Re: [PATCH bpf-next v5 4/6] bpf: Add helpers to issue and check SYN cookies in XDP

Maxim Mikityanskiy <maximmi@xxxxxxxxxx> · Fri, 22 Apr 2022 20:23:25 +0300

On 2022-04-14 01:48, Daniel Borkmann wrote:
On 4/13/22 3:41 PM, Maxim Mikityanskiy wrote:
[...]
  /* integer value in 'imm' field of BPF_CALL instruction selects 
which helper

diff --git a/net/core/filter.c b/net/core/filter.c
index 7446b0ba4e38..428cc63ecdf7 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7425,6 +7425,124 @@ static const struct bpf_func_proto 
bpf_skb_set_tstamp_proto = {
      .arg3_type      = ARG_ANYTHING,
  };
+BPF_CALL_3(bpf_tcp_raw_gen_syncookie_ipv4, struct iphdr *, iph,
+       struct tcphdr *, th, u32, th_len)
+{
+#ifdef CONFIG_SYN_COOKIES
+    u32 cookie;
+    u16 mss;
+
+    if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4))
+        return -EINVAL;
+
+    mss = tcp_parse_mss_option(th, 0) ?: TCP_MSS_DEFAULT;
+    cookie = __cookie_v4_init_sequence(iph, th, &mss);
+
+    return cookie | ((u64)mss << 32);
+#else
+    return -EOPNOTSUPP;
+#endif /* CONFIG_SYN_COOKIES */

This (and for other added helpers below) will be rather tricky to probe 
for availability
e.g. via `bpftool feature probe [...]`. Much better if you wrap the 
ifdef CONFIG_SYN_COOKIES
around the {xdp,tc_cls_act}_func_proto() instead as we do elsewhere.

Just for the record, I copied this pattern from the existing SYN cookie 
helpers, but what you suggest makes sense, so I'll fix it for my helpers 
and resubmit.

+}
+
+static const struct bpf_func_proto 
bpf_tcp_raw_gen_syncookie_ipv4_proto = {
+    .func        = bpf_tcp_raw_gen_syncookie_ipv4,
+    .gpl_only    = true, /* __cookie_v4_init_sequence() is GPL */
+    .pkt_access    = true,
+    .ret_type    = RET_INTEGER,
+    .arg1_type    = ARG_PTR_TO_MEM,
+    .arg1_size    = sizeof(struct iphdr),
+    .arg2_type    = ARG_PTR_TO_MEM,
+    .arg3_type    = ARG_CONST_SIZE,
+};
+
+BPF_CALL_3(bpf_tcp_raw_gen_syncookie_ipv6, struct ipv6hdr *, iph,
+       struct tcphdr *, th, u32, th_len)
+{
+#ifndef CONFIG_SYN_COOKIES
+    return -EOPNOTSUPP;
+#elif !IS_BUILTIN(CONFIG_IPV6)
+    return -EPROTONOSUPPORT;
+#else
+    const u16 mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) -
+        sizeof(struct ipv6hdr);
+    u32 cookie;
+    u16 mss;
+
+    if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4))
+        return -EINVAL;
+
+    mss = tcp_parse_mss_option(th, 0) ?: mss_clamp;
+    cookie = __cookie_v6_init_sequence(iph, th, &mss);
+
+    return cookie | ((u64)mss << 32);
+#endif
+}
+
+static const struct bpf_func_proto 
bpf_tcp_raw_gen_syncookie_ipv6_proto = {
+    .func        = bpf_tcp_raw_gen_syncookie_ipv6,
+    .gpl_only    = true, /* __cookie_v6_init_sequence() is GPL */
+    .pkt_access    = true,
+    .ret_type    = RET_INTEGER,
+    .arg1_type    = ARG_PTR_TO_MEM,
+    .arg1_size    = sizeof(struct ipv6hdr),
+    .arg2_type    = ARG_PTR_TO_MEM,
+    .arg3_type    = ARG_CONST_SIZE,
+};
[...]
  bool bpf_helper_changes_pkt_data(void *func)
@@ -7837,6 +7955,14 @@ xdp_func_proto(enum bpf_func_id func_id, const 
struct bpf_prog *prog)
          return &bpf_tcp_check_syncookie_proto;
      case BPF_FUNC_tcp_gen_syncookie:
          return &bpf_tcp_gen_syncookie_proto;
+    case BPF_FUNC_tcp_raw_gen_syncookie_ipv4:
+        return &bpf_tcp_raw_gen_syncookie_ipv4_proto;
+    case BPF_FUNC_tcp_raw_gen_syncookie_ipv6:
+        return &bpf_tcp_raw_gen_syncookie_ipv6_proto;
+    case BPF_FUNC_tcp_raw_check_syncookie_ipv4:
+        return &bpf_tcp_raw_check_syncookie_ipv4_proto;
+    case BPF_FUNC_tcp_raw_check_syncookie_ipv6:
+        return &bpf_tcp_raw_check_syncookie_ipv6_proto;
  #endif
      default:
          return bpf_sk_base_func_proto(func_id);







