 
Date: Fri,  9 Feb 2024 14:12:12 +0800
From: Jason Xing <kerneljasonxing@...il.com>
To: davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	dsahern@...nel.org
Cc: netdev@...r.kernel.org,
	kerneljasonxing@...il.com,
	Jason Xing <kernelxing@...cent.com>
Subject: [PATCH v2 net-next 1/2] tcp: add more DROP REASONs in cookie check

From: Jason Xing <kernelxing@...cent.com>

Since the drop reason mechanism is already in place, this function always
using NOT_SPECIFIED is too general to be of any help when we want to track
drops in this part.

Signed-off-by: Jason Xing <kernelxing@...cent.com>
---
 include/net/dropreason-core.h | 12 ++++++++++++
 net/ipv4/syncookies.c         | 20 ++++++++++++++++----
 net/ipv4/tcp_ipv4.c           |  2 +-
 3 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h
index 6d3a20163260..efbc5dfd9e84 100644
--- a/include/net/dropreason-core.h
+++ b/include/net/dropreason-core.h
@@ -6,6 +6,7 @@
 #define DEFINE_DROP_REASON(FN, FNe)	\
 	FN(NOT_SPECIFIED)		\
 	FN(NO_SOCKET)			\
+	FN(NO_REQSK_ALLOC)		\
 	FN(PKT_TOO_SMALL)		\
 	FN(TCP_CSUM)			\
 	FN(SOCKET_FILTER)		\
@@ -43,10 +44,12 @@
 	FN(TCP_FASTOPEN)		\
 	FN(TCP_OLD_ACK)			\
 	FN(TCP_TOO_OLD_ACK)		\
+	FN(COOKIE_NOCHILD)		\
 	FN(TCP_ACK_UNSENT_DATA)		\
 	FN(TCP_OFO_QUEUE_PRUNE)		\
 	FN(TCP_OFO_DROP)		\
 	FN(IP_OUTNOROUTES)		\
+	FN(IP_ROUTEOUTPUTKEY)		\
 	FN(BPF_CGROUP_EGRESS)		\
 	FN(IPV6DISABLED)		\
 	FN(NEIGH_CREATEFAIL)		\
@@ -54,6 +57,7 @@
 	FN(NEIGH_QUEUEFULL)		\
 	FN(NEIGH_DEAD)			\
 	FN(TC_EGRESS)			\
+	FN(SECURITY_HOOK)		\
 	FN(QDISC_DROP)			\
 	FN(CPU_BACKLOG)			\
 	FN(XDP)				\
@@ -107,6 +111,8 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_NOT_SPECIFIED,
 	/** @SKB_DROP_REASON_NO_SOCKET: socket not found */
 	SKB_DROP_REASON_NO_SOCKET,
+	/** @SKB_DROP_REASON_NO_REQSK_ALLOC: request socket allocation failed */
+	SKB_DROP_REASON_NO_REQSK_ALLOC,
 	/** @SKB_DROP_REASON_PKT_TOO_SMALL: packet size is too small */
 	SKB_DROP_REASON_PKT_TOO_SMALL,
 	/** @SKB_DROP_REASON_TCP_CSUM: TCP checksum error */
@@ -243,6 +249,8 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_TCP_OLD_ACK,
 	/** @SKB_DROP_REASON_TCP_TOO_OLD_ACK: TCP ACK is too old */
 	SKB_DROP_REASON_TCP_TOO_OLD_ACK,
+	/** @SKB_DROP_REASON_COOKIE_NOCHILD: no child socket in cookie mode */
+	SKB_DROP_REASON_COOKIE_NOCHILD,
 	/**
 	 * @SKB_DROP_REASON_TCP_ACK_UNSENT_DATA: TCP ACK for data we haven't
 	 * sent yet
@@ -254,6 +262,8 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_TCP_OFO_DROP,
 	/** @SKB_DROP_REASON_IP_OUTNOROUTES: route lookup failed */
 	SKB_DROP_REASON_IP_OUTNOROUTES,
+	/** @SKB_DROP_REASON_IP_ROUTEOUTPUTKEY: route output key failed */
+	SKB_DROP_REASON_IP_ROUTEOUTPUTKEY,
 	/**
 	 * @SKB_DROP_REASON_BPF_CGROUP_EGRESS: dropped by BPF_PROG_TYPE_CGROUP_SKB
 	 * eBPF program
@@ -271,6 +281,8 @@ enum skb_drop_reason {
 	SKB_DROP_REASON_NEIGH_DEAD,
 	/** @SKB_DROP_REASON_TC_EGRESS: dropped in TC egress HOOK */
 	SKB_DROP_REASON_TC_EGRESS,
+	/** @SKB_DROP_REASON_SECURITY_HOOK: dropped due to security HOOK */
+	SKB_DROP_REASON_SECURITY_HOOK,
 	/**
 	 * @SKB_DROP_REASON_QDISC_DROP: dropped by qdisc when packet outputting (
 	 * failed to enqueue to current qdisc)
diff --git a/net/ipv4/syncookies.c b/net/ipv4/syncookies.c
index be88bf586ff9..6eb559ee20f9 100644
--- a/net/ipv4/syncookies.c
+++ b/net/ipv4/syncookies.c
@@ -399,6 +399,7 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 {
 	struct ip_options *opt = &TCP_SKB_CB(skb)->header.h4.opt;
 	const struct tcphdr *th = tcp_hdr(skb);
+	enum skb_drop_reason reason;
 	struct tcp_sock *tp = tcp_sk(sk);
 	struct inet_request_sock *ireq;
 	struct net *net = sock_net(sk);
@@ -420,8 +421,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 		if (IS_ERR(req))
 			goto out;
 	}
-	if (!req)
+	if (!req) {
+		reason = SKB_DROP_REASON_NO_REQSK_ALLOC;
 		goto out_drop;
+	}
 
 	ireq = inet_rsk(req);
 
@@ -433,8 +436,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 	 */
 	RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(net, skb));
 
-	if (security_inet_conn_request(sk, skb, req))
+	if (security_inet_conn_request(sk, skb, req)) {
+		reason = SKB_DROP_REASON_SECURITY_HOOK;
 		goto out_free;
+	}
 
 	tcp_ao_syncookie(sk, skb, req, AF_INET);
 
@@ -451,8 +456,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 			   ireq->ir_loc_addr, th->source, th->dest, sk->sk_uid);
 	security_req_classify_flow(req, flowi4_to_flowi_common(&fl4));
 	rt = ip_route_output_key(net, &fl4);
-	if (IS_ERR(rt))
+	if (IS_ERR(rt)) {
+		reason = SKB_DROP_REASON_IP_ROUTEOUTPUTKEY;
 		goto out_free;
+	}
 
 	/* Try to redo what tcp_v4_send_synack did. */
 	req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW);
@@ -475,12 +482,17 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
 	/* ip_queue_xmit() depends on our flow being setup
 	 * Normal sockets get it right from inet_csk_route_child_sock()
 	 */
-	if (ret)
+	if (ret) {
 		inet_sk(ret)->cork.fl.u.ip4 = fl4;
+	} else {
+		reason = SKB_DROP_REASON_COOKIE_NOCHILD;
+		goto out_drop;
+	}
 out:
 	return ret;
 out_free:
 	reqsk_free(req);
 out_drop:
+	kfree_skb_reason(skb, reason);
 	return NULL;
 }
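Review bot: `kfree_skb_reason(skb, reason);` under `out_drop:` changes the contract of cookie_v4_check(): a NULL return now means the skb has been consumed, and any caller that still frees it on NULL would double free. Nothing in the function documents that, so add `/* Consumes skb: every path that returns NULL frees it here, so callers must not free it again. */` above the label, and mention the ownership transfer in the comment on the function's declaration as well. Note also that `reason` is declared without an initializer in the first hunk of this file, so every `goto out_drop` and `goto out_free` must assign it first; the four jumps in this patch do, but a future `goto out_free` added without one would pass an uninitialized value to kfree_skb_reason(), which a reviewer will want a short comment at `out_free:` to guard against. The start of cookie_v4_check() is outside this hunk.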
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 0c50c5a32b84..0a944e109088 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1915,7 +1915,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
 		struct sock *nsk = tcp_v4_cookie_check(sk, skb);
 
 		if (!nsk)
-			goto discard;
+			return 0;
 		if (nsk != sk) {
 			if (tcp_child_process(sk, nsk, skb)) {
 				rsk = nsk;
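Review bot: `return 0;` replaces `goto discard` with no comment, so a reader of tcp_v4_do_rcv() sees an skb apparently leaked on the `!nsk` path and has to go to syncookies.c to learn that cookie_v4_check() already freed it. Make the ownership explicit at the call site: `return 0; /* skb was consumed by tcp_v4_cookie_check() */`. If tcp_v6_do_rcv() has the same `goto discard` after its cookie check, it needs the same change once cookie_v6_check() frees the skb with a reason; that may be what 2/2 of this series does. tcp_v4_do_rcv() starts and ends outside this hunk.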
-- 
2.37.3


