Commit d9790bc2 authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'mptcp-syncookies' 



Florian Westphal says:

====================
mptcp: add syncookie support

Changes in v2:
- first patch renames req->ts_cookie to req->syncookie instead of
  removing ts_cookie member.
- patch to add 'want_cookie' arg to init_req() functions has been dropped.
  All users of that arg were changed to check 'req->syncookie' instead.

v1 cover letter:

When syn-cookies are used the SYN?ACK never contains a MPTCP option,
because the code path that creates a request socket based on a valid
cookie ACK lacks the needed changes to construct MPTCP request sockets.

After this series, if SYN carries MP_CAPABLE option, the option is not
cleared anymore and request socket will be reconstructed using the
MP_CAPABLE option data that is re-sent with the ACK.

This means that no additional state gets encoded into the syn cookie or
the TCP timestamp.

There are two caveats for SYN-Cookies with MPTCP:

1. When syn-cookies are used, the server-generated key is not stored.
The drawback is that the next connection request that comes in before
the cookie-ACK has a small chance that it will generate the same local_key.

If this happens, the cookie ACK that comes in second will (re)compute the
token hash and then detects that this is already in use.
Unlike normal case, where the server will pick a new key value and then
re-tries, we can't do that because we already committed to the key value
(it was sent to peer already).

Im this case, MPTCP cannot be used and late TCP fallback happens.

2). SYN packets with a MP_JOIN requests cannot be handled without storing
    state. This is because the SYN contains a nonce value that is needed to
    verify the HMAC of the MP_JOIN ACK that completes the three-way
    handshake.  Also, a local nonce is generated and used in the cookie
    SYN/ACK.

There are only 2 ways to solve this:
 a) Do not support JOINs when cookies are in effect.
 b) Store the nonces somewhere.

The approach chosen here is b).
Patch 8 adds a fixed-size (1024 entries) state table to store the
information required to validate the MP_JOIN ACK and re-build the
request socket.

State gets stored when syn-cookies are active and the token in the JOIN
request referred to an established MPTCP connection that can also accept
a new subflow.

State is restored if the ACK cookie is valid, an MP_JOIN option is present
and the state slot contains valid data from a previous SYN.

After the request socket has been re-build, normal HMAC check is done just
as without syn cookies.

Largely identical to last RFC, except patch #8 which follows Paolos
suggestion to use a private table storage area rather than keeping
request sockets around.  This also means I dropped the patch to remove
const qualifier from sk_listener pointers.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 77aec5e1 00587187

drivers/crypto/chelsio/chtls/chtls_cm.c

+1 −1
Original line number Diff line number Diff line
@@ -1348,7 +1348,7 @@ static void chtls_pass_accept_request(struct sock *sk, 


	oreq->rsk_rcv_wnd = 0;

	oreq->rsk_window_clamp = 0;

	oreq->cookie_ts = 0;

	oreq->syncookie = 0;

	oreq->mss = 0;

	oreq->ts_recent = 0;

include/net/mptcp.h

+11 −0
Original line number Diff line number Diff line
@@ -58,6 +58,7 @@ struct mptcp_out_options { 
};



#ifdef CONFIG_MPTCP

extern struct request_sock_ops mptcp_subflow_request_sock_ops;



void mptcp_init(void);
@@ -130,6 +131,9 @@ static inline bool mptcp_skb_can_collapse(const struct sk_buff *to, 
}



void mptcp_seq_show(struct seq_file *seq);

int mptcp_subflow_init_cookie_req(struct request_sock *req,

				  const struct sock *sk_listener,

				  struct sk_buff *skb);

#else



static inline void mptcp_init(void)
@@ -199,6 +203,13 @@ static inline bool mptcp_skb_can_collapse(const struct sk_buff *to, 


static inline void mptcp_space(const struct sock *ssk, int *s, int *fs) { }

static inline void mptcp_seq_show(struct seq_file *seq) { }



static inline int mptcp_subflow_init_cookie_req(struct request_sock *req,

						const struct sock *sk_listener,

						struct sk_buff *skb)

{

	return 0; /* TCP fallback */

}

#endif /* CONFIG_MPTCP */



#if IS_ENABLED(CONFIG_MPTCP_IPV6)

include/net/request_sock.h

+1 −1
Original line number Diff line number Diff line
@@ -54,7 +54,7 @@ struct request_sock { 
	struct request_sock		*dl_next;

	u16				mss;

	u8				num_retrans; /* number of retransmits */

	u8				cookie_ts:1; /* syncookie: encode tcpopts in timestamp */

	u8				syncookie:1; /* syncookie: encode tcpopts in timestamp */

	u8				num_timeout:7; /* number of timeouts */

	u32				ts_recent;

	struct timer_list		rsk_timer;

include/net/tcp.h

+2 −0
Original line number Diff line number Diff line
@@ -469,6 +469,8 @@ struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb, 
int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th,

		      u32 cookie);

struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb);

struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,

					    struct sock *sk, struct sk_buff *skb);

#ifdef CONFIG_SYN_COOKIES



/* Syncookies use a monotonic timer which increments every 60 seconds.

net/ipv4/syncookies.c

+40 −4
Original line number Diff line number Diff line
@@ -212,6 +212,12 @@ struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb, 
		refcount_set(&req->rsk_refcnt, 1);

		tcp_sk(child)->tsoffset = tsoff;

		sock_rps_save_rxhash(child, skb);



		if (tcp_rsk(req)->drop_req) {

			refcount_set(&req->rsk_refcnt, 2);

			return child;

		}



		if (inet_csk_reqsk_queue_add(sk, req, child))

			return child;
@@ -276,6 +282,39 @@ bool cookie_ecn_ok(const struct tcp_options_received *tcp_opt, 
}

EXPORT_SYMBOL(cookie_ecn_ok);



struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,

					    struct sock *sk,

					    struct sk_buff *skb)

{

	struct tcp_request_sock *treq;

	struct request_sock *req;



#ifdef CONFIG_MPTCP

	if (sk_is_mptcp(sk))

		ops = &mptcp_subflow_request_sock_ops;

#endif



	req = inet_reqsk_alloc(ops, sk, false);

	if (!req)

		return NULL;



#if IS_ENABLED(CONFIG_MPTCP)

	treq = tcp_rsk(req);

	treq->is_mptcp = sk_is_mptcp(sk);

	if (treq->is_mptcp) {

		int err = mptcp_subflow_init_cookie_req(req, sk, skb);



		if (err) {

			reqsk_free(req);

			return NULL;

		}

	}

#endif



	return req;

}

EXPORT_SYMBOL_GPL(cookie_tcp_reqsk_alloc);



/* On input, sk is a listener.

 * Output is listener if incoming packet would not create a child

 *           NULL if memory could not be allocated.
@@ -326,7 +365,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) 
		goto out;



	ret = NULL;

	req = inet_reqsk_alloc(&tcp_request_sock_ops, sk, false); /* for safety */

	req = cookie_tcp_reqsk_alloc(&tcp_request_sock_ops, sk, skb);

	if (!req)

		goto out;
@@ -350,9 +389,6 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb) 
	treq->snt_synack	= 0;

	treq->tfo_listener	= false;



	if (IS_ENABLED(CONFIG_MPTCP))

		treq->is_mptcp = 0;



	if (IS_ENABLED(CONFIG_SMC))

		ireq->smc_ok = 0;

CRA Git | Maintained and supported by SUSTech CRA and CCSE