm21718423pge.65.2019.07.22.17.20.48 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Mon, 22 Jul 2019 17:20:48 -0700 (PDT) From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next 1/6] tcp: tcp_syn_flood_action read port from socket Date: Mon, 22 Jul 2019 17:20:37 -0700 Message-Id: <20190723002042.105927-2-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.657.g960e92d24f-goog In-Reply-To: <20190723002042.105927-1-ppenkov.kernel@gmail.com> References: <20190723002042.105927-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Petar Penkov This allows us to call this function before an SKB has been allocated. 
Signed-off-by: Petar Penkov --- net/ipv4/tcp_input.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index c21e8a22fb3b..8892df6de1d4 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6422,9 +6422,7 @@ EXPORT_SYMBOL(inet_reqsk_alloc); /* * Return true if a syncookie should be sent */ -static bool tcp_syn_flood_action(const struct sock *sk, - const struct sk_buff *skb, - const char *proto) +static bool tcp_syn_flood_action(const struct sock *sk, const char *proto) { struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue; const char *msg = "Dropping request"; @@ -6444,7 +6442,7 @@ static bool tcp_syn_flood_action(const struct sock *sk, net->ipv4.sysctl_tcp_syncookies != 2 && xchg(&queue->synflood_warned, 1) == 0) net_info_ratelimited("%s: Possible SYN flooding on port %d. %s. Check SNMP counters.\n", - proto, ntohs(tcp_hdr(skb)->dest), msg); + proto, sk->sk_num, msg); return want_cookie; } 
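Review bot: the warning now prints `sk->sk_num`, the listener's bound local port in host byte order (hence no `ntohs()`), where it previously printed the packet's destination port; the two agree only because `tcp_syn_flood_action()` is reached solely from `tcp_conn_request()` on a listening socket, and since the next patch adds a second, skb-less caller that leans on the same assumption, the commit message should say that the port reported is the listener's rather than the packet's. No functional concern beyond that.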
@@ -6487,7 +6485,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, */ if ((net->ipv4.sysctl_tcp_syncookies == 2 || inet_csk_reqsk_queue_is_full(sk)) && !isn) { - want_cookie = tcp_syn_flood_action(sk, skb, rsk_ops->slab_name); + want_cookie = tcp_syn_flood_action(sk, rsk_ops->slab_name); if (!want_cookie) goto drop; }
From patchwork Tue Jul 23 00:20:38 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1135327 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next 2/6] tcp: add skb-less helpers to retrieve SYN cookie Date: Mon, 22 Jul 2019 17:20:38 -0700 Message-Id: <20190723002042.105927-3-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.657.g960e92d24f-goog In-Reply-To: <20190723002042.105927-1-ppenkov.kernel@gmail.com> References: <20190723002042.105927-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Petar Penkov This patch allows generation of a SYN cookie before an SKB has been allocated, as is the case at XDP. Signed-off-by: Petar Penkov --- include/net/tcp.h | 11 +++++++ net/ipv4/tcp_input.c | 76 ++++++++++++++++++++++++++++++++++++++++++++ net/ipv4/tcp_ipv4.c | 8 +++++ net/ipv6/tcp_ipv6.c | 8 +++++ 4 files changed, 103 insertions(+) diff --git a/include/net/tcp.h b/include/net/tcp.h index cca3c59b98bf..a128e22c0d5d 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -414,6 +414,17 @@ void tcp_parse_options(const struct net *net, const struct sk_buff *skb, int estab, struct tcp_fastopen_cookie *foc); const u8 *tcp_parse_md5sig_option(const struct tcphdr *th); +/* + * BPF SKB-less helpers + */ +u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph, + struct tcphdr *tch, u32 *cookie); +u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph, + struct tcphdr *tch, u32 *cookie); +u16 tcp_get_syncookie(struct request_sock_ops *rsk_ops, + const struct tcp_request_sock_ops *af_ops, + struct sock *sk, void *iph, struct tcphdr *tch, + u32 *cookie); /* * TCP v4 functions exported for the inet6 API */ diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 8892df6de1d4..893b275a6d49 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c 
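Review bot: the new prototypes name the TCP header parameter `tch` while the `tcp_get_syncookie()` definition in net/ipv4/tcp_input.c names it `th`, as does the neighbouring `tcp_parse_md5sig_option(const struct tcphdr *th)`; use `th` in all three declarations so prototype and definition match. The `BPF SKB-less helpers` comment should also spell out the contract these functions do not check themselves: `sk` must be a TCP_LISTEN socket (`tcp_sk(sk)` is dereferenced), `th` must be readable for `th->doff * 4` bytes and `iph` for a full IPv4 or IPv6 header. The BPF helper in patch 3 validates all of that before calling in, but an exported function in tcp.h will attract other callers.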
@@ -3782,6 +3782,49 @@ static void smc_parse_options(const struct tcphdr *th, #endif } +/* Try to parse the MSS option from the TCP header. Return 0 on failure, clamped + * value on success. + */ +static u16 tcp_parse_mss_option(const struct tcphdr *th, u16 user_mss) +{ + const unsigned char *ptr = (const unsigned char *)(th + 1); + int length = (th->doff * 4) - sizeof(struct tcphdr); + u16 mss = 0; + + while (length > 0) { + int opcode = *ptr++; + int opsize; + + switch (opcode) { + case TCPOPT_EOL: + return mss; + case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ + length--; + continue; + default: + if (length < 2) + return mss; + opsize = *ptr++; + if (opsize < 2) /* "silly options" */ + return mss; + if (opsize > length) + return mss; /* fail on partial options */ + if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS) { + u16 in_mss = get_unaligned_be16(ptr); + + if (in_mss) { + if (user_mss && user_mss < in_mss) + in_mss = user_mss; + mss = in_mss; + } + } + ptr += opsize - 2; + length -= opsize; + } + } + return mss; +} + /* Look for tcp options. Normally only called on SYN and SYNACK packets. * But, this can also be called on packets in the established flow when * the fast version below fails. 
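Review bot: the comment on `tcp_parse_mss_option()` promises a "clamped value", but the only bound applied is `user_mss` from above; an advertised MSS of 1 comes back as 1 and the caller hands it straight to `__cookie_v*_init_sequence()`. Reword it to "returns the advertised MSS, capped at user_mss, or 0 if absent or malformed" so nobody relies on a lower bound that is not here. The option walk itself checks out: `length < 2` is tested before `opsize` is read, `opsize > length` rejects truncated options, and a `doff` below 5 makes `length` negative so the loop is skipped and 0 is returned. Since this duplicates the scan in `tcp_parse_options()` directly below, a one-line comment saying why a separate walker is wanted (there is no skb to hand on this path) would stop a later cleanup from folding it back.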
@@ -6464,6 +6507,39 @@ static void tcp_reqsk_record_syn(const struct sock *sk, } } +u16 tcp_get_syncookie(struct request_sock_ops *rsk_ops, + const struct tcp_request_sock_ops *af_ops, + struct sock *sk, void *iph, struct tcphdr *th, + u32 *cookie) +{ + u16 mss = 0; +#ifdef CONFIG_SYN_COOKIES + bool is_v4 = rsk_ops->family == AF_INET; + struct tcp_sock *tp = tcp_sk(sk); + + if (sock_net(sk)->ipv4.sysctl_tcp_syncookies != 2 && + !inet_csk_reqsk_queue_is_full(sk)) + return 0; + + if (!tcp_syn_flood_action(sk, rsk_ops->slab_name)) + return 0; + + if (sk_acceptq_is_full(sk)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); + return 0; + } + + mss = tcp_parse_mss_option(th, tp->rx_opt.user_mss); + if (!mss) + mss = af_ops->mss_clamp; + + tcp_synq_overflow(sk); + *cookie = is_v4 ? __cookie_v4_init_sequence(iph, th, &mss) + : __cookie_v6_init_sequence(iph, th, &mss); +#endif + return mss; +} + int tcp_conn_request(struct request_sock_ops *rsk_ops, const struct tcp_request_sock_ops *af_ops, struct sock *sk, struct sk_buff *skb) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index d57641cb3477..0e06e59784bd 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1515,6 +1515,14 @@ static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb) return sk; } +u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph, + struct tcphdr *tch, u32 *cookie) +{ + return tcp_get_syncookie(&tcp_request_sock_ops, + &tcp_request_sock_ipv4_ops, sk, iph, tch, + cookie); +} + /* The socket must have it's spinlock held when we get * here, unless it is a TCP_LISTEN socket. * diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 5da069e91cac..102f68c3152d 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
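Review bot: `tcp_get_syncookie()` bumps LINUX_MIB_LISTENOVERFLOWS and calls `tcp_synq_overflow(sk)`, but nothing here increments LINUX_MIB_SYNCOOKIESSENT, so cookies issued on the XDP path will not appear in the counters that patch 1's "Check SNMP counters" warning tells operators to look at; either add the increment next to `tcp_synq_overflow(sk)` or state in the commit message that XDP-issued cookies are deliberately not counted. Smaller point: `tcp_sk(sk)` is dereferenced for `user_mss` with no check that `sk` is a listener; today only the BPF helper calls in, after its own `TCP_LISTEN` check, so a comment recording the precondition would do.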
@@ -1063,6 +1063,14 @@ static struct sock *tcp_v6_cookie_check(struct sock *sk, struct sk_buff *skb) return sk; } +u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph, + struct tcphdr *tch, u32 *cookie) +{ + return tcp_get_syncookie(&tcp6_request_sock_ops, + &tcp_request_sock_ipv6_ops, sk, iph, tch, + cookie); +} + static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb) { if (skb->protocol == htons(ETH_P_IP))
From patchwork Tue Jul 23 00:20:39 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1135325 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next 3/6] bpf: add bpf_tcp_gen_syncookie helper Date: Mon, 22 Jul 2019 17:20:39 -0700 Message-Id: <20190723002042.105927-4-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.657.g960e92d24f-goog In-Reply-To: <20190723002042.105927-1-ppenkov.kernel@gmail.com> References: <20190723002042.105927-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Petar Penkov This helper function allows BPF programs to try to generate SYN cookies, given a reference to a listener socket. The function works from XDP and with an skb context since bpf_skc_lookup_tcp can lookup a socket in both cases. Signed-off-by: Petar Penkov Suggested-by: Eric Dumazet --- include/uapi/linux/bpf.h | 30 ++++++++++++++++- net/core/filter.c | 73 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 102 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 6f68438aa4ed..20baee7b2219 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h 
@@ -2713,6 +2713,33 @@ union bpf_attr { * **-EPERM** if no permission to send the *sig*. * * **-EAGAIN** if bpf program can try again. + * + * s64 bpf_tcp_gen_syncookie(struct bpf_sock *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len) + * Description + * Try to issue a SYN cookie for the packet with corresponding + * IP/TCP headers, *iph* and *th*, on the listening socket in *sk*. + * + * *iph* points to the start of the IPv4 or IPv6 header, while + * *iph_len* contains **sizeof**\ (**struct iphdr**) or + * **sizeof**\ (**struct ip6hdr**). + * + * *th* points to the start of the TCP header, while *th_len* + * contains the length of the TCP header. + * + * Return + * On success, lower 32 bits hold the generated SYN cookie in + * followed by 16 bits which hold the MSS value for that cookie, + * and the top 16 bits are unused. + * + * On failure, the returned value is one of the following: + * + * **-EINVAL** SYN cookie cannot be issued due to error + * + * **-ENOENT** SYN cookie should not be issued (no SYN flood) + * + * **-ENOTSUPP** kernel configuration does not enable SYN cookies + * + * **-EPROTONOSUPPORT** IP packet version is not 4 or 6 */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -2824,7 +2851,8 @@ union bpf_attr { FN(strtoul), \ FN(sk_storage_get), \ FN(sk_storage_delete), \ - FN(send_signal), + FN(send_signal), \ + FN(tcp_gen_syncookie), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call diff --git a/net/core/filter.c b/net/core/filter.c index 47f6386fb17a..92114271eff6 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
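Review bot: three documentation fixes in the new `bpf_tcp_gen_syncookie` block. "hold the generated SYN cookie in followed by 16 bits" has a stray "in". `**struct ip6hdr**` should be `**struct ipv6hdr**`, the type the implementation actually uses (`sizeof(struct ipv6hdr)`); as written, a reader grepping for ip6hdr finds nothing. And the Return section should state the byte order of the cookie and MSS packed into the result, because the program has to copy them into a SYN-ACK it builds itself and will otherwise have to guess.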
@@ -5850,6 +5850,75 @@ static const struct bpf_func_proto bpf_tcp_check_syncookie_proto = { .arg5_type = ARG_CONST_SIZE, }; +BPF_CALL_5(bpf_tcp_gen_syncookie, struct sock *, sk, void *, iph, u32, iph_len, + struct tcphdr *, th, u32, th_len) +{ +#ifdef CONFIG_SYN_COOKIES + u32 cookie; + u16 mss; + + if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4)) + return -EINVAL; + + if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN) + return -EINVAL; + + if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies) + return -ENOENT; + + if (!th->syn || th->ack || th->fin || th->rst) + return -EINVAL; + + if (unlikely(iph_len < sizeof(struct iphdr))) + return -EINVAL; + + /* Both struct iphdr and struct ipv6hdr have the version field at the + * same offset so we can cast to the shorter header (struct iphdr). + */ + switch (((struct iphdr *)iph)->version) { + case 4: + if (sk->sk_family == AF_INET6 && sk->sk_ipv6only) + return -EINVAL; + + mss = tcp_v4_get_syncookie(sk, iph, th, &cookie); + break; + +#if IS_BUILTIN(CONFIG_IPV6) + case 6: + if (unlikely(iph_len < sizeof(struct ipv6hdr))) + return -EINVAL; + + if (sk->sk_family != AF_INET6) + return -EINVAL; + + mss = tcp_v6_get_syncookie(sk, iph, th, &cookie); + break; +#endif /* CONFIG_IPV6 */ + + default: + return -EPROTONOSUPPORT; + } + if (mss <= 0) + return -ENOENT; + + return cookie | ((u64)mss << 32); +#else + return -ENOTSUPP; +#endif /* CONFIG_SYN_COOKIES */ +} + +static const struct bpf_func_proto bpf_tcp_gen_syncookie_proto = { + .func = bpf_tcp_gen_syncookie, + .gpl_only = true, /* __cookie_v*_init_sequence() is GPL */ + .pkt_access = true, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_SOCK_COMMON, + .arg2_type = ARG_PTR_TO_MEM, + .arg3_type = ARG_CONST_SIZE, + .arg4_type = ARG_PTR_TO_MEM, + .arg5_type = ARG_CONST_SIZE, +}; + #endif /* CONFIG_INET */ bool bpf_helper_changes_pkt_data(void *func) 
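Review bot: `if (mss <= 0)` on a `u16` is just `mss == 0`; write that, since `<= 0` reads as if `tcp_v4_get_syncookie()`/`tcp_v6_get_syncookie()` could return a negative error, which they cannot. Second, with `CONFIG_IPV6=m` the `case 6:` arm is compiled out by `IS_BUILTIN(CONFIG_IPV6)`, so an IPv6 SYN falls through to `default:` and the program gets -EPROTONOSUPPORT, which the uapi text defines as "IP packet version is not 4 or 6"; either return -ENOTSUPP from an explicit `case 6:` under `#else`, or document that -EPROTONOSUPPORT also covers IPv6 not being built in. The validation order is right: `th_len < sizeof(*th)` is tested before `th->doff` is read, `iph_len < sizeof(struct iphdr)` before `version`, and the `TCP_LISTEN` check precedes the `tcp_sk()` dereference inside `tcp_get_syncookie()`.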
@@ -6135,6 +6204,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_tcp_check_syncookie_proto; case BPF_FUNC_skb_ecn_set_ce: return &bpf_skb_ecn_set_ce_proto; + case BPF_FUNC_tcp_gen_syncookie: + return &bpf_tcp_gen_syncookie_proto; #endif default: return bpf_base_func_proto(func_id); 
@@ -6174,6 +6245,8 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_xdp_skc_lookup_tcp_proto; case BPF_FUNC_tcp_check_syncookie: return &bpf_tcp_check_syncookie_proto; + case BPF_FUNC_tcp_gen_syncookie: + return &bpf_tcp_gen_syncookie_proto; #endif default: return bpf_base_func_proto(func_id);
From patchwork Tue Jul 23 00:20:40 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1135335 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next 4/6] bpf: sync bpf.h to tools/ Date: Mon, 22 Jul 2019 17:20:40 -0700 Message-Id: <20190723002042.105927-5-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.657.g960e92d24f-goog In-Reply-To: <20190723002042.105927-1-ppenkov.kernel@gmail.com> References: <20190723002042.105927-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Petar Penkov Sync updated documentation for bpf_redirect_map. Sync the bpf_tcp_gen_syncookie helper function definition with the one in tools/uapi. Signed-off-by: Petar Penkov --- tools/include/uapi/linux/bpf.h | 37 +++++++++++++++++++++++++++++++--- 1 file changed, 34 insertions(+), 3 deletions(-) diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index f506c68b2612..20baee7b2219 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -1571,8 +1571,11 @@ union bpf_attr { * but this is only implemented for native XDP (with driver * support) as of this writing). * - * All values for *flags* are reserved for future usage, and must - * be left at zero. + * The lower two bits of *flags* are used as the return code if + * the map lookup fails. This is so that the return value can be + * one of the XDP program return codes up to XDP_TX, as chosen by + * the caller. Any higher bits in the *flags* argument must be + * unset. * * When used to redirect packets to net devices, this helper * provides a high performance increase over **bpf_redirect**\ (). 
@@ -2710,6 +2713,33 @@ union bpf_attr { * **-EPERM** if no permission to send the *sig*. * * **-EAGAIN** if bpf program can try again. + * + * s64 bpf_tcp_gen_syncookie(struct bpf_sock *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len) + * Description + * Try to issue a SYN cookie for the packet with corresponding + * IP/TCP headers, *iph* and *th*, on the listening socket in *sk*. + * + * *iph* points to the start of the IPv4 or IPv6 header, while + * *iph_len* contains **sizeof**\ (**struct iphdr**) or + * **sizeof**\ (**struct ip6hdr**). + * + * *th* points to the start of the TCP header, while *th_len* + * contains the length of the TCP header. + * + * Return + * On success, lower 32 bits hold the generated SYN cookie in + * followed by 16 bits which hold the MSS value for that cookie, + * and the top 16 bits are unused. + * + * On failure, the returned value is one of the following: + * + * **-EINVAL** SYN cookie cannot be issued due to error + * + * **-ENOENT** SYN cookie should not be issued (no SYN flood) + * + * **-ENOTSUPP** kernel configuration does not enable SYN cookies + * + * **-EPROTONOSUPPORT** IP packet version is not 4 or 6 */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ 
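Review bot: this block is a copy of the kernel header text and carries the same two typos, the stray "in" in "hold the generated SYN cookie in followed by" and `**struct ip6hdr**` for what the code calls `struct ipv6hdr`; fix them in include/uapi/linux/bpf.h first and regenerate this copy so the two files stay byte-identical, which is the point of the sync.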
@@ -2821,7 +2851,8 @@ union bpf_attr { FN(strtoul), \ FN(sk_storage_get), \ FN(sk_storage_delete), \ - FN(send_signal), + FN(send_signal), \ + FN(tcp_gen_syncookie), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call
From patchwork Tue Jul 23 00:20:41 2019 X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1135326 X-Patchwork-Delegate: bpf@iogearbox.net
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next 5/6] selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers Date: Mon, 22 Jul 2019 17:20:41 -0700 Message-Id: <20190723002042.105927-6-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.657.g960e92d24f-goog In-Reply-To: <20190723002042.105927-1-ppenkov.kernel@gmail.com> References: <20190723002042.105927-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Petar Penkov Expose bpf_tcp_gen_syncookie to selftests. Signed-off-by: Petar Penkov --- tools/testing/selftests/bpf/bpf_helpers.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h index 5a3d92c8bec8..19f01e967402 100644 --- a/tools/testing/selftests/bpf/bpf_helpers.h +++ b/tools/testing/selftests/bpf/bpf_helpers.h 
@@ -228,6 +228,9 @@ static void *(*bpf_sk_storage_get)(void *map, struct bpf_sock *sk, static int (*bpf_sk_storage_delete)(void *map, struct bpf_sock *sk) = (void *)BPF_FUNC_sk_storage_delete; static int (*bpf_send_signal)(unsigned sig) = (void *)BPF_FUNC_send_signal; +static long long (*bpf_tcp_gen_syncookie)(struct bpf_sock *sk, void *ip, + int ip_len, void *tcp, int tcp_len) = + (void *) BPF_FUNC_tcp_gen_syncookie; /* llvm builtin functions that eBPF C program may use to * emit BPF_LD_ABS and BPF_LD_IND instructions From patchwork Tue Jul 23 00:20:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petar Penkov X-Patchwork-Id: 1135330 X-Patchwork-Delegate: bpf@iogearbox.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="TbzF36RL"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45szfM6mVwz9s3Z for ; Tue, 23 Jul 2019 10:20:59 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387667AbfGWAU4 (ORCPT ); Mon, 22 Jul 2019 20:20:56 -0400 Received: from mail-pg1-f177.google.com ([209.85.215.177]:42644 "EHLO mail-pg1-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387654AbfGWAUy (ORCPT ); Mon, 22 Jul 2019 20:20:54 -0400 Received: by mail-pg1-f177.google.com with SMTP id t132so18436018pgb.9; Mon, 22 Jul 2019 17:20:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; 
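Review bot: style nit in the bpf_helpers.h hunk: `(void *) BPF_FUNC_tcp_gen_syncookie` has a space after the cast while the neighbouring entries (`(void *)BPF_FUNC_send_signal`, `(void *)BPF_FUNC_sk_storage_delete`) do not; drop the space to match. The `long long` return type is right for the packed 64-bit result, but a one-line comment at the declaration saying that callers get the MSS in the upper 32 bits and the cookie in the lower 32 bits (the way test_tcp_check_syncookie_kern.c consumes it in 6/6) would save readers a trip to the UAPI header.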
From: Petar Penkov To: netdev@vger.kernel.org, bpf@vger.kernel.org Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net, edumazet@google.com, lmb@cloudflare.com, sdf@google.com, Petar Penkov Subject: [bpf-next 6/6] selftests/bpf: add test for bpf_tcp_gen_syncookie Date: Mon, 22 Jul 2019 17:20:42 -0700 Message-Id: <20190723002042.105927-7-ppenkov.kernel@gmail.com> X-Mailer: git-send-email 2.22.0.657.g960e92d24f-goog In-Reply-To: <20190723002042.105927-1-ppenkov.kernel@gmail.com> References: <20190723002042.105927-1-ppenkov.kernel@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Petar Penkov Modify the existing bpf_tcp_check_syncookie test to also generate a SYN cookie, pass the packet to the kernel, and verify that the two cookies are the same (and both valid). Since cloned SKBs are skipped during generic XDP, this test does not issue a SYN cookie when run in XDP mode. We therefore only check that a valid SYN cookie was issued at the TC hook. Additionally, verify that the MSS for that SYN cookie is within expected range. Signed-off-by: Petar Penkov --- .../bpf/progs/test_tcp_check_syncookie_kern.c | 48 +++++++++++++-- .../selftests/bpf/test_tcp_check_syncookie.sh | 3 + .../bpf/test_tcp_check_syncookie_user.c | 61 ++++++++++++++++--- 3 files changed, 99 insertions(+), 13 deletions(-) diff --git a/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c b/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c index 1ab095bcacd8..d8803dfa8d32 100644 --- a/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c +++ b/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c 
@@ -19,10 +19,29 @@ struct bpf_map_def SEC("maps") results = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(__u32), - .value_size = sizeof(__u64), - .max_entries = 1, + .value_size = sizeof(__u32), + .max_entries = 3, }; +static __always_inline __s64 gen_syncookie(void *data_end, struct bpf_sock *sk, + void *iph, __u32 ip_size, + struct tcphdr *tcph) +{ + __u32 thlen = tcph->doff * 4; + + if (tcph->syn && !tcph->ack) { + // packet should only have an MSS option + if (thlen != 24) + return 0; + + if ((void *)tcph + thlen > data_end) + return 0; + + return bpf_tcp_gen_syncookie(sk, iph, ip_size, tcph, thlen); + } + return 0; +} + static __always_inline void check_syncookie(void *ctx, void *data, void *data_end) { @@ -33,8 +52,10 @@ static __always_inline void check_syncookie(void *ctx, void *data, struct ipv6hdr *ipv6h; struct tcphdr *tcph; int ret; + __u32 key_mss = 2; + __u32 key_gen = 1; __u32 key = 0; - __u64 value = 1; + __s64 seq_mss; ethh = data; if (ethh + 1 > data_end) @@ -66,6 +87,9 @@ static __always_inline void check_syncookie(void *ctx, void *data, if (sk->state != BPF_TCP_LISTEN) goto release; + seq_mss = gen_syncookie(data_end, sk, ipv4h, sizeof(*ipv4h), + tcph); + ret = bpf_tcp_check_syncookie(sk, ipv4h, sizeof(*ipv4h), tcph, sizeof(*tcph)); break; @@ -95,6 +119,9 @@ static __always_inline void check_syncookie(void *ctx, void *data, if (sk->state != BPF_TCP_LISTEN) goto release; + seq_mss = gen_syncookie(data_end, sk, ipv6h, sizeof(*ipv6h), + tcph); + ret = bpf_tcp_check_syncookie(sk, ipv6h, sizeof(*ipv6h), tcph, sizeof(*tcph)); break; 
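Review bot: in the `@@ -33,8 +52,10 @@` hunk, `__s64 seq_mss;` is declared uninitialised and later tested with `if (seq_mss > 0)`; both the IPv4 and IPv6 arms assign it before `break`, so today it is defined on every path that reaches the check, but that depends on the switch's default arm returning early, which a later edit can easily break. Initialise it (`__s64 seq_mss = 0;`) so both the compiler and the verifier see a defined value. In the `gen_syncookie` hunk, `(void *)tcph + thlen > data_end` guards the helper's read of the options, but `tcph->doff` is dereferenced before that check; this relies on the caller having already bounds-checked the fixed TCP header (not in this hunk), which deserves a comment because the function takes `data_end` as if it did its own checking. The `thlen != 24` early return (20-byte header plus a 4-byte MSS option) is only true because test_tcp_check_syncookie.sh disables the other options; a comment naming that coupling would help whoever touches either file next.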
@@ -103,8 +130,19 @@ static __always_inline void check_syncookie(void *ctx, void *data, return; } - if (ret == 0) - bpf_map_update_elem(&results, &key, &value, 0); + if (seq_mss > 0) { + __u32 cookie = (__u32)seq_mss; + __u32 mss = seq_mss >> 32; + + bpf_map_update_elem(&results, &key_gen, &cookie, 0); + bpf_map_update_elem(&results, &key_mss, &mss, 0); + } + + if (ret == 0) { + __u32 cookie = bpf_ntohl(tcph->ack_seq) - 1; + + bpf_map_update_elem(&results, &key, &cookie, 0); + } release: bpf_sk_release(sk); diff --git a/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh b/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh index d48e51716d19..9b3617d770a5 100755 --- a/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh +++ b/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh @@ -37,6 +37,9 @@ setup() ns1_exec ip link set lo up ns1_exec sysctl -w net.ipv4.tcp_syncookies=2 + ns1_exec sysctl -w net.ipv4.tcp_window_scaling=0 + ns1_exec sysctl -w net.ipv4.tcp_timestamps=0 + ns1_exec sysctl -w net.ipv4.tcp_sack=0 wait_for_ip 127.0.0.1 wait_for_ip ::1 diff --git a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c index 87829c86c746..b9e991d43155 100644 --- a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c +++ b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c @@ -2,6 +2,7 @@ // Copyright (c) 2018 Facebook // Copyright (c) 2019 Cloudflare +#include #include #include #include @@ -77,7 +78,7 @@ static int connect_to_server(int server_fd) return fd; } -static int get_map_fd_by_prog_id(int prog_id) +static int get_map_fd_by_prog_id(int prog_id, bool *xdp) { struct bpf_prog_info info = {}; __u32 info_len = sizeof(info); @@ -104,6 +105,8 @@ static int get_map_fd_by_prog_id(int prog_id) goto err; } + *xdp = info.type == BPF_PROG_TYPE_XDP; + map_fd = bpf_map_get_fd_by_id(map_ids[0]); if (map_fd < 0) log_err("Failed to get fd by map id %d", map_ids[0]); 
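Review bot: in the test_tcp_check_syncookie.sh hunk, the three new `sysctl -w` lines (window scaling, timestamps, SACK all off) carry no comment; add one saying they exist so the client's SYN carries only the MSS option, which is what `gen_syncookie`'s `thlen != 24` check requires. Without it a future cleanup could drop them, after which the TC run would fail on `value != value_gen` with a message that does not point at TCP options, and the XDP run would be skipped silently via the `value_gen == 0` path. In the results hunk, `__u32 mss = seq_mss >> 32;` is fine given the `seq_mss > 0` guard, and `bpf_ntohl(tcph->ack_seq) - 1` correctly recovers the cookie from the handshake ACK. In the test_tcp_check_syncookie_user.c hunk, the header name of the newly added `#include` has been lost in rendering, so it cannot be checked here against the new uses of `bool` and `USHRT_MAX` further down.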
@@ -113,18 +116,32 @@ static int get_map_fd_by_prog_id(int prog_id) return map_fd; } -static int run_test(int server_fd, int results_fd) +static int run_test(int server_fd, int results_fd, bool xdp) { int client = -1, srv_client = -1; int ret = 0; __u32 key = 0; - __u64 value = 0; + __u32 key_gen = 1; + __u32 key_mss = 2; + __u32 value = 0; + __u32 value_gen = 0; + __u32 value_mss = 0; if (bpf_map_update_elem(results_fd, &key, &value, 0) < 0) { log_err("Can't clear results"); goto err; } + if (bpf_map_update_elem(results_fd, &key_gen, &value_gen, 0) < 0) { + log_err("Can't clear results"); + goto err; + } + + if (bpf_map_update_elem(results_fd, &key_mss, &value_mss, 0) < 0) { + log_err("Can't clear results"); + goto err; + } + client = connect_to_server(server_fd); if (client == -1) goto err; @@ -140,8 +157,35 @@ static int run_test(int server_fd, int results_fd) goto err; } - if (value != 1) { - log_err("Didn't match syncookie: %llu", value); + if (value == 0) { + log_err("Didn't match syncookie: %u", value); + goto err; + } + + if (bpf_map_lookup_elem(results_fd, &key_gen, &value_gen) < 0) { + log_err("Can't lookup result"); + goto err; + } + + if (xdp && value_gen == 0) { + // SYN packets do not get passed through generic XDP, skip the + // rest of the test. + printf("Skipping XDP cookie check\n"); + goto out; + } + + if (bpf_map_lookup_elem(results_fd, &key_mss, &value_mss) < 0) { + log_err("Can't lookup result"); + goto err; + } + + if (value != value_gen) { + log_err("BPF generated cookie does not match kernel one"); + goto err; + } + + if (value_mss < 536 || value_mss > USHRT_MAX) { + log_err("Unexpected MSS retrieved"); goto err; } 
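Review bot: in the `run_test` hunk, `if (value == 0)` now treats a zero cookie as "no result" where the old code tested a `value != 1` flag; a genuine cookie of 0 is possible (one in 2^32), so a separate "seen" key or flag slot would make the check exact, even if this is unlikely to bite in practice. The three `log_err("Can't clear results")` messages are identical; include the key in each so a failure is attributable. `goto out` relies on an `out:` label outside this hunk; fine if run_test already has one, but if the previous code only had `err:` this will not compile. The MSS check `value_mss < 536 || value_mss > USHRT_MAX` reads well (536 is the TCP default MSS), and since `value_mss` is a `__u32` the upper bound only catches garbage in the upper 16 bits, which is the intent.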
@@ -163,13 +207,14 @@ int main(int argc, char **argv) int server_v6 = -1; int results = -1; int err = 0; + bool xdp; if (argc < 2) { fprintf(stderr, "Usage: %s prog_id\n", argv[0]); exit(1); } - results = get_map_fd_by_prog_id(atoi(argv[1])); + results = get_map_fd_by_prog_id(atoi(argv[1]), &xdp); if (results < 0) { log_err("Can't get map"); goto err; @@ -194,10 +239,10 @@ int main(int argc, char **argv) if (server_v6 == -1) goto err; - if (run_test(server, results)) + if (run_test(server, results, xdp)) goto err; - if (run_test(server_v6, results)) + if (run_test(server_v6, results, xdp)) goto err; printf("ok\n");
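Review bot: in the `main` hunk, `bool xdp;` is only assigned inside `get_map_fd_by_prog_id` on its success path; a failure jumps to `err` before `run_test` is reached, so it is never read uninitialised today, but `bool xdp = false;` costs nothing and keeps a later reshuffle of the error handling from introducing a garbage read. The two `run_test` call sites are updated consistently with the new signature; nothing else to flag.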