From patchwork Fri Oct 20 21:13:03 2017
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 828802
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: David Miller
Cc: netdev@vger.kernel.org, Eric Dumazet, Yuchung Cheng
Subject: [PATCH v2 net-next] tcp: Enable TFO without a cookie on a per-socket basis
Date: Fri, 20 Oct 2017 14:13:03 -0700
Message-id: <20171020211303.76466-1-cpaasch@apple.com>
X-Mailer: git-send-email 2.14.1
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

We already allow enabling TFO without a cookie by using the fastopen-sysctl and
setting it to TFO_SERVER_COOKIE_NOT_REQD (0x200). This is safe to do in certain
environments where we know that there isn't a malicious host (aka., data-centers).

A server however might be talking to both sides (public Internet and
data-center). So, this server would want to enable cookie-less TFO for the
connections that go to the data-center while enforcing cookies for the traffic
from the Internet.

This patch exposes a socket-option to enable this (protected by CAP_NET_ADMIN).

Signed-off-by: Christoph Paasch
---

Notes:
    v2:
    * Rename to fastopen_no_cookie and TCP_FASTOPEN_NO_COOKIE
    * Add per-route attribute for fastopen_no_cookie
    * Get rid of the capability check

 include/linux/tcp.h            |  3 ++-
 include/net/tcp.h              |  3 ++-
 include/uapi/linux/rtnetlink.h |  2 ++
 include/uapi/linux/tcp.h       |  1 +
 net/ipv4/tcp.c                 | 12 ++++++++++++
 net/ipv4/tcp_fastopen.c        | 14 +++++++++++---
 net/ipv4/tcp_input.c           |  2 +-
 7 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/include/linux/tcp.h b/include/linux/tcp.h index 1d2c44e09e31..173a7c2f9636 100644 --- a/include/linux/tcp.h +++ b/include/linux/tcp.h @@ -215,7 +215,8 @@ struct tcp_sock { u8 chrono_type:2, /* current chronograph type */ rate_app_limited:1, /* rate_{delivered,interval_us} limited? */ fastopen_connect:1, /* FASTOPEN_CONNECT sockopt */ - unused:4; + fastopen_no_cookie:1, /* Allow send/recv SYN+data without a cookie */ + unused:3; u8 nonagle : 4,/* Disable Nagle algorithm? */ thin_lto : 1,/* Use linear timeouts for thin streams */ unused1 : 1, diff --git a/include/net/tcp.h b/include/net/tcp.h index 1efe8365cb28..020b20c3f50a 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h
@@ -1562,7 +1562,8 @@ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk, void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb); struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, struct request_sock *req, - struct tcp_fastopen_cookie *foc); + struct tcp_fastopen_cookie *foc, + const struct dst_entry *dst); void tcp_fastopen_init_key_once(struct net *net); bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, struct tcp_fastopen_cookie *cookie); diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h index dab7dad9e01a..fe6679268901 100644 --- a/include/uapi/linux/rtnetlink.h +++ b/include/uapi/linux/rtnetlink.h @@ -430,6 +430,8 @@ enum { #define RTAX_QUICKACK RTAX_QUICKACK RTAX_CC_ALGO, #define RTAX_CC_ALGO RTAX_CC_ALGO + RTAX_FASTOPEN_NO_COOKIE, +#define RTAX_FASTOPEN_NO_COOKIE RTAX_FASTOPEN_NO_COOKIE __RTAX_MAX }; diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 69c7493e42f8..d67e1d40c6d6 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -120,6 +120,7 @@ enum { #define TCP_ULP 31 /* Attach a ULP to a TCP connection */ #define TCP_MD5SIG_EXT 32 /* TCP MD5 Signature with extensions */ #define TCP_FASTOPEN_KEY 33 /* Set the key for Fast Open (cookie) */ +#define TCP_FASTOPEN_NO_COOKIE 34 /* Enable TFO without a TFO cookie */ struct tcp_repair_opt { __u32 opt_code; diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 8b1fa4dd4538..a3d46a781abd 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2832,6 +2832,14 @@ static int do_tcp_setsockopt(struct sock *sk, int level, err = -EOPNOTSUPP; } break; + case TCP_FASTOPEN_NO_COOKIE: + if (val > 1 || val < 0) + err = -EINVAL; + else if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) + err = -EINVAL; + else + tp->fastopen_no_cookie = 1; + break; case TCP_TIMESTAMP: if (!tp->repair) err = -EPERM; 
@@ -3252,6 +3260,10 @@ static int do_tcp_getsockopt(struct sock *sk, int level, val = tp->fastopen_connect; break; + case TCP_FASTOPEN_NO_COOKIE: + val = tp->fastopen_no_cookie; + break; + case TCP_TIMESTAMP: val = tcp_time_stamp_raw() + tp->tsoffset; break; diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index 21075ce19cb6..e704bd86fdf9 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c @@ -316,7 +316,8 @@ static bool tcp_fastopen_queue_check(struct sock *sk) */ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, struct request_sock *req, - struct tcp_fastopen_cookie *foc) + struct tcp_fastopen_cookie *foc, + const struct dst_entry *dst) { bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1; int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen; @@ -333,7 +334,9 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb, return NULL; } - if (syn_data && (tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD)) + if (syn_data && ((tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD) || + tcp_sk(sk)->fastopen_no_cookie || + (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE)))) goto fastopen; if (foc->len >= 0 && /* Client presents or requests a cookie */ @@ -370,6 +373,7 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, struct tcp_fastopen_cookie *cookie) { unsigned long last_syn_loss = 0; + const struct dst_entry *dst; int syn_loss = 0; tcp_fastopen_cache_get(sk, mss, cookie, &syn_loss, &last_syn_loss); @@ -387,7 +391,11 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss, return false; } - if (sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) { + dst = __sk_dst_get(sk); + + if ((sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) || + tcp_sk(sk)->fastopen_no_cookie || + (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE))) { cookie->len = -1; return true; } diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index b2390bfdc68f..a6cf6407f780 100644 
--- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6329,7 +6329,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, tcp_openreq_init_rwin(req, sk, dst); if (!want_cookie) { tcp_reqsk_record_syn(sk, req, skb); - fastopen_sk = tcp_try_fastopen(sk, skb, req, &foc); + fastopen_sk = tcp_try_fastopen(sk, skb, req, &foc, dst); } if (fastopen_sk) { af_ops->send_synack(fastopen_sk, dst, &fl, req,
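Review bot: in the net/ipv4/tcp.c do_tcp_setsockopt() hunk, `tp->fastopen_no_cookie = 1;` ignores `val`. The range check admits 0 and 1, but passing 0 sets the flag rather than clearing it, so once enabled the option cannot be switched off without closing the socket; this should be `tp->fastopen_no_cookie = val;`. The same hunk has no capability check, matching the v2 note "Get rid of the capability check", yet the commit message still says the option is "protected by CAP_NET_ADMIN"; the message needs updating, and it should state plainly that any unprivileged process owning a listener can now opt that listener out of cookie validation for SYN+data from any source address.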
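Review bot: in the tcp_try_fastopen() hunk of net/ipv4/tcp_fastopen.c, the new `tcp_sk(sk)->fastopen_no_cookie` test sits in the branch that runs before the cookie comparison, and `sk` here is the listener (see the tcp_conn_request() call site), so setting the socket option on a listener accepts SYN data from every peer regardless of source, with a stale or forged cookie never examined. That is not the "cookie-less for the data-center, cookies for the Internet" split the commit message describes; only the `dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE)` path, keyed on the route to the peer, gives that split. The commit message should say which knob provides which scope, and the socket option's description should make clear it is all-or-nothing for the listener.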
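Review bot: the include/uapi/linux/tcp.h and include/uapi/linux/rtnetlink.h hunks add a new socket option (TCP_FASTOPEN_NO_COOKIE, 34) and a new route metric (RTAX_FASTOPEN_NO_COOKIE) to the UAPI, but the diffstat shows no Documentation/ change. The tcp_fastopen sysctl description in Documentation/networking/ip-sysctl.txt should mention both new knobs and their relationship to the 0x4 (TFO_CLIENT_NO_COOKIE) and 0x200 (TFO_SERVER_COOKIE_NOT_REQD) sysctl bits, and the route metric needs a matching iproute2 change to be settable at all.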
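As an added example, not part of this patch or of the kernel tree, the C program below exercises the new socket option from user space and models the server-side acceptance decision the tcp_try_fastopen() hunk implements, so the precedence between the sysctl bit, the listener socket option and the per-route metric can be checked offline. It assumes the TFO_* bit values from include/net/tcp.h (0x200 is the one the commit message cites), TCP_FASTOPEN_NO_COOKIE = 34 from the uapi hunk, and a deliberately simplified policy model (the listener queue check and the SYN-cookie path are left out); the struct and function names are this example's own.

```c
/*
 * Added example (not part of the patch): exercises TCP_FASTOPEN_NO_COOKIE
 * from user space and models the server-side acceptance decision of
 * tcp_try_fastopen() as changed by the patch.
 */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Value from the include/uapi/linux/tcp.h hunk; older libc headers lack it. */
#ifndef TCP_FASTOPEN_NO_COOKIE
#define TCP_FASTOPEN_NO_COOKIE 34
#endif

/* net.ipv4.tcp_fastopen bits as defined in include/net/tcp.h. */
#define TFO_CLIENT_ENABLE          0x1
#define TFO_SERVER_ENABLE          0x2
#define TFO_CLIENT_NO_COOKIE       0x4
#define TFO_SERVER_COOKIE_NOT_REQD 0x200

/* Policy inputs a listener has for one incoming SYN (example's own types). */
struct tfo_policy {
	int sysctl_tcp_fastopen;      /* net.ipv4.tcp_fastopen */
	int sock_fastopen_no_cookie;  /* TCP_FASTOPEN_NO_COOKIE on the listener */
	int route_fastopen_no_cookie; /* RTAX_FASTOPEN_NO_COOKIE on the route to the peer */
};

struct tfo_syn {
	int has_data;     /* SYN carries a payload */
	int cookie_len;   /* -1: no TFO option, 0: cookie request, >0: cookie present */
	int cookie_valid; /* constructed stand-in for the kernel's cookie comparison */
};

/*
 * Simplified model of the decision in tcp_try_fastopen() after this patch:
 * the listener queue limit and the SYN-cookie path are left out on purpose.
 * Returns 1 when the SYN payload would be accepted into a fast-open child,
 * 0 when the peer gets an ordinary handshake (a fresh cookie may still be
 * issued in that case; this model does not track it).
 */
int tfo_server_accepts_syn_data(const struct tfo_policy *p, const struct tfo_syn *s)
{
	if (!(p->sysctl_tcp_fastopen & TFO_SERVER_ENABLE))
		return 0;

	/* This branch runs before any cookie check: with any of the three
	 * knobs set, a stale or forged cookie is never looked at. */
	if (s->has_data &&
	    ((p->sysctl_tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD) ||
	     p->sock_fastopen_no_cookie || p->route_fastopen_no_cookie))
		return 1;

	/* Normal path: the client must present a cookie that validates. */
	if (s->has_data && s->cookie_len > 0 && s->cookie_valid)
		return 1;

	return 0;
}

/*
 * Sets TCP_FASTOPEN_NO_COOKIE on a socket and reads it back. Returns the
 * value the kernel reports, or -errno (ENOPROTOOPT on kernels that predate
 * the patch). With the setsockopt hunk as posted, reading back after on=0
 * still yields 1, because that path stores 1 regardless of val.
 */
int tfo_set_no_cookie_readback(int fd, int on)
{
	int val = on ? 1 : 0;
	socklen_t len = sizeof(val);

	if (setsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_NO_COOKIE, &val, sizeof(val)) < 0)
		return -errno;
	if (getsockopt(fd, IPPROTO_TCP, TCP_FASTOPEN_NO_COOKIE, &val, &len) < 0)
		return -errno;
	return val;
}

int main(void)
{
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0) {
		perror("socket");
		return 1;
	}
	/* Must be done while the socket is CLOSE or LISTEN, per the hunk. */
	int on = tfo_set_no_cookie_readback(fd, 1);
	int off = tfo_set_no_cookie_readback(fd, 0);
	printf("after set 1: %d, after set 0: %d\n", on, off);
	close(fd);
	return 0;
}
```

Running the program on a kernel carrying the v2 hunk prints `after set 1: 1, after set 0: 1`, which is the clear-path defect visible in the setsockopt hunk; on a kernel without the option both values are `-92` (ENOPROTOOPT). The model shows the scoping difference that matters operationally: a forged cookie is accepted whenever the route metric or the listener flag is set, and the listener flag does this for every peer, whereas the route metric only does it for peers reached over that route.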