Hi Matthieu, [re-sending as replying from mobile phone never works in plain text] On Thu, 6 Jun 2024 at 10:12, Matthieu Baerts <matttbe@xxxxxxxxxx> wrote: > > Hi Dmitry, > > On 06/06/2024 02:58, Dmitry Safonov via B4 Relay wrote: > > From: Dmitry Safonov <0x7f454c46@xxxxxxxxx> > > > > Two reasons: > > 1. It's grown up enough > > 2. In order to not do header spaghetti by including > > <trace/events/tcp.h>, which is necessary for TCP tracepoints. > > > > While at it, unexport and make static tcp_inbound_ao_hash(). > > Thank you for working on this. > > Signed-off-by: Dmitry Safonov <0x7f454c46@xxxxxxxxx> > > --- > > include/net/tcp.h | 78 +++---------------------------------------------------- > > net/ipv4/tcp.c | 66 ++++++++++++++++++++++++++++++++++++++++++++-- > > 2 files changed, 68 insertions(+), 76 deletions(-) > > > > diff --git a/include/net/tcp.h b/include/net/tcp.h > > index e5427b05129b..2aac11e7e1cc 100644 > > --- a/include/net/tcp.h > > +++ b/include/net/tcp.h > > @@ -1863,12 +1863,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk, > > return __tcp_md5_do_lookup(sk, 0, addr, family, true); > > } > > > > -enum skb_drop_reason > > -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, > > - const void *saddr, const void *daddr, > > - int family, int l3index, const __u8 *hash_location); > > - > > - > > #define tcp_twsk_md5_key(twsk) ((twsk)->tw_md5_key) > > #else > > static inline struct tcp_md5sig_key * > > @@ -1885,13 +1879,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk, > > return NULL; > > } > > > > -static inline enum skb_drop_reason > > -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, > > - const void *saddr, const void *daddr, > > - int family, int l3index, const __u8 *hash_location) > > -{ > > - return SKB_NOT_DROPPED_YET; > > -} > > It looks like this no-op is still needed, please see below. > > > #define tcp_twsk_md5_key(twsk) NULL > > #endif > > > > (...) > > > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c > > index fa43aaacd92b..80ed5c099f11 100644 > > --- a/net/ipv4/tcp.c > > +++ b/net/ipv4/tcp.c > > @@ -4456,7 +4456,7 @@ int tcp_md5_hash_key(struct tcp_sigpool *hp, > > EXPORT_SYMBOL(tcp_md5_hash_key); > > > > /* Called with rcu_read_lock() */ > > -enum skb_drop_reason > > +static enum skb_drop_reason > > tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, > > const void *saddr, const void *daddr, > > int family, int l3index, const __u8 *hash_location) > > @@ -4510,10 +4510,72 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, > > } > > return SKB_NOT_DROPPED_YET; > > } > > -EXPORT_SYMBOL(tcp_inbound_md5_hash); > > > > #endif > > > > +/* Called with rcu_read_lock() */ > > +enum skb_drop_reason > > +tcp_inbound_hash(struct sock *sk, const struct request_sock *req, > > + const struct sk_buff *skb, > > + const void *saddr, const void *daddr, > > + int family, int dif, int sdif) > > +{ > > + const struct tcphdr *th = tcp_hdr(skb); > > + const struct tcp_ao_hdr *aoh; > > + const __u8 *md5_location; > > + int l3index; > > + > > + /* Invalid option or two times meet any of auth options */ > > + if (tcp_parse_auth_options(th, &md5_location, &aoh)) { > > + tcp_hash_fail("TCP segment has incorrect auth options set", > > + family, skb, ""); > > + return SKB_DROP_REASON_TCP_AUTH_HDR; > > + } > > + > > + if (req) { > > + if (tcp_rsk_used_ao(req) != !!aoh) { > > + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); > > + tcp_hash_fail("TCP connection can't start/end using TCP-AO", > > + family, skb, "%s", > > + !aoh ? "missing AO" : "AO signed"); > > + return SKB_DROP_REASON_TCP_AOFAILURE; > > + } > > + } > > + > > + /* sdif set, means packet ingressed via a device > > + * in an L3 domain and dif is set to the l3mdev > > + */ > > + l3index = sdif ? dif : 0; > > + > > + /* Fast path: unsigned segments */ > > + if (likely(!md5_location && !aoh)) { > > + /* Drop if there's TCP-MD5 or TCP-AO key with any rcvid/sndid > > + * for the remote peer. On TCP-AO established connection > > + * the last key is impossible to remove, so there's > > + * always at least one current_key. > > + */ > > + if (tcp_ao_required(sk, saddr, family, l3index, true)) { > > + tcp_hash_fail("AO hash is required, but not found", > > + family, skb, "L3 index %d", l3index); > > + return SKB_DROP_REASON_TCP_AONOTFOUND; > > + } > > + if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) { > > + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND); > > + tcp_hash_fail("MD5 Hash not found", > > + family, skb, "L3 index %d", l3index); > > + return SKB_DROP_REASON_TCP_MD5NOTFOUND; > > + } > > + return SKB_NOT_DROPPED_YET; > > + } > > + > > + if (aoh) > > + return tcp_inbound_ao_hash(sk, skb, family, req, l3index, aoh); > > + > > + return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family, > > + l3index, md5_location); > > Many selftests are currently failing [1] because of this line: if > CONFIG_TCP_MD5SIG is not defined -- which is currently the case in many > selftests: tc, mptcp, forwarding, netfilter, drivers, etc. -- then this > tcp_inbound_md5_hash() function is not defined: > > > net/ipv4/tcp.c: In function ‘tcp_inbound_hash’: > > net/ipv4/tcp.c:4570:16: error: implicit declaration of function ‘tcp_inbound_md5_hash’; did you mean ‘tcp_inbound_ao_hash’? [-Werror=implicit-function-declaration] > > 4570 | return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family, > > | ^~~~~~~~~~~~~~~~~~~~ > > | tcp_inbound_ao_hash > > Do you (or any maintainers) mind replying to this email with this line > [2] so future builds from the CI will no longer pick-up this series? > > pw-bot: changes-requested Ugh, it seems I can falter on a plain place. I should have rechecked this for v3. pw-bot: changes-requested Thanks for the report, Dmitry