From: Stanislav Fomichev <sdf@xxxxxxxxxx>
Date: Mon, 16 Oct 2023 13:38:25 -0700
> On 10/13, Kuniyuki Iwashima wrote:
> > This patch adds a new SOCK_OPS hook to validate arbitrary SYN Cookie.
> >
> > When the kernel receives ACK for SYN Cookie, the hook is invoked with
> > bpf_sock_ops.op == BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB if the listener has
> > BPF_SOCK_OPS_SYNCOOKIE_CB_FLAG set by bpf_sock_ops_cb_flags_set().
> >
> > The BPF program can access the following information to validate ISN:
> >
> > bpf_sock_ops.sk : 4-tuple
> > bpf_sock_ops.skb : TCP header
> > bpf_sock_ops.args[0] : ISN
> >
> > The program must decode MSS and set it to bpf_sock_ops.replylong[0].
> >
> > By default, the kernel validates SYN Cookie before allocating reqsk, but
> > the hook is invoked after allocating reqsk to keep the user interface
> > consistent with BPF_SOCK_OPS_GEN_SYNCOOKIE_CB.
> >
> > Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
> > ---
> > include/net/tcp.h | 12 ++++++
> > include/uapi/linux/bpf.h | 20 +++++++---
> > net/ipv4/syncookies.c | 73 +++++++++++++++++++++++++++-------
> > net/ipv6/syncookies.c | 44 +++++++++++++-------
> > tools/include/uapi/linux/bpf.h | 20 +++++++---
> > 5 files changed, 130 insertions(+), 39 deletions(-)
> >
> > diff --git a/include/net/tcp.h b/include/net/tcp.h
> > index 676618c89bb7..90d95acdc34a 100644
> > --- a/include/net/tcp.h
> > +++ b/include/net/tcp.h
> > @@ -2158,6 +2158,18 @@ static inline __u32 cookie_init_sequence(const struct tcp_request_sock_ops *ops,
> > __NET_INC_STATS(sock_net(sk), LINUX_MIB_SYNCOOKIESSENT);
> > return ops->cookie_init_seq(skb, mss);
> > }
> > +
> > +#ifdef CONFIG_CGROUP_BPF
> > +int bpf_skops_cookie_check(struct sock *sk, struct request_sock *req,
> > + struct sk_buff *skb);
> > +#else
> > +static inline int bpf_skops_cookie_check(struct sock *sk, struct request_sock *req,
> > + struct sk_buff *skb)
> > +{
> > + return 0;
> > +}
> > +#endif
> > +
> > #else
> > static inline __u32 cookie_init_sequence(const struct tcp_request_sock_ops *ops,
> > const struct sock *sk, struct sk_buff *skb,
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index d3cc530613c0..e6f1507d7895 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -6738,13 +6738,16 @@ enum {
> > * options first before the BPF program does.
> > */
> > BPF_SOCK_OPS_WRITE_HDR_OPT_CB_FLAG = (1<<6),
> > - /* Call bpf when the kernel generates SYN Cookie (ISN) for SYN+ACK.
> > + /* Call bpf when the kernel generates SYN Cookie (ISN) for SYN+ACK
> > + * and validates ACK for SYN Cookie.
> > *
> > - * The bpf prog will be called to encode MSS into SYN Cookie with
> > - * sock_ops->op == BPF_SOCK_OPS_GEN_SYNCOOKIE_CB.
> > + * The bpf prog will be first called to encode MSS into SYN Cookie
> > + * with sock_ops->op == BPF_SOCK_OPS_GEN_SYNCOOKIE_CB. Then, the
> > + * bpf prog will be called to decode MSS from SYN Cookie with
> > + * sock_ops->op == BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB.
> > *
> > - * Please refer to the comment in BPF_SOCK_OPS_GEN_SYNCOOKIE_CB for
> > - * input and output.
> > + * Please refer to the comment in BPF_SOCK_OPS_GEN_SYNCOOKIE_CB and
> > + * BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB for input and output.
> > */
> > BPF_SOCK_OPS_SYNCOOKIE_CB_FLAG = (1<<7),
> > /* Mask of all currently supported cb flags */
> > @@ -6868,6 +6871,13 @@ enum {
> > *
> > * replylong[0]: ISN
> > */
> > + BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB,/* Validate SYN Cookie and set
> > + * MSS.
> > + *
> > + * args[0]: ISN
> > + *
> > + * replylong[0]: MSS
> > + */
> > };
> >
> > /* List of TCP states. There is a build check in net/ipv4/tcp.c to detect
> > diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
> > index 514f1a4abdee..b1dd415863ff 100644
> > --- a/net/ipv4/syncookies.c
> > +++ b/net/ipv4/syncookies.c
> > @@ -317,6 +317,37 @@ struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
> > }
> > EXPORT_SYMBOL_GPL(cookie_tcp_reqsk_alloc);
> >
> > +#if IS_ENABLED(CONFIG_CGROUP_BPF) && IS_ENABLED(CONFIG_SYN_COOKIES)
> > +int bpf_skops_cookie_check(struct sock *sk, struct request_sock *req, struct sk_buff *skb)
> > +{
> > + struct bpf_sock_ops_kern sock_ops;
> > +
> > + memset(&sock_ops, 0, offsetof(struct bpf_sock_ops_kern, temp));
> > +
> > + sock_ops.op = BPF_SOCK_OPS_CHECK_SYNCOOKIE_CB;
> > + sock_ops.sk = req_to_sk(req);
> > + sock_ops.args[0] = tcp_rsk(req)->snt_isn;
> > +
> > + bpf_skops_init_skb(&sock_ops, skb, tcp_hdrlen(skb));
> > +
> > + if (BPF_CGROUP_RUN_PROG_SOCK_OPS_SK(&sock_ops, sk))
> > + goto err;
> > +
> > + if (!sock_ops.replylong[0])
> > + goto err;
> > +
> > + __NET_INC_STATS(sock_net(sk), LINUX_MIB_SYNCOOKIESRECV);
>
> I don't see LINUX_MIB_SYNCOOKIESSENT being incremented in the
> previous patch, so maybe also don't touch the mib here? The bpf
> program can do the counting if needed?
>
> Or, alternatively, add LINUX_MIB_SYNCOOKIESSENT to
> the BPF_SOCK_OPS_GEN_SYNCOOKIE_CB path?
Good catch!
I skipped calling tcp_synq_overflow() in the previous patch but should
have incremented LINUX_MIB_SYNCOOKIESSENT. Will fix in v2.
Thanks!
