On Thu, Aug 8, 2019 at 11:50 AM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
>
> Socket cookie consumers must assume the value as opqaue in any case.
> The cookie does not guarantee an always unique identifier since it
> could wrap in fabricated corner cases where two sockets could end up
> holding the same cookie,
What do you mean by this ? Cookie is guaranteed to be unique, it is from a 64bit counter... There should be no collision.
> but is good enough to be used as a hint for
> many use cases; not every socket must have a cookie generated hence
> knowledge of the counter value does not provide much value either way.
>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Cc: Eric Dumazet <edumazet@xxxxxxxxxx>
> Cc: Alexei Starovoitov <ast@xxxxxxxxxx>
> Cc: Willem de Bruijn <willemb@xxxxxxxxxx>
> Cc: Martynas Pumputis <m@xxxxxxxxx>
> ---
> include/net/net_namespace.h | 1 -
> include/uapi/linux/bpf.h | 4 ++--
> net/core/sock_diag.c | 3 ++-
> 3 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
> index 4a9da951a794..cb668bc2692d 100644
> --- a/include/net/net_namespace.h
> +++ b/include/net/net_namespace.h
> @@ -61,7 +61,6 @@ struct net {
> spinlock_t rules_mod_lock;
>
> u32 hash_mix;
> - atomic64_t cookie_gen;
>
> struct list_head list; /* list of network namespaces */
> struct list_head exit_list; /* To linked to call pernet exit
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index fa1c753dcdbc..a5aa7d3ac6a1 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -1466,8 +1466,8 @@ union bpf_attr {
> * If no cookie has been set yet, generate a new cookie. Once
> * generated, the socket cookie remains stable for the life of the
> * socket. This helper can be useful for monitoring per socket
> - * networking traffic statistics as it provides a unique socket
> - * identifier per namespace.
> + * networking traffic statistics as it provides a global socket
> + * identifier that can be assumed unique.
> * Return
> * A 8-byte long non-decreasing number on success, or 0 if the
> * socket field is missing inside *skb*.
> diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
> index 3312a5849a97..c13ffbd33d8d 100644
> --- a/net/core/sock_diag.c
> +++ b/net/core/sock_diag.c
> @@ -19,6 +19,7 @@ static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];
> static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
> static DEFINE_MUTEX(sock_diag_table_mutex);
> static struct workqueue_struct *broadcast_wq;
> +static atomic64_t cookie_gen;
>
> u64 sock_gen_cookie(struct sock *sk)
> {
> @@ -27,7 +28,7 @@ u64 sock_gen_cookie(struct sock *sk)
>
> if (res)
> return res;
> - res = atomic64_inc_return(&sock_net(sk)->cookie_gen);
> + res = atomic64_inc_return(&cookie_gen);
> atomic64_cmpxchg(&sk->sk_cookie, 0, res);
> }
> }
> --
> 2.17.1
>
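Review bot: The helper text in the bpf.h hunk still describes the return value as "A 8-byte long non-decreasing number" directly below the reworded sentence, while the commit description says consumers must treat the cookie as opaque. With the generator now shared by every namespace, that wording invites BPF programs to derive ordering or socket counts from the value. I would add a line after the new text, for example `* The value is opaque: compare cookies only for equality.`, so the UAPI documentation states the same contract as the commit message. The comment block for this helper starts above the hunk.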
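Review bot: The new file-scope `cookie_gen` in the first sock_diag.c hunk has no comment, and two properties a reader needs are only implicit. It is now shared by all network namespaces, and 0 is reserved, because `sock_gen_cookie()` treats a zero `sk->sk_cookie` as "not yet assigned". I would document both on the declaration, e.g. `/* Host-wide socket cookie generator, shared across netns; 0 means "no cookie yet". */`. Because the counter is host-wide, a cookie read in one namespace now advances with cookie generation in the others, so it is worth confirming that no in-tree consumer relied on the per-namespace sequence. The body of sock_gen_cookie() starts outside the second hunk.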