On Tue, Jul 26, 2022 at 9:06 AM Eric Dumazet <edumazet@xxxxxxxxxx> wrote: > > On Tue, Jul 26, 2022 at 8:16 AM Leonard Crestez <cdleonard@xxxxxxxxx> wrote: > > > > Tests are mostly copied from tcp_md5 with minor changes. > > > > It covers VRF support but only based on binding multiple servers: not > > multiple keys bound to different interfaces. > > > > Also add a specific -t tcp_authopt to run only these tests specifically. > > > > Thanks for the test. > > Could you amend the existing TCP MD5 test to make sure dual sockets > mode is working ? > > Apparently, if we have a dual stack listener socket (AF_INET6), > correct incoming IPV4 SYNs are dropped. > > If this is the case, fixing MD5 should happen first ;) > > I think that we are very late in the cycle (linux-5.19 should be > released in 5 days), and your patch set should not be merged so late. I suspect bug was added in commit 7bbb765b73496699a165d505ecdce962f903b422 Author: Dmitry Safonov <0x7f454c46@xxxxxxxxx> Date: Wed Feb 23 17:57:40 2022 +0000 net/tcp: Merge TCP-MD5 inbound callbacks a possible fix (also removing an indirect call for IPV4) could be: diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index ba2bdc81137490bd1748cde95789f8d2bff3ab0f..66b883d1683ddf7de6a8959a2b4e025a74c830b1 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4534,8 +4534,14 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, } /* check the signature */ - genhash = tp->af_specific->calc_md5_hash(newhash, hash_expected, - NULL, skb); + if (family == AF_INET) + genhash = tcp_v4_md5_hash_skb(newhash, + hash_expected, + NULL, skb); + else + genhash = tp->af_specific->calc_md5_hash(newhash, + hash_expected, + NULL, skb); if (genhash || memcmp(hash_location, newhash, 16) != 0) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);