From patchwork Mon Jul 29 16:59:13 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petar Penkov <ppenkov.kernel@gmail.com>
X-Patchwork-Id: 1138531
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="PwTrhs9G"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 45y5Wp3Mz4z9s7T
	for <patchwork-incoming-netdev@ozlabs.org>;
	Tue, 30 Jul 2019 02:59:34 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1728818AbfG2Q7d (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Mon, 29 Jul 2019 12:59:33 -0400
Received: from mail-pf1-f194.google.com ([209.85.210.194]:45907 "EHLO
	mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1728346AbfG2Q7c (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 29 Jul 2019 12:59:32 -0400
Received: by mail-pf1-f194.google.com with SMTP id r1so28329869pfq.12;
	Mon, 29 Jul 2019 09:59:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=DpOVC8gqwK4YWrrBVYqACoZ5/dJGAtrFwzBZYKGC418=;
	b=PwTrhs9GDO2C1lLm5npHbadkws8nichD7hXZAHQynmtQYdjPBSHDndQTMqXusWnuVm
	GkfcNM5Gaq/bY8+z9lb3CSJ0hS4xPQcZZq1hoDvyJHUQavmWwmJNakvyjT/gPiTCd554
	mmAd2ViJ05BMJjRZAG9UdqWyjsnF2S+rwUxvMUlhXDEU/2BJsoW3iEpBsUSMN1q0szZY
	jwtMxcWK91BXcwKNYyICYAHz8XbQH7GMqNoz1S0USxCOlVAgZYzpvF2rcgeW3FHKWLdg
	JPDNobf0rypF4E5w7Lxs0NATV+V5NEZfjqlV8cgvD/ZFZWn8HC+ST0ZJEH54P18ePAXe
	1IRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=DpOVC8gqwK4YWrrBVYqACoZ5/dJGAtrFwzBZYKGC418=;
	b=f2XpmYNNU+L5a8rrEmTgcVTU7J+ozQZ1Vpa/SO/5Ijioan4GH20FEawGO1pIeTxNqv
	ZsNOSebhvgWEDq/5g5xvcvyyLMeDQVrBjIEPCx+ZD6kJwGrqEZOOiAfHvECVTYeZvh8E
	gTjo2ICvYayYB0/vD2ndxl+BHdheuoKLf9FMUI9C53C+eY1ZE707Bh+cbLAXOxKnjUBN
	K3mIO9KE3iUMg4A7lKjVUZB9ynlTlNtO2KVs8QQYCYrXelpZq+izDbxy+gyTxr7J2Bji
	J/LxQh/rxOqcowrATNj18DAmlWhU7rxvRR3MQlTyFEO3yAjuB7ykU4WkRUwf6oTBViGO
	vFeQ==
X-Gm-Message-State: APjAAAVuy3kAz+gNz/9Wsz7O0rJAUw8M2hlEhA62YsxS2xW36KJPybrv
	7gh4SWx9dso8Qe7PbpNo5Zc5DLda
X-Google-Smtp-Source: 
 APXvYqzI2huUC9uz6NqNo+LCkorMVs0NTxflv5ZeGUYlTqVuh3GAHJy+y3N9hRqwhexQK2BbX8G3yg==
X-Received: by 2002:aa7:9513:: with SMTP id
	b19mr37709135pfp.30.1564419571554;
	Mon, 29 Jul 2019 09:59:31 -0700 (PDT)
Received: from ppenkov.svl.corp.google.com
	([2620:15c:2c4:201:7bd4:4f27:abe4:d695])
	by smtp.gmail.com with ESMTPSA id
	i198sm60784651pgd.44.2019.07.29.09.59.30
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Mon, 29 Jul 2019 09:59:31 -0700 (PDT)
From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
	edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
	toke@redhat.com, Petar Penkov <ppenkov@google.com>
Subject: [bpf-next,v2 1/6] tcp: tcp_syn_flood_action read port from socket
Date: Mon, 29 Jul 2019 09:59:13 -0700
Message-Id: <20190729165918.92933-2-ppenkov.kernel@gmail.com>
X-Mailer: git-send-email 2.22.0.709.g102302147b-goog
In-Reply-To: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
References: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Petar Penkov <ppenkov@google.com>

This allows us to call this function before an SKB has been
allocated.

Signed-off-by: Petar Penkov <ppenkov@google.com>
Reviewed-by: Lorenz Bauer <lmb@cloudflare.com>
---
 net/ipv4/tcp_input.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index c21e8a22fb3b..8892df6de1d4 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -6422,9 +6422,7 @@ EXPORT_SYMBOL(inet_reqsk_alloc);
 /*
  * Return true if a syncookie should be sent
  */
-static bool tcp_syn_flood_action(const struct sock *sk,
-				 const struct sk_buff *skb,
-				 const char *proto)
+static bool tcp_syn_flood_action(const struct sock *sk, const char *proto)
 {
 	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
 	const char *msg = "Dropping request";
@@ -6444,7 +6442,7 @@ static bool tcp_syn_flood_action(const struct sock *sk,
 	    net->ipv4.sysctl_tcp_syncookies != 2 &&
 	    xchg(&queue->synflood_warned, 1) == 0)
 		net_info_ratelimited("%s: Possible SYN flooding on port %d. %s.  Check SNMP counters.\n",
-				     proto, ntohs(tcp_hdr(skb)->dest), msg);
+				     proto, sk->sk_num, msg);
 
 	return want_cookie;
 }
@@ -6487,7 +6485,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops,
 	 */
 	if ((net->ipv4.sysctl_tcp_syncookies == 2 ||
 	     inet_csk_reqsk_queue_is_full(sk)) && !isn) {
-		want_cookie = tcp_syn_flood_action(sk, skb, rsk_ops->slab_name);
+		want_cookie = tcp_syn_flood_action(sk, rsk_ops->slab_name);
 		if (!want_cookie)
 			goto drop;
 	}

From patchwork Mon Jul 29 16:59:14 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petar Penkov <ppenkov.kernel@gmail.com>
X-Patchwork-Id: 1138532
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Original-To: incoming-bpf@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=bpf-owner@vger.kernel.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="qmKoP6vu"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 45y5Wq1BNMz9sBt
	for <incoming-bpf@patchwork.ozlabs.org>;
	Tue, 30 Jul 2019 02:59:35 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1728346AbfG2Q7e (ORCPT
	<rfc822;incoming-bpf@patchwork.ozlabs.org>);
	Mon, 29 Jul 2019 12:59:34 -0400
Received: from mail-pf1-f193.google.com ([209.85.210.193]:41031 "EHLO
	mail-pf1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1728808AbfG2Q7d (ORCPT <rfc822; bpf@vger.kernel.org>);
	Mon, 29 Jul 2019 12:59:33 -0400
Received: by mail-pf1-f193.google.com with SMTP id m30so28348366pff.8;
	Mon, 29 Jul 2019 09:59:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=+heWdKVZ67A1KrVZPfXJxz5dwOLJLsGom0bgqbhOGtw=;
	b=qmKoP6vuvj5oCwratwF53+jGyCAVigSB3pJmxu7fC6LfA5CQRuNSS9dctF6NyQQPL9
	c204QY04xWmCy8vuYeJwbIuck0KqueANaXQ7DFPPyH0tM1+uFoOhO8WvJnXhYq5UjMwJ
	kWE8xwvwcidQREENi1WLdfzSIJEEluurfFKEmCbPn2gg5q03cWGMHPPQRg/MzGmkPTDC
	5rTilKfk1MOHWJujVYtOJ8EylomYYxyDnBG9GEYtVAHDUIMqarwEzLQkrAEp5b5IMt0T
	uni1qW2g/I1vZHLKWkmXjT0sxe8Ixs10OaMLCYVxCnjTlQ4or5yKCy4CMIsiHdXN96Vp
	vvPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=+heWdKVZ67A1KrVZPfXJxz5dwOLJLsGom0bgqbhOGtw=;
	b=RVYYXrMrAU8t20ps1PWZK0SnKfIejtG41rqKmc7onAJabnteOhWFl8cyNP2WRClWz9
	puIrPlmLb/D/fcCuGtb1RE09VqU+JRr2qOKWvlE+/ydSfdTaa1zwmKcAapB/nrVD/A/z
	Ue8FCAUq0iPAiy3ybEBTyS0EG4gQa/y3yFSBVPXg5apdbf4vafm0Lbt5U88KHQMor9Nc
	yR4ljtNbwNipiBHr1IjOovTrLh7EHlzUp6GIkPhBtNC3EgjDBWheMRZG/xyVRkJ2yKXv
	MlL8I90jvIkeJUWsbMQ3hmz5OBlhDHLvu//saQpKV9f5pdd8DFS9sFaVD8E+DYFCDuPk
	igEA==
X-Gm-Message-State: APjAAAVpCCmU6Cly7tojiDGMlyw84lXlKbHatzWYio1XDk0pn6L7KB+f
	7Guen1///CsutnjRX8oaNfkp1ws2
X-Google-Smtp-Source: 
 APXvYqyATkKV5qrIhtHaYHGAKz4iYr7rkz4y6dn+FZBlwI90UGEEtbEyg7YxfXGHiNsRdILn6/lKHQ==
X-Received: by 2002:a63:5452:: with SMTP id
	e18mr88891843pgm.232.1564419572272;
	Mon, 29 Jul 2019 09:59:32 -0700 (PDT)
Received: from ppenkov.svl.corp.google.com
	([2620:15c:2c4:201:7bd4:4f27:abe4:d695])
	by smtp.gmail.com with ESMTPSA id
	i198sm60784651pgd.44.2019.07.29.09.59.31
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Mon, 29 Jul 2019 09:59:31 -0700 (PDT)
From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
	edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
	toke@redhat.com, Petar Penkov <ppenkov@google.com>
Subject: [bpf-next,v2 2/6] tcp: add skb-less helpers to retrieve SYN cookie
Date: Mon, 29 Jul 2019 09:59:14 -0700
Message-Id: <20190729165918.92933-3-ppenkov.kernel@gmail.com>
X-Mailer: git-send-email 2.22.0.709.g102302147b-goog
In-Reply-To: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
References: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
MIME-Version: 1.0
Sender: bpf-owner@vger.kernel.org
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org

From: Petar Penkov <ppenkov@google.com>

This patch allows generation of a SYN cookie before an SKB has been
allocated, as is the case at XDP.

Signed-off-by: Petar Penkov <ppenkov@google.com>
Reviewed-by: Lorenz Bauer <lmb@cloudflare.com>
---
 include/net/tcp.h    | 10 ++++++
 net/ipv4/tcp_input.c | 73 ++++++++++++++++++++++++++++++++++++++++++++
 net/ipv4/tcp_ipv4.c  | 15 +++++++++
 net/ipv6/tcp_ipv6.c  | 15 +++++++++
 4 files changed, 113 insertions(+)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index e5cf514ba118..fb7e153aecc5 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -414,6 +414,16 @@ void tcp_parse_options(const struct net *net, const struct sk_buff *skb,
 		       int estab, struct tcp_fastopen_cookie *foc);
 const u8 *tcp_parse_md5sig_option(const struct tcphdr *th);
 
+/*
+ *	BPF SKB-less helpers
+ */
+u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph,
+			 struct tcphdr *th, u32 *cookie);
+u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph,
+			 struct tcphdr *th, u32 *cookie);
+u16 tcp_get_syncookie_mss(struct request_sock_ops *rsk_ops,
+			  const struct tcp_request_sock_ops *af_ops,
+			  struct sock *sk, struct tcphdr *th);
 /*
  *	TCP v4 functions exported for the inet6 API
  */
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 8892df6de1d4..706cbb3b2986 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3782,6 +3782,49 @@ static void smc_parse_options(const struct tcphdr *th,
 #endif
 }
 
+/* Try to parse the MSS option from the TCP header. Return 0 on failure, clamped
+ * value on success.
+ */
+static u16 tcp_parse_mss_option(const struct tcphdr *th, u16 user_mss)
+{
+	const unsigned char *ptr = (const unsigned char *)(th + 1);
+	int length = (th->doff * 4) - sizeof(struct tcphdr);
+	u16 mss = 0;
+
+	while (length > 0) {
+		int opcode = *ptr++;
+		int opsize;
+
+		switch (opcode) {
+		case TCPOPT_EOL:
+			return mss;
+		case TCPOPT_NOP:	/* Ref: RFC 793 section 3.1 */
+			length--;
+			continue;
+		default:
+			if (length < 2)
+				return mss;
+			opsize = *ptr++;
+			if (opsize < 2) /* "silly options" */
+				return mss;
+			if (opsize > length)
+				return mss;	/* fail on partial options */
+			if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS) {
+				u16 in_mss = get_unaligned_be16(ptr);
+
+				if (in_mss) {
+					if (user_mss && user_mss < in_mss)
+						in_mss = user_mss;
+					mss = in_mss;
+				}
+			}
+			ptr += opsize - 2;
+			length -= opsize;
+		}
+	}
+	return mss;
+}
+
 /* Look for tcp options. Normally only called on SYN and SYNACK packets.
  * But, this can also be called on packets in the established flow when
  * the fast version below fails.
@@ -6464,6 +6507,36 @@ static void tcp_reqsk_record_syn(const struct sock *sk,
 	}
 }
 
+/* If a SYN cookie is required and supported, returns a clamped MSS value to be
+ * used for SYN cookie generation.
+ */
+u16 tcp_get_syncookie_mss(struct request_sock_ops *rsk_ops,
+			  const struct tcp_request_sock_ops *af_ops,
+			  struct sock *sk, struct tcphdr *th)
+{
+	struct tcp_sock *tp = tcp_sk(sk);
+	u16 mss;
+
+	if (sock_net(sk)->ipv4.sysctl_tcp_syncookies != 2 &&
+	    !inet_csk_reqsk_queue_is_full(sk))
+		return 0;
+
+	if (!tcp_syn_flood_action(sk, rsk_ops->slab_name))
+		return 0;
+
+	if (sk_acceptq_is_full(sk)) {
+		NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
+		return 0;
+	}
+
+	mss = tcp_parse_mss_option(th, tp->rx_opt.user_mss);
+	if (!mss)
+		mss = af_ops->mss_clamp;
+
+	return mss;
+}
+EXPORT_SYMBOL_GPL(tcp_get_syncookie_mss);
+
 int tcp_conn_request(struct request_sock_ops *rsk_ops,
 		     const struct tcp_request_sock_ops *af_ops,
 		     struct sock *sk, struct sk_buff *skb)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index d57641cb3477..10217393cda6 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1515,6 +1515,21 @@ static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb)
 	return sk;
 }
 
+u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph,
+			 struct tcphdr *th, u32 *cookie)
+{
+	u16 mss = 0;
+#ifdef CONFIG_SYN_COOKIES
+	mss = tcp_get_syncookie_mss(&tcp_request_sock_ops,
+				    &tcp_request_sock_ipv4_ops, sk, th);
+	if (mss) {
+		*cookie = __cookie_v4_init_sequence(iph, th, &mss);
+		tcp_synq_overflow(sk);
+	}
+#endif
+	return mss;
+}
+
 /* The socket must have it's spinlock held when we get
  * here, unless it is a TCP_LISTEN socket.
  *
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 5da069e91cac..87f44d3250ee 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1063,6 +1063,21 @@ static struct sock *tcp_v6_cookie_check(struct sock *sk, struct sk_buff *skb)
 	return sk;
 }
 
+u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph,
+			 struct tcphdr *th, u32 *cookie)
+{
+	u16 mss = 0;
+#ifdef CONFIG_SYN_COOKIES
+	mss = tcp_get_syncookie_mss(&tcp6_request_sock_ops,
+				    &tcp_request_sock_ipv6_ops, sk, th);
+	if (mss) {
+		*cookie = __cookie_v6_init_sequence(iph, th, &mss);
+		tcp_synq_overflow(sk);
+	}
+#endif
+	return mss;
+}
+
 static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 {
 	if (skb->protocol == htons(ETH_P_IP))

From patchwork Mon Jul 29 16:59:15 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petar Penkov <ppenkov.kernel@gmail.com>
X-Patchwork-Id: 1138539
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Original-To: incoming-bpf@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=bpf-owner@vger.kernel.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="nie5mf+N"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 45y5Wy1nF1z9s7T
	for <incoming-bpf@patchwork.ozlabs.org>;
	Tue, 30 Jul 2019 02:59:42 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1728981AbfG2Q7k (ORCPT
	<rfc822;incoming-bpf@patchwork.ozlabs.org>);
	Mon, 29 Jul 2019 12:59:40 -0400
Received: from mail-pg1-f195.google.com ([209.85.215.195]:46586 "EHLO
	mail-pg1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1727487AbfG2Q7d (ORCPT <rfc822; bpf@vger.kernel.org>);
	Mon, 29 Jul 2019 12:59:33 -0400
Received: by mail-pg1-f195.google.com with SMTP id k189so9516795pgk.13;
	Mon, 29 Jul 2019 09:59:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=ClW+0hpgqgiDIXEC4dPRtbYibKS9Vk0HSZ+hghtMn6g=;
	b=nie5mf+NuGyPzY1gzyL1l6WRjhaUUxl5T23zo0WKY0lJA91FU/plPGShalk56FBJm4
	lHEHPoy0ebk7Zs/zJcoXMwLAIBR1TP/2e4Zwi57+50q1TOX5+omu0V2MYi6yVZKHaH0A
	aCaG7Szk7IkRTSg6beNTvEdexfrQVy0WXAlsrQAWmWpPGPJBncyJ9NXtKH0XcCiKS3lt
	ZaO140A7Bqczneafsl4DUt9rMz+6yGOauPLf9YtAGV2VETGTwORhhHKczt5ScUQszm6R
	9KB6S/i3hDCu+R2iAeeDU3klpc8Qhm+KQlTpJMvLs9qQABSIR5cdtgOaEqqb9dj2URFV
	yHiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=ClW+0hpgqgiDIXEC4dPRtbYibKS9Vk0HSZ+hghtMn6g=;
	b=AciqKPlrkbpVyHFU/ihTSW7DlTUkjclP72iZRyz4r0Id0D5pTViVI9L25Gi3Rj9cQ/
	CsUcGxiaPpFyL6V49nEbtMr58ldSP4/UMyW1QceYqf4RRuTp+AF+s6d3j8TyAoaum6Ji
	3FR8hZgxxEnCwUAqT6BXdW63GZc8fib12k+xUmKGeVdCHMT2d9oTVhjKV/W+CeJc/zU7
	8SK/xxOLaGrOMOnNsDIMsYdBU+s1p38/soKh8IyDSxgi68hWhZZbI8She2hWlOOQ7Toi
	atOVlsPFOkgVqrGE4gmJOhfoa1vmatahSVOcpCVSXRxfGr5NyhAzkNkw5xuxlpgmi8RB
	NPfw==
X-Gm-Message-State: APjAAAUdF1ohUJWe28Gmj76RIBsnLp6r/tI4EcawFUTMvEzbr5HGSv9/
	H/8IKIxyldqUdjn6DiHmHSPdHQm9
X-Google-Smtp-Source: 
 APXvYqw2i+m9jr9PD6Y9n69WD3ZneGseTxiWFqDC5SWt+CJUi7kJs0NAoKnwHSvwEgTJcFm6d7VFTQ==
X-Received: by 2002:aa7:8201:: with SMTP id k1mr36632220pfi.97.1564419573167;
	Mon, 29 Jul 2019 09:59:33 -0700 (PDT)
Received: from ppenkov.svl.corp.google.com
	([2620:15c:2c4:201:7bd4:4f27:abe4:d695])
	by smtp.gmail.com with ESMTPSA id
	i198sm60784651pgd.44.2019.07.29.09.59.32
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Mon, 29 Jul 2019 09:59:32 -0700 (PDT)
From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
	edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
	toke@redhat.com, Petar Penkov <ppenkov@google.com>
Subject: [bpf-next,v2 3/6] bpf: add bpf_tcp_gen_syncookie helper
Date: Mon, 29 Jul 2019 09:59:15 -0700
Message-Id: <20190729165918.92933-4-ppenkov.kernel@gmail.com>
X-Mailer: git-send-email 2.22.0.709.g102302147b-goog
In-Reply-To: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
References: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
MIME-Version: 1.0
Sender: bpf-owner@vger.kernel.org
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org

From: Petar Penkov <ppenkov@google.com>

This helper function allows BPF programs to try to generate SYN
cookies, given a reference to a listener socket. The function works
from XDP and with an skb context since bpf_skc_lookup_tcp can lookup a
socket in both cases.

Signed-off-by: Petar Penkov <ppenkov@google.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Lorenz Bauer <lmb@cloudflare.com>
---
 include/uapi/linux/bpf.h | 30 ++++++++++++++++-
 net/core/filter.c        | 73 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index e985f07a98ed..5a54f1011db8 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -2713,6 +2713,33 @@ union bpf_attr {
  *		**-EPERM** if no permission to send the *sig*.
  *
  *		**-EAGAIN** if bpf program can try again.
+ *
+ * s64 bpf_tcp_gen_syncookie(struct bpf_sock *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len)
+ *	Description
+ *		Try to issue a SYN cookie for the packet with corresponding
+ *		IP/TCP headers, *iph* and *th*, on the listening socket in *sk*.
+ *
+ *		*iph* points to the start of the IPv4 or IPv6 header, while
+ *		*iph_len* contains **sizeof**\ (**struct iphdr**) or
+ *		**sizeof**\ (**struct ip6hdr**).
+ *
+ *		*th* points to the start of the TCP header, while *th_len*
+ *		contains the length of the TCP header.
+ *
+ *	Return
+ *		On success, lower 32 bits hold the generated SYN cookie in
+ *		followed by 16 bits which hold the MSS value for that cookie,
+ *		and the top 16 bits are unused.
+ *
+ *		On failure, the returned value is one of the following:
+ *
+ *		**-EINVAL** SYN cookie cannot be issued due to error
+ *
+ *		**-ENOENT** SYN cookie should not be issued (no SYN flood)
+ *
+ *		**-EOPNOTSUPP** kernel configuration does not enable SYN cookies
+ *
+ *		**-EPROTONOSUPPORT** IP packet version is not 4 or 6
  */
 #define __BPF_FUNC_MAPPER(FN)		\
 	FN(unspec),			\
@@ -2824,7 +2851,8 @@ union bpf_attr {
 	FN(strtoul),			\
 	FN(sk_storage_get),		\
 	FN(sk_storage_delete),		\
-	FN(send_signal),
+	FN(send_signal),		\
+	FN(tcp_gen_syncookie),
 
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
  * function eBPF program intends to call
diff --git a/net/core/filter.c b/net/core/filter.c
index 3961437ccc50..d7848d6944ff 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5850,6 +5850,75 @@ static const struct bpf_func_proto bpf_tcp_check_syncookie_proto = {
 	.arg5_type	= ARG_CONST_SIZE,
 };
 
+BPF_CALL_5(bpf_tcp_gen_syncookie, struct sock *, sk, void *, iph, u32, iph_len,
+	   struct tcphdr *, th, u32, th_len)
+{
+#ifdef CONFIG_SYN_COOKIES
+	u32 cookie;
+	u16 mss;
+
+	if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4))
+		return -EINVAL;
+
+	if (sk->sk_protocol != IPPROTO_TCP || sk->sk_state != TCP_LISTEN)
+		return -EINVAL;
+
+	if (!sock_net(sk)->ipv4.sysctl_tcp_syncookies)
+		return -ENOENT;
+
+	if (!th->syn || th->ack || th->fin || th->rst)
+		return -EINVAL;
+
+	if (unlikely(iph_len < sizeof(struct iphdr)))
+		return -EINVAL;
+
+	/* Both struct iphdr and struct ipv6hdr have the version field at the
+	 * same offset so we can cast to the shorter header (struct iphdr).
+	 */
+	switch (((struct iphdr *)iph)->version) {
+	case 4:
+		if (sk->sk_family == AF_INET6 && sk->sk_ipv6only)
+			return -EINVAL;
+
+		mss = tcp_v4_get_syncookie(sk, iph, th, &cookie);
+		break;
+
+#if IS_BUILTIN(CONFIG_IPV6)
+	case 6:
+		if (unlikely(iph_len < sizeof(struct ipv6hdr)))
+			return -EINVAL;
+
+		if (sk->sk_family != AF_INET6)
+			return -EINVAL;
+
+		mss = tcp_v6_get_syncookie(sk, iph, th, &cookie);
+		break;
+#endif /* CONFIG_IPV6 */
+
+	default:
+		return -EPROTONOSUPPORT;
+	}
+	if (mss <= 0)
+		return -ENOENT;
+
+	return cookie | ((u64)mss << 32);
+#else
+	return -EOPNOTSUPP;
+#endif /* CONFIG_SYN_COOKIES */
+}
+
+static const struct bpf_func_proto bpf_tcp_gen_syncookie_proto = {
+	.func		= bpf_tcp_gen_syncookie,
+	.gpl_only	= true, /* __cookie_v*_init_sequence() is GPL */
+	.pkt_access	= true,
+	.ret_type	= RET_INTEGER,
+	.arg1_type	= ARG_PTR_TO_SOCK_COMMON,
+	.arg2_type	= ARG_PTR_TO_MEM,
+	.arg3_type	= ARG_CONST_SIZE,
+	.arg4_type	= ARG_PTR_TO_MEM,
+	.arg5_type	= ARG_CONST_SIZE,
+};
+
 #endif /* CONFIG_INET */
 
 bool bpf_helper_changes_pkt_data(void *func)
@@ -6139,6 +6208,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 		return &bpf_tcp_check_syncookie_proto;
 	case BPF_FUNC_skb_ecn_set_ce:
 		return &bpf_skb_ecn_set_ce_proto;
+	case BPF_FUNC_tcp_gen_syncookie:
+		return &bpf_tcp_gen_syncookie_proto;
 #endif
 	default:
 		return bpf_base_func_proto(func_id);
@@ -6178,6 +6249,8 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 		return &bpf_xdp_skc_lookup_tcp_proto;
 	case BPF_FUNC_tcp_check_syncookie:
 		return &bpf_tcp_check_syncookie_proto;
+	case BPF_FUNC_tcp_gen_syncookie:
+		return &bpf_tcp_gen_syncookie_proto;
 #endif
 	default:
 		return bpf_base_func_proto(func_id);

From patchwork Mon Jul 29 16:59:16 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petar Penkov <ppenkov.kernel@gmail.com>
X-Patchwork-Id: 1138536
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="KZcbmtfU"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 45y5Wv3SzGz9s7T
	for <patchwork-incoming-netdev@ozlabs.org>;
	Tue, 30 Jul 2019 02:59:39 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1728975AbfG2Q7h (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Mon, 29 Jul 2019 12:59:37 -0400
Received: from mail-pg1-f193.google.com ([209.85.215.193]:36347 "EHLO
	mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1727899AbfG2Q7f (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 29 Jul 2019 12:59:35 -0400
Received: by mail-pg1-f193.google.com with SMTP id l21so28556806pgm.3;
	Mon, 29 Jul 2019 09:59:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=ksAzpj+KHDgXM/KyHUhWdINlogi/v++p7bhxJ+uB+bY=;
	b=KZcbmtfU13yKDgR+wr4hrSs3l1bzNUqaysOi4UcdhaPa+nOtHqJh+BlLkYZPfBOODV
	4b4QtCCt20bE+3gR1SzIxrVZ8nqvBANg06ig9tbiG4YyP8qTtEBLJp8K2pSE8rQrES60
	IB6/yqYIVHU6n6sggJZ735/Y8Rxr23I6Byd6Qbe0L527ZmWlHYjYNxe9Rta6Ft1hRHAM
	E17kzQvP5J3op9BAIw7tIpZeamPHCZIEi2/SRaZkcc5cphDapp0+zICqTJdq8VdyaRq4
	levzJMW+nU804yxGlSiON88C8TeBWWQTDQwpM5+LnFGOqdgpQ5D5qIQIpmCIYtQxeXyj
	0Dwg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=ksAzpj+KHDgXM/KyHUhWdINlogi/v++p7bhxJ+uB+bY=;
	b=f4DpqsAMV+BV+jVXAHSQdOIasoVJDqdpL+1HrNreskLiiata6KhGxoUZ3CqrcjIYOy
	kOSHuyOE7Ji3I6At/f+AzQIQtrB/uUNEIo3OVPZbr9LpHfNuqsyNlmiycAjWhMjVMlKL
	lFCgBWdsk/ckDi6DMlT5whnQYe/CYzDdE2rPjdssJ1fX6DH6yammPu/bNBhNEtDXJj5R
	HB9vO8lVhG/NlfoU/NXvrAvqm0MiEY9hRuZEsdSmIhkMvW5BBvJRXBjQQP69DN3aQs3q
	/jsQRdGITYaNUCRIodONBhci8bIli0AJZySUumI5q18lUuNz74nd1JaRFSGFrdaVGNM7
	BUBg==
X-Gm-Message-State: APjAAAWMSvwcZCVKNFpJQ+x9mEjpzyBhV81baSlsHHgFgB61DVrGzSOB
	yR+GQyu2pKOoXjVpeE6CI2fKNb5R
X-Google-Smtp-Source: 
 APXvYqzSCNm51zetNwMUIh16uDoEJvr4tHpnbscqVUF01ity5U3L4R9PQyuX+CGHtBcOyaeCRqQZAw==
X-Received: by 2002:a65:56c1:: with SMTP id
	w1mr103441040pgs.395.1564419573929;
	Mon, 29 Jul 2019 09:59:33 -0700 (PDT)
Received: from ppenkov.svl.corp.google.com
	([2620:15c:2c4:201:7bd4:4f27:abe4:d695])
	by smtp.gmail.com with ESMTPSA id
	i198sm60784651pgd.44.2019.07.29.09.59.33
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Mon, 29 Jul 2019 09:59:33 -0700 (PDT)
From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
	edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
	toke@redhat.com, Petar Penkov <ppenkov@google.com>
Subject: [bpf-next,v2 4/6] bpf: sync bpf.h to tools/
Date: Mon, 29 Jul 2019 09:59:16 -0700
Message-Id: <20190729165918.92933-5-ppenkov.kernel@gmail.com>
X-Mailer: git-send-email 2.22.0.709.g102302147b-goog
In-Reply-To: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
References: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Petar Penkov <ppenkov@google.com>

Sync updated documentation for bpf_redirect_map.

Sync the bpf_tcp_gen_syncookie helper function definition with the one
in tools/uapi.

Signed-off-by: Petar Penkov <ppenkov@google.com>
Reviewed-by: Lorenz Bauer <lmb@cloudflare.com>
---
 tools/include/uapi/linux/bpf.h | 37 +++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 3d7fc67ec1b8..5a54f1011db8 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -1571,8 +1571,11 @@ union bpf_attr {
  * 		but this is only implemented for native XDP (with driver
  * 		support) as of this writing).
  *
- * 		All values for *flags* are reserved for future usage, and must
- * 		be left at zero.
+ * 		The lower two bits of *flags* are used as the return code if
+ * 		the map lookup fails. This is so that the return value can be
+ * 		one of the XDP program return codes up to XDP_TX, as chosen by
+ * 		the caller. Any higher bits in the *flags* argument must be
+ * 		unset.
  *
  * 		When used to redirect packets to net devices, this helper
  * 		provides a high performance increase over **bpf_redirect**\ ().
@@ -2710,6 +2713,33 @@ union bpf_attr {
  *		**-EPERM** if no permission to send the *sig*.
  *
  *		**-EAGAIN** if bpf program can try again.
+ *
+ * s64 bpf_tcp_gen_syncookie(struct bpf_sock *sk, void *iph, u32 iph_len, struct tcphdr *th, u32 th_len)
+ *	Description
+ *		Try to issue a SYN cookie for the packet with corresponding
+ *		IP/TCP headers, *iph* and *th*, on the listening socket in *sk*.
+ *
+ *		*iph* points to the start of the IPv4 or IPv6 header, while
+ *		*iph_len* contains **sizeof**\ (**struct iphdr**) or
+ *		**sizeof**\ (**struct ip6hdr**).
+ *
+ *		*th* points to the start of the TCP header, while *th_len*
+ *		contains the length of the TCP header.
+ *
+ *	Return
+ *		On success, lower 32 bits hold the generated SYN cookie in
+ *		followed by 16 bits which hold the MSS value for that cookie,
+ *		and the top 16 bits are unused.
+ *
+ *		On failure, the returned value is one of the following:
+ *
+ *		**-EINVAL** SYN cookie cannot be issued due to error
+ *
+ *		**-ENOENT** SYN cookie should not be issued (no SYN flood)
+ *
+ *		**-EOPNOTSUPP** kernel configuration does not enable SYN cookies
+ *
+ *		**-EPROTONOSUPPORT** IP packet version is not 4 or 6
  */
 #define __BPF_FUNC_MAPPER(FN)		\
 	FN(unspec),			\
@@ -2821,7 +2851,8 @@ union bpf_attr {
 	FN(strtoul),			\
 	FN(sk_storage_get),		\
 	FN(sk_storage_delete),		\
-	FN(send_signal),
+	FN(send_signal),		\
+	FN(tcp_gen_syncookie),
 
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
  * function eBPF program intends to call

From patchwork Mon Jul 29 16:59:17 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petar Penkov <ppenkov.kernel@gmail.com>
X-Patchwork-Id: 1138534
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Original-To: incoming-bpf@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=bpf-owner@vger.kernel.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="M5NKlwJj"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 45y5Wt0Tz0z9s7T
	for <incoming-bpf@patchwork.ozlabs.org>;
	Tue, 30 Jul 2019 02:59:38 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1728961AbfG2Q7g (ORCPT
	<rfc822;incoming-bpf@patchwork.ozlabs.org>);
	Mon, 29 Jul 2019 12:59:36 -0400
Received: from mail-pl1-f195.google.com ([209.85.214.195]:40650 "EHLO
	mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1728828AbfG2Q7f (ORCPT <rfc822; bpf@vger.kernel.org>);
	Mon, 29 Jul 2019 12:59:35 -0400
Received: by mail-pl1-f195.google.com with SMTP id a93so27693920pla.7;
	Mon, 29 Jul 2019 09:59:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=D+TzFW4RpIKq9WD2DO20S9txmOagqfJIoYXfqJht9nY=;
	b=M5NKlwJjPm2fkyi/zJ78yISUKzXDSUcF1QZgvEx3/g6ccRY+K1Y4HgLpoSIu1DhMc9
	6CJoxJ9tN9etO6mG7C0lEDT1d8bEx3LsHtOogk8o8tSIhHPBSckpIuNRGv6a42N4iok3
	YrlaKFESssRQrsi9N5Ply5/qUBMe4G02PjdjpPpgx8zIKnTM2mH1W+F6pvZ91MFYUdPy
	lh6eE4h5Qs0qgTF+8/KzXuXw1x/NrZYMlgf7BPFBVMEH3Xmfs9B1GCRSNSfZmPaTFGKb
	2y0gOAgAT4KfX/3mBf0KkiDCDQyb679q6QEIxkGHHF0zzPlSv53jxo33b0h1aWBiNVLI
	dqRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=D+TzFW4RpIKq9WD2DO20S9txmOagqfJIoYXfqJht9nY=;
	b=FN0cZDZoKHHo1/7nt6/wYTysVURTFtwPNrOBoPhhuCpbSG7atyx9voV3owJDLXk7AY
	n7NCezyiNsqUtvgC+z/XyBSS6vtWMjLZ84/vgqQ4l2REOd3HzhxpcL9RoB5oAWV0U3PV
	veAdiC6JFTqGtiWe+XDWdakpTrJ1sAsSzppC0pjkp73jNdz706qQ89dFl+xzEyJt4mzW
	gkYDTjMMDWG6Hz720X7BaBteKwk5sLA+U8rOcTz6OYp031HZDooLhytrk6uodl0YzF+y
	ZHYsoztmTmJRRxOYy/JnkjH5e4DpIJOEtqFPw+I0Qztn33riTDsPN+rCVmwVA5DFdsaD
	OSDw==
X-Gm-Message-State: APjAAAVNUzxrSKYmn9tuFRqRqpiC8e/o2YxmpDNbtpftwqAMvCDXakL4
	58D8hRaJzIpHHLcvREXhDuTS65C8
X-Google-Smtp-Source: 
 APXvYqzujjWDuoHNjuek9zlIVpsU+gp4rrTesamLeRI5jcIE5FHu/bwMJ4Exz/U/D9J4iYQ72AFiSw==
X-Received: by 2002:a17:902:7288:: with SMTP id
	d8mr27304060pll.133.1564419574724;
	Mon, 29 Jul 2019 09:59:34 -0700 (PDT)
Received: from ppenkov.svl.corp.google.com
	([2620:15c:2c4:201:7bd4:4f27:abe4:d695])
	by smtp.gmail.com with ESMTPSA id
	i198sm60784651pgd.44.2019.07.29.09.59.34
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Mon, 29 Jul 2019 09:59:34 -0700 (PDT)
From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
	edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
	toke@redhat.com, Petar Penkov <ppenkov@google.com>
Subject: [bpf-next, v2 5/6] selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers
Date: Mon, 29 Jul 2019 09:59:17 -0700
Message-Id: <20190729165918.92933-6-ppenkov.kernel@gmail.com>
X-Mailer: git-send-email 2.22.0.709.g102302147b-goog
In-Reply-To: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
References: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
MIME-Version: 1.0
Sender: bpf-owner@vger.kernel.org
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org

From: Petar Penkov <ppenkov@google.com>

Expose bpf_tcp_gen_syncookie to selftests.

Signed-off-by: Petar Penkov <ppenkov@google.com>
Reviewed-by: Lorenz Bauer <lmb@cloudflare.com>
---
 tools/testing/selftests/bpf/bpf_helpers.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h
index f804f210244e..120aa86c58d3 100644
--- a/tools/testing/selftests/bpf/bpf_helpers.h
+++ b/tools/testing/selftests/bpf/bpf_helpers.h
@@ -228,6 +228,9 @@ static void *(*bpf_sk_storage_get)(void *map, struct bpf_sock *sk,
 static int (*bpf_sk_storage_delete)(void *map, struct bpf_sock *sk) =
 	(void *)BPF_FUNC_sk_storage_delete;
 static int (*bpf_send_signal)(unsigned sig) = (void *)BPF_FUNC_send_signal;
+static long long (*bpf_tcp_gen_syncookie)(struct bpf_sock *sk, void *ip,
+					  int ip_len, void *tcp, int tcp_len) =
+	(void *) BPF_FUNC_tcp_gen_syncookie;
 
 /* llvm builtin functions that eBPF C program may use to
  * emit BPF_LD_ABS and BPF_LD_IND instructions

From patchwork Mon Jul 29 16:59:18 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Petar Penkov <ppenkov.kernel@gmail.com>
X-Patchwork-Id: 1138538
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <bpf-owner@vger.kernel.org>
X-Original-To: incoming-bpf@patchwork.ozlabs.org
Delivered-To: patchwork-incoming-bpf@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=bpf-owner@vger.kernel.org; receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="AkrdyvnM"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 45y5Wx4B4fz9sBt
	for <incoming-bpf@patchwork.ozlabs.org>;
	Tue, 30 Jul 2019 02:59:41 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1728828AbfG2Q7j (ORCPT
	<rfc822;incoming-bpf@patchwork.ozlabs.org>);
	Mon, 29 Jul 2019 12:59:39 -0400
Received: from mail-pl1-f177.google.com ([209.85.214.177]:35347 "EHLO
	mail-pl1-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1728808AbfG2Q7g (ORCPT <rfc822; bpf@vger.kernel.org>);
	Mon, 29 Jul 2019 12:59:36 -0400
Received: by mail-pl1-f177.google.com with SMTP id w24so27741150plp.2;
	Mon, 29 Jul 2019 09:59:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:mime-version:content-transfer-encoding;
	bh=xphI6JZ/4VEeh2wSAzMPoVPbDD54bxmWPp69hdwyHKo=;
	b=AkrdyvnMujBZVflAuy5SEgVOwP8ATpb5Kpzb14bm8r8JyaTdE1lD5YKjMx1EpTZuk4
	+rkcE37eJHVogQHACogF6Du6y2BBzQLqR8zgM4Vw4QM6TcDpezf2jGh0jVo2PalmvING
	DQ6GX9iyRcnO99kQbOrKMjuRIAZScJJFXbdTeGeanmyxY+SVHx6cBEfBXBEWYvDehUY0
	q+tmKLrUxGDfMhaVX29lzNhEDVEPjB6Dr/kJ200hDlCObkeqT8Bu77XZIP471O5/H4BH
	inZPlI7gSwr3rIjgvPFyWBAYERkK4+8fGQOZJDEiX9E6rICWRJKmXdIZF3omrn24G1nO
	Lzhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:mime-version:content-transfer-encoding;
	bh=xphI6JZ/4VEeh2wSAzMPoVPbDD54bxmWPp69hdwyHKo=;
	b=jITisYl+zteAaWyRgh1MoP5Y7SE1VlaFmSK1u66BFpOTAorMPqZlRqjlMOxYT/WNO+
	OImBn6HhsnhiYD7QAjYFcVbacXtdk23OZUsltndxHkd3De5rveU9PNFyp64K0VYzzmmR
	mO3iSLBSHpdSpKzU2hpNi6xiAARu6IWw9Sn9YSTw3t/rlOg0ZW2lYxM+dfAu7gAI06s1
	X2MR8IoC6AL30L9u0kLWDciyVMBpGNy5HWO15bV5Xis558QaCW371c0z0tKfMJyF7V2k
	cM5Eps51ebUKhaJQ84G09gtOpeIll0a3icIW85C/5cE1cKr0C3fvlod5FW5k/GnGYjBG
	xfVw==
X-Gm-Message-State: APjAAAXokjthcabtdhisxy3eXTIOEdZdV1D1TI9bPIY6DVy6m9JtLeIy
	iFvcDrePax8RyQORuQ1NCmfPgO6Q
X-Google-Smtp-Source: 
 APXvYqzECqmLH95auX452SZdWcpl4NOQg7LJwyCVMUg1FUd32WHb52EazEqvYaa8/BmebI1CDk2pIA==
X-Received: by 2002:a17:902:9346:: with SMTP id
	g6mr110854238plp.61.1564419575470;
	Mon, 29 Jul 2019 09:59:35 -0700 (PDT)
Received: from ppenkov.svl.corp.google.com
	([2620:15c:2c4:201:7bd4:4f27:abe4:d695])
	by smtp.gmail.com with ESMTPSA id
	i198sm60784651pgd.44.2019.07.29.09.59.34
	(version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256);
	Mon, 29 Jul 2019 09:59:35 -0700 (PDT)
From: Petar Penkov <ppenkov.kernel@gmail.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
	edumazet@google.com, lmb@cloudflare.com, sdf@google.com,
	toke@redhat.com, Petar Penkov <ppenkov@google.com>
Subject: [bpf-next, v2 6/6] selftests/bpf: add test for bpf_tcp_gen_syncookie
Date: Mon, 29 Jul 2019 09:59:18 -0700
Message-Id: <20190729165918.92933-7-ppenkov.kernel@gmail.com>
X-Mailer: git-send-email 2.22.0.709.g102302147b-goog
In-Reply-To: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
References: <20190729165918.92933-1-ppenkov.kernel@gmail.com>
MIME-Version: 1.0
Sender: bpf-owner@vger.kernel.org
Precedence: bulk
List-ID: <bpf.vger.kernel.org>
X-Mailing-List: bpf@vger.kernel.org

From: Petar Penkov <ppenkov@google.com>

Modify the existing bpf_tcp_check_syncookie test to also generate a
SYN cookie, pass the packet to the kernel, and verify that the two
cookies are the same (and both valid). Since cloned SKBs are skipped
during generic XDP, this test does not issue a SYN cookie when run in
XDP mode. We therefore only check that a valid SYN cookie was issued at
the TC hook.

Additionally, verify that the MSS for that SYN cookie is within
expected range.

Signed-off-by: Petar Penkov <ppenkov@google.com>
Reviewed-by: Lorenz Bauer <lmb@cloudflare.com>
---
 .../bpf/progs/test_tcp_check_syncookie_kern.c | 48 +++++++++++++--
 .../selftests/bpf/test_tcp_check_syncookie.sh |  3 +
 .../bpf/test_tcp_check_syncookie_user.c       | 61 ++++++++++++++++---
 3 files changed, 99 insertions(+), 13 deletions(-)

diff --git a/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c b/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c
index 1ab095bcacd8..d8803dfa8d32 100644
--- a/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c
+++ b/tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c
@@ -19,10 +19,29 @@
 struct bpf_map_def SEC("maps") results = {
 	.type = BPF_MAP_TYPE_ARRAY,
 	.key_size = sizeof(__u32),
-	.value_size = sizeof(__u64),
-	.max_entries = 1,
+	.value_size = sizeof(__u32),
+	.max_entries = 3,
 };
 
+static __always_inline __s64 gen_syncookie(void *data_end, struct bpf_sock *sk,
+					   void *iph, __u32 ip_size,
+					   struct tcphdr *tcph)
+{
+	__u32 thlen = tcph->doff * 4;
+
+	if (tcph->syn && !tcph->ack) {
+		// packet should only have an MSS option
+		if (thlen != 24)
+			return 0;
+
+		if ((void *)tcph + thlen > data_end)
+			return 0;
+
+		return bpf_tcp_gen_syncookie(sk, iph, ip_size, tcph, thlen);
+	}
+	return 0;
+}
+
 static __always_inline void check_syncookie(void *ctx, void *data,
 					    void *data_end)
 {
@@ -33,8 +52,10 @@ static __always_inline void check_syncookie(void *ctx, void *data,
 	struct ipv6hdr *ipv6h;
 	struct tcphdr *tcph;
 	int ret;
+	__u32 key_mss = 2;
+	__u32 key_gen = 1;
 	__u32 key = 0;
-	__u64 value = 1;
+	__s64 seq_mss;
 
 	ethh = data;
 	if (ethh + 1 > data_end)
@@ -66,6 +87,9 @@ static __always_inline void check_syncookie(void *ctx, void *data,
 		if (sk->state != BPF_TCP_LISTEN)
 			goto release;
 
+		seq_mss = gen_syncookie(data_end, sk, ipv4h, sizeof(*ipv4h),
+					tcph);
+
 		ret = bpf_tcp_check_syncookie(sk, ipv4h, sizeof(*ipv4h),
 					      tcph, sizeof(*tcph));
 		break;
@@ -95,6 +119,9 @@ static __always_inline void check_syncookie(void *ctx, void *data,
 		if (sk->state != BPF_TCP_LISTEN)
 			goto release;
 
+		seq_mss = gen_syncookie(data_end, sk, ipv6h, sizeof(*ipv6h),
+					tcph);
+
 		ret = bpf_tcp_check_syncookie(sk, ipv6h, sizeof(*ipv6h),
 					      tcph, sizeof(*tcph));
 		break;
@@ -103,8 +130,19 @@ static __always_inline void check_syncookie(void *ctx, void *data,
 		return;
 	}
 
-	if (ret == 0)
-		bpf_map_update_elem(&results, &key, &value, 0);
+	if (seq_mss > 0) {
+		__u32 cookie = (__u32)seq_mss;
+		__u32 mss = seq_mss >> 32;
+
+		bpf_map_update_elem(&results, &key_gen, &cookie, 0);
+		bpf_map_update_elem(&results, &key_mss, &mss, 0);
+	}
+
+	if (ret == 0) {
+		__u32 cookie = bpf_ntohl(tcph->ack_seq) - 1;
+
+		bpf_map_update_elem(&results, &key, &cookie, 0);
+	}
 
 release:
 	bpf_sk_release(sk);
diff --git a/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh b/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh
index d48e51716d19..9b3617d770a5 100755
--- a/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh
+++ b/tools/testing/selftests/bpf/test_tcp_check_syncookie.sh
@@ -37,6 +37,9 @@ setup()
 	ns1_exec ip link set lo up
 
 	ns1_exec sysctl -w net.ipv4.tcp_syncookies=2
+	ns1_exec sysctl -w net.ipv4.tcp_window_scaling=0
+	ns1_exec sysctl -w net.ipv4.tcp_timestamps=0
+	ns1_exec sysctl -w net.ipv4.tcp_sack=0
 
 	wait_for_ip 127.0.0.1
 	wait_for_ip ::1
diff --git a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c
index 87829c86c746..b9e991d43155 100644
--- a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c
+++ b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c
@@ -2,6 +2,7 @@
 // Copyright (c) 2018 Facebook
 // Copyright (c) 2019 Cloudflare
 
+#include <limits.h>
 #include <string.h>
 #include <stdlib.h>
 #include <unistd.h>
@@ -77,7 +78,7 @@ static int connect_to_server(int server_fd)
 	return fd;
 }
 
-static int get_map_fd_by_prog_id(int prog_id)
+static int get_map_fd_by_prog_id(int prog_id, bool *xdp)
 {
 	struct bpf_prog_info info = {};
 	__u32 info_len = sizeof(info);
@@ -104,6 +105,8 @@ static int get_map_fd_by_prog_id(int prog_id)
 		goto err;
 	}
 
+	*xdp = info.type == BPF_PROG_TYPE_XDP;
+
 	map_fd = bpf_map_get_fd_by_id(map_ids[0]);
 	if (map_fd < 0)
 		log_err("Failed to get fd by map id %d", map_ids[0]);
@@ -113,18 +116,32 @@ static int get_map_fd_by_prog_id(int prog_id)
 	return map_fd;
 }
 
-static int run_test(int server_fd, int results_fd)
+static int run_test(int server_fd, int results_fd, bool xdp)
 {
 	int client = -1, srv_client = -1;
 	int ret = 0;
 	__u32 key = 0;
-	__u64 value = 0;
+	__u32 key_gen = 1;
+	__u32 key_mss = 2;
+	__u32 value = 0;
+	__u32 value_gen = 0;
+	__u32 value_mss = 0;
 
 	if (bpf_map_update_elem(results_fd, &key, &value, 0) < 0) {
 		log_err("Can't clear results");
 		goto err;
 	}
 
+	if (bpf_map_update_elem(results_fd, &key_gen, &value_gen, 0) < 0) {
+		log_err("Can't clear results");
+		goto err;
+	}
+
+	if (bpf_map_update_elem(results_fd, &key_mss, &value_mss, 0) < 0) {
+		log_err("Can't clear results");
+		goto err;
+	}
+
 	client = connect_to_server(server_fd);
 	if (client == -1)
 		goto err;
@@ -140,8 +157,35 @@ static int run_test(int server_fd, int results_fd)
 		goto err;
 	}
 
-	if (value != 1) {
-		log_err("Didn't match syncookie: %llu", value);
+	if (value == 0) {
+		log_err("Didn't match syncookie: %u", value);
+		goto err;
+	}
+
+	if (bpf_map_lookup_elem(results_fd, &key_gen, &value_gen) < 0) {
+		log_err("Can't lookup result");
+		goto err;
+	}
+
+	if (xdp && value_gen == 0) {
+		// SYN packets do not get passed through generic XDP, skip the
+		// rest of the test.
+		printf("Skipping XDP cookie check\n");
+		goto out;
+	}
+
+	if (bpf_map_lookup_elem(results_fd, &key_mss, &value_mss) < 0) {
+		log_err("Can't lookup result");
+		goto err;
+	}
+
+	if (value != value_gen) {
+		log_err("BPF generated cookie does not match kernel one");
+		goto err;
+	}
+
+	if (value_mss < 536 || value_mss > USHRT_MAX) {
+		log_err("Unexpected MSS retrieved");
 		goto err;
 	}
 
@@ -163,13 +207,14 @@ int main(int argc, char **argv)
 	int server_v6 = -1;
 	int results = -1;
 	int err = 0;
+	bool xdp;
 
 	if (argc < 2) {
 		fprintf(stderr, "Usage: %s prog_id\n", argv[0]);
 		exit(1);
 	}
 
-	results = get_map_fd_by_prog_id(atoi(argv[1]));
+	results = get_map_fd_by_prog_id(atoi(argv[1]), &xdp);
 	if (results < 0) {
 		log_err("Can't get map");
 		goto err;
@@ -194,10 +239,10 @@ int main(int argc, char **argv)
 	if (server_v6 == -1)
 		goto err;
 
-	if (run_test(server, results))
+	if (run_test(server, results, xdp))
 		goto err;
 
-	if (run_test(server_v6, results))
+	if (run_test(server_v6, results, xdp))
 		goto err;
 
 	printf("ok\n");