On Wed, 20 Oct 2021 at 14:16, Maxim Mikityanskiy <maximmi@xxxxxxxxxx> wrote: > > On 2021-10-20 06:28, John Fastabend wrote: > > Maxim Mikityanskiy wrote: > >> bpf_tcp_check_syncookie returns errors when SYN cookie generation is > >> disabled (EINVAL) or when no cookies were recently generated (ENOENT). > >> The same error codes are used for other kinds of errors: invalid > >> parameters (EINVAL), invalid packet (EINVAL, ENOENT), bad cookie > >> (ENOENT). Such an overlap makes it impossible for a BPF program to > >> distinguish different cases that may require different handling. > > > > I'm not sure we can change these errors now. They are embedded in > > the helper API. I think a BPF program could uncover the meaning > > of the error anyways with some error path handling? > > > > Anyways even if we do change these most of us who run programs > > on multiple kernel versions would not be able to rely on them > > being one way or the other easily. > > The thing is, the error codes aren't really documented: > > * 0 if *iph* and *th* are a valid SYN cookie ACK, or a negative > * error otherwise. Yes, I kept this vague so that there is some wiggle room. FWIW your proposed change would not break our BPF. Same for the examples included in the kernel source itself. That is no guarantee of course. Personally, I'm a bit on the fence regarding a backport of this. Either this is a legitimate extension of the API and we don't backport, or it's a bug (how?) and then we should backport. -- Lorenz Bauer | Systems Engineer 6th Floor, County Hall/The Riverside Building, SE1 7PB, UK www.cloudflare.com