Re: [PATCH net-next v3 3/6] net/tcp: Move tcp_inbound_hash() from headers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Matthieu,

[re-sending as replying from mobile phone never works in plain text]

On Thu, 6 Jun 2024 at 10:12, Matthieu Baerts <matttbe@xxxxxxxxxx> wrote:
>
> Hi Dmitry,
>
> On 06/06/2024 02:58, Dmitry Safonov via B4 Relay wrote:
> > From: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
> >
> > Two reasons:
> > 1. It's grown up enough
> > 2. In order to not do header spaghetti by including
> >    <trace/events/tcp.h>, which is necessary for TCP tracepoints.
> >
> > While at it, unexport and make static tcp_inbound_ao_hash().
>
> Thank you for working on this.
>  > Signed-off-by: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
> > ---
> >  include/net/tcp.h | 78 +++----------------------------------------------------
> >  net/ipv4/tcp.c    | 66 ++++++++++++++++++++++++++++++++++++++++++++--
> >  2 files changed, 68 insertions(+), 76 deletions(-)
> >
> > diff --git a/include/net/tcp.h b/include/net/tcp.h
> > index e5427b05129b..2aac11e7e1cc 100644
> > --- a/include/net/tcp.h
> > +++ b/include/net/tcp.h
> > @@ -1863,12 +1863,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk,
> >       return __tcp_md5_do_lookup(sk, 0, addr, family, true);
> >  }
> >
> > -enum skb_drop_reason
> > -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> > -                  const void *saddr, const void *daddr,
> > -                  int family, int l3index, const __u8 *hash_location);
> > -
> > -
> >  #define tcp_twsk_md5_key(twsk)       ((twsk)->tw_md5_key)
> >  #else
> >  static inline struct tcp_md5sig_key *
> > @@ -1885,13 +1879,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk,
> >       return NULL;
> >  }
> >
> > -static inline enum skb_drop_reason
> > -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> > -                  const void *saddr, const void *daddr,
> > -                  int family, int l3index, const __u8 *hash_location)
> > -{
> > -     return SKB_NOT_DROPPED_YET;
> > -}
>
> It looks like this no-op is still needed, please see below.
>
> >  #define tcp_twsk_md5_key(twsk)       NULL
> >  #endif
> >
>
> (...)
>
> > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > index fa43aaacd92b..80ed5c099f11 100644
> > --- a/net/ipv4/tcp.c
> > +++ b/net/ipv4/tcp.c
> > @@ -4456,7 +4456,7 @@ int tcp_md5_hash_key(struct tcp_sigpool *hp,
> >  EXPORT_SYMBOL(tcp_md5_hash_key);
> >
> >  /* Called with rcu_read_lock() */
> > -enum skb_drop_reason
> > +static enum skb_drop_reason
> >  tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> >                    const void *saddr, const void *daddr,
> >                    int family, int l3index, const __u8 *hash_location)
> > @@ -4510,10 +4510,72 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> >       }
> >       return SKB_NOT_DROPPED_YET;
> >  }
> > -EXPORT_SYMBOL(tcp_inbound_md5_hash);
> >
> >  #endif
> >
> > +/* Called with rcu_read_lock() */
> > +enum skb_drop_reason
> > +tcp_inbound_hash(struct sock *sk, const struct request_sock *req,
> > +              const struct sk_buff *skb,
> > +              const void *saddr, const void *daddr,
> > +              int family, int dif, int sdif)
> > +{
> > +     const struct tcphdr *th = tcp_hdr(skb);
> > +     const struct tcp_ao_hdr *aoh;
> > +     const __u8 *md5_location;
> > +     int l3index;
> > +
> > +     /* Invalid option or two times meet any of auth options */
> > +     if (tcp_parse_auth_options(th, &md5_location, &aoh)) {
> > +             tcp_hash_fail("TCP segment has incorrect auth options set",
> > +                           family, skb, "");
> > +             return SKB_DROP_REASON_TCP_AUTH_HDR;
> > +     }
> > +
> > +     if (req) {
> > +             if (tcp_rsk_used_ao(req) != !!aoh) {
> > +                     NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
> > +                     tcp_hash_fail("TCP connection can't start/end using TCP-AO",
> > +                                   family, skb, "%s",
> > +                                   !aoh ? "missing AO" : "AO signed");
> > +                     return SKB_DROP_REASON_TCP_AOFAILURE;
> > +             }
> > +     }
> > +
> > +     /* sdif set, means packet ingressed via a device
> > +      * in an L3 domain and dif is set to the l3mdev
> > +      */
> > +     l3index = sdif ? dif : 0;
> > +
> > +     /* Fast path: unsigned segments */
> > +     if (likely(!md5_location && !aoh)) {
> > +             /* Drop if there's TCP-MD5 or TCP-AO key with any rcvid/sndid
> > +              * for the remote peer. On TCP-AO established connection
> > +              * the last key is impossible to remove, so there's
> > +              * always at least one current_key.
> > +              */
> > +             if (tcp_ao_required(sk, saddr, family, l3index, true)) {
> > +                     tcp_hash_fail("AO hash is required, but not found",
> > +                                   family, skb, "L3 index %d", l3index);
> > +                     return SKB_DROP_REASON_TCP_AONOTFOUND;
> > +             }
> > +             if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) {
> > +                     NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
> > +                     tcp_hash_fail("MD5 Hash not found",
> > +                                   family, skb, "L3 index %d", l3index);
> > +                     return SKB_DROP_REASON_TCP_MD5NOTFOUND;
> > +             }
> > +             return SKB_NOT_DROPPED_YET;
> > +     }
> > +
> > +     if (aoh)
> > +             return tcp_inbound_ao_hash(sk, skb, family, req, l3index, aoh);
> > +
> > +     return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family,
> > +                                 l3index, md5_location);
>
> Many selftests are currently failing [1] because of this line: if
> CONFIG_TCP_MD5SIG is not defined -- which is currently the case in many
> selftests: tc, mptcp, forwarding, netfilter, drivers, etc. -- then this
> tcp_inbound_md5_hash() function is not defined:
>
> > net/ipv4/tcp.c: In function ‘tcp_inbound_hash’:
> > net/ipv4/tcp.c:4570:16: error: implicit declaration of function ‘tcp_inbound_md5_hash’; did you mean ‘tcp_inbound_ao_hash’? [-Werror=implicit-function-declaration]
> >  4570 |         return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family,
> >       |                ^~~~~~~~~~~~~~~~~~~~
> >       |                tcp_inbound_ao_hash
>
> Do you (or any maintainers) mind replying to this email with this line
> [2] so future builds from the CI will no longer pick-up this series?
>
> pw-bot: changes-requested

Ugh, it seems I can falter on a plain place.
I should have rechecked this for v3.

pw-bot: changes-requested

Thanks for the report,
           Dmitry





[Index of Archives]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite Forum]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]

  Powered by Linux