mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-01 02:36:02 +00:00
bpf: tcp: Handle BPF SYN Cookie in cookie_v[46]_check().
We will support arbitrary SYN Cookie with BPF in the following patch. If BPF prog validates ACK and kfunc allocates a reqsk, it will be carried to cookie_[46]_check() as skb->sk. If skb->sk is not NULL, we call cookie_bpf_check(). Then, we clear skb->sk and skb->destructor, which are needed not to hold refcnt for reqsk and the listener. See the following patch for details. After that, we finish initialisation for the remaining fields with cookie_tcp_reqsk_init(). Note that the server side WScale is set only for non-BPF SYN Cookie. Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://lore.kernel.org/r/20240115205514.68364-5-kuniyu@amazon.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
This commit is contained in:
parent
8b5ac68fb5
commit
695751e31a
@ -599,6 +599,26 @@ static inline bool cookie_ecn_ok(const struct net *net, const struct dst_entry *
|
||||
dst_feature(dst, RTAX_FEATURE_ECN);
|
||||
}
|
||||
|
||||
#if IS_ENABLED(CONFIG_BPF)
|
||||
static inline bool cookie_bpf_ok(struct sk_buff *skb)
|
||||
{
|
||||
return skb->sk;
|
||||
}
|
||||
|
||||
struct request_sock *cookie_bpf_check(struct sock *sk, struct sk_buff *skb);
|
||||
#else
|
||||
static inline bool cookie_bpf_ok(struct sk_buff *skb)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
static inline struct request_sock *cookie_bpf_check(struct net *net, struct sock *sk,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
|
||||
/* From net/ipv6/syncookies.c */
|
||||
int __cookie_v6_check(const struct ipv6hdr *iph, const struct tcphdr *th);
|
||||
struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb);
|
||||
|
@ -295,6 +295,24 @@ static int cookie_tcp_reqsk_init(struct sock *sk, struct sk_buff *skb,
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if IS_ENABLED(CONFIG_BPF)
|
||||
struct request_sock *cookie_bpf_check(struct sock *sk, struct sk_buff *skb)
|
||||
{
|
||||
struct request_sock *req = inet_reqsk(skb->sk);
|
||||
|
||||
skb->sk = NULL;
|
||||
skb->destructor = NULL;
|
||||
|
||||
if (cookie_tcp_reqsk_init(sk, skb, req)) {
|
||||
reqsk_free(req);
|
||||
req = NULL;
|
||||
}
|
||||
|
||||
return req;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(cookie_bpf_check);
|
||||
#endif
|
||||
|
||||
struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
|
||||
struct sock *sk, struct sk_buff *skb,
|
||||
struct tcp_options_received *tcp_opt,
|
||||
@ -395,9 +413,13 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
|
||||
!th->ack || th->rst)
|
||||
goto out;
|
||||
|
||||
req = cookie_tcp_check(net, sk, skb);
|
||||
if (IS_ERR(req))
|
||||
goto out;
|
||||
if (cookie_bpf_ok(skb)) {
|
||||
req = cookie_bpf_check(sk, skb);
|
||||
} else {
|
||||
req = cookie_tcp_check(net, sk, skb);
|
||||
if (IS_ERR(req))
|
||||
goto out;
|
||||
}
|
||||
if (!req)
|
||||
goto out_drop;
|
||||
|
||||
@ -445,7 +467,8 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
|
||||
ireq->wscale_ok, &rcv_wscale,
|
||||
dst_metric(&rt->dst, RTAX_INITRWND));
|
||||
|
||||
ireq->rcv_wscale = rcv_wscale;
|
||||
if (!req->syncookie)
|
||||
ireq->rcv_wscale = rcv_wscale;
|
||||
ireq->ecn_ok &= cookie_ecn_ok(net, &rt->dst);
|
||||
|
||||
ret = tcp_get_cookie_sock(sk, skb, req, &rt->dst);
|
||||
|
@ -182,9 +182,13 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
|
||||
!th->ack || th->rst)
|
||||
goto out;
|
||||
|
||||
req = cookie_tcp_check(net, sk, skb);
|
||||
if (IS_ERR(req))
|
||||
goto out;
|
||||
if (cookie_bpf_ok(skb)) {
|
||||
req = cookie_bpf_check(sk, skb);
|
||||
} else {
|
||||
req = cookie_tcp_check(net, sk, skb);
|
||||
if (IS_ERR(req))
|
||||
goto out;
|
||||
}
|
||||
if (!req)
|
||||
goto out_drop;
|
||||
|
||||
@ -247,7 +251,8 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
|
||||
ireq->wscale_ok, &rcv_wscale,
|
||||
dst_metric(dst, RTAX_INITRWND));
|
||||
|
||||
ireq->rcv_wscale = rcv_wscale;
|
||||
if (!req->syncookie)
|
||||
ireq->rcv_wscale = rcv_wscale;
|
||||
ireq->ecn_ok &= cookie_ecn_ok(net, dst);
|
||||
|
||||
ret = tcp_get_cookie_sock(sk, skb, req, dst);
|
||||
|
Loading…
Reference in New Issue
Block a user