Hi Matthieu,
[re-sending as replying from mobile phone never works in plain text]
On Thu, 6 Jun 2024 at 10:12, Matthieu Baerts <matttbe@xxxxxxxxxx> wrote:
>
> Hi Dmitry,
>
> On 06/06/2024 02:58, Dmitry Safonov via B4 Relay wrote:
> > From: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
> >
> > Two reasons:
> > 1. It's grown up enough
> > 2. In order to not do header spaghetti by including
> > <trace/events/tcp.h>, which is necessary for TCP tracepoints.
> >
> > While at it, unexport and make static tcp_inbound_ao_hash().
>
> Thank you for working on this.
> > Signed-off-by: Dmitry Safonov <0x7f454c46@xxxxxxxxx>
> > ---
> > include/net/tcp.h | 78 +++----------------------------------------------------
> > net/ipv4/tcp.c | 66 ++++++++++++++++++++++++++++++++++++++++++++--
> > 2 files changed, 68 insertions(+), 76 deletions(-)
> >
> > diff --git a/include/net/tcp.h b/include/net/tcp.h
> > index e5427b05129b..2aac11e7e1cc 100644
> > --- a/include/net/tcp.h
> > +++ b/include/net/tcp.h
> > @@ -1863,12 +1863,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk,
> > return __tcp_md5_do_lookup(sk, 0, addr, family, true);
> > }
> >
> > -enum skb_drop_reason
> > -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> > - const void *saddr, const void *daddr,
> > - int family, int l3index, const __u8 *hash_location);
> > -
> > -
> > #define tcp_twsk_md5_key(twsk) ((twsk)->tw_md5_key)
> > #else
> > static inline struct tcp_md5sig_key *
> > @@ -1885,13 +1879,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk,
> > return NULL;
> > }
> >
> > -static inline enum skb_drop_reason
> > -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> > - const void *saddr, const void *daddr,
> > - int family, int l3index, const __u8 *hash_location)
> > -{
> > - return SKB_NOT_DROPPED_YET;
> > -}
>
> It looks like this no-op is still needed, please see below.
>
> > #define tcp_twsk_md5_key(twsk) NULL
> > #endif
> >
>
> (...)
>
> > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > index fa43aaacd92b..80ed5c099f11 100644
> > --- a/net/ipv4/tcp.c
> > +++ b/net/ipv4/tcp.c
> > @@ -4456,7 +4456,7 @@ int tcp_md5_hash_key(struct tcp_sigpool *hp,
> > EXPORT_SYMBOL(tcp_md5_hash_key);
> >
> > /* Called with rcu_read_lock() */
> > -enum skb_drop_reason
> > +static enum skb_drop_reason
> > tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> > const void *saddr, const void *daddr,
> > int family, int l3index, const __u8 *hash_location)
> > @@ -4510,10 +4510,72 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> > }
> > return SKB_NOT_DROPPED_YET;
> > }
> > -EXPORT_SYMBOL(tcp_inbound_md5_hash);
> >
> > #endif
> >
> > +/* Called with rcu_read_lock() */
> > +enum skb_drop_reason
> > +tcp_inbound_hash(struct sock *sk, const struct request_sock *req,
> > + const struct sk_buff *skb,
> > + const void *saddr, const void *daddr,
> > + int family, int dif, int sdif)
> > +{
> > + const struct tcphdr *th = tcp_hdr(skb);
> > + const struct tcp_ao_hdr *aoh;
> > + const __u8 *md5_location;
> > + int l3index;
> > +
> > + /* Invalid option or two times meet any of auth options */
> > + if (tcp_parse_auth_options(th, &md5_location, &aoh)) {
> > + tcp_hash_fail("TCP segment has incorrect auth options set",
> > + family, skb, "");
> > + return SKB_DROP_REASON_TCP_AUTH_HDR;
> > + }
> > +
> > + if (req) {
> > + if (tcp_rsk_used_ao(req) != !!aoh) {
> > + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
> > + tcp_hash_fail("TCP connection can't start/end using TCP-AO",
> > + family, skb, "%s",
> > + !aoh ? "missing AO" : "AO signed");
> > + return SKB_DROP_REASON_TCP_AOFAILURE;
> > + }
> > + }
> > +
> > + /* sdif set, means packet ingressed via a device
> > + * in an L3 domain and dif is set to the l3mdev
> > + */
> > + l3index = sdif ? dif : 0;
> > +
> > + /* Fast path: unsigned segments */
> > + if (likely(!md5_location && !aoh)) {
> > + /* Drop if there's TCP-MD5 or TCP-AO key with any rcvid/sndid
> > + * for the remote peer. On TCP-AO established connection
> > + * the last key is impossible to remove, so there's
> > + * always at least one current_key.
> > + */
> > + if (tcp_ao_required(sk, saddr, family, l3index, true)) {
> > + tcp_hash_fail("AO hash is required, but not found",
> > + family, skb, "L3 index %d", l3index);
> > + return SKB_DROP_REASON_TCP_AONOTFOUND;
> > + }
> > + if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) {
> > + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
> > + tcp_hash_fail("MD5 Hash not found",
> > + family, skb, "L3 index %d", l3index);
> > + return SKB_DROP_REASON_TCP_MD5NOTFOUND;
> > + }
> > + return SKB_NOT_DROPPED_YET;
> > + }
> > +
> > + if (aoh)
> > + return tcp_inbound_ao_hash(sk, skb, family, req, l3index, aoh);
> > +
> > + return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family,
> > + l3index, md5_location);
>
> Many selftests are currently failing [1] because of this line: if
> CONFIG_TCP_MD5SIG is not defined -- which is currently the case in many
> selftests: tc, mptcp, forwarding, netfilter, drivers, etc. -- then this
> tcp_inbound_md5_hash() function is not defined:
>
> > net/ipv4/tcp.c: In function ‘tcp_inbound_hash’:
> > net/ipv4/tcp.c:4570:16: error: implicit declaration of function ‘tcp_inbound_md5_hash’; did you mean ‘tcp_inbound_ao_hash’? [-Werror=implicit-function-declaration]
> > 4570 | return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family,
> > | ^~~~~~~~~~~~~~~~~~~~
> > | tcp_inbound_ao_hash
>
> Do you (or any maintainers) mind replying to this email with this line
> [2] so future builds from the CI will no longer pick-up this series?
>
> pw-bot: changes-requested
Ugh, it seems I can falter on a plain place.
I should have rechecked this for v3.
pw-bot: changes-requested
Thanks for the report,
Dmitry
