| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <20171023161700.GB25570@da0602a-dhcp113.apple.com>
Date: Mon, 23 Oct 2017 09:17:00 -0700
From: Christoph Paasch <cpaasch@...le.com>
To: Yuchung Cheng <ycheng@...gle.com>
Cc: David Miller <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <edumazet@...gle.com>
Subject: Re: [PATCH v2 net-next] tcp: Enable TFO without a cookie on a
per-socket basis
Hello,
On 20/10/17 - 17:46:06, Yuchung Cheng wrote:
> On Fri, Oct 20, 2017 at 2:13 PM, Christoph Paasch <cpaasch@...le.com> wrote:
> >
> > We already allow to enable TFO without a cookie by using the
> > fastopen-sysctl and setting it to TFO_SERVER_COOKIE_NOT_REQD (0x200).
> > This is safe to do in certain environments where we know that there
> > isn't a malicous host (aka., data-centers).
> >
> > A server however might be talking to both sides (public Internet and
> > data-center). So, this server would want to enable cookie-less TFO for
> > the connections that go to the data-center while enforcing cookies for
> > the traffic from the Internet.
> >
> > This patch exposes a socket-option to enable this (protected by
> > CAP_NET_ADMIN).
> the protection is removed in this version?
yes, removed it upon suggestion by Eric. I missed to update the commit log.
Will do so in the v3.
>
> >
> > Signed-off-by: Christoph Paasch <cpaasch@...le.com>
> > ---
> >
> > Notes:
> > v2: * Rename to fastopen_no_cookie and TCP_FASTOPEN_NO_COOKIE
> > * Add per-route attribute for fastopen_no_cookie
> > * Get rid of the capability check
> >
> > include/linux/tcp.h | 3 ++-
> > include/net/tcp.h | 3 ++-
> > include/uapi/linux/rtnetlink.h | 2 ++
> > include/uapi/linux/tcp.h | 1 +
> > net/ipv4/tcp.c | 12 ++++++++++++
> > net/ipv4/tcp_fastopen.c | 14 +++++++++++---
> > net/ipv4/tcp_input.c | 2 +-
> > 7 files changed, 31 insertions(+), 6 deletions(-)
> >
> > diff --git a/include/linux/tcp.h b/include/linux/tcp.h
> > index 1d2c44e09e31..173a7c2f9636 100644
> > --- a/include/linux/tcp.h
> > +++ b/include/linux/tcp.h
> > @@ -215,7 +215,8 @@ struct tcp_sock {
> > u8 chrono_type:2, /* current chronograph type */
> > rate_app_limited:1, /* rate_{delivered,interval_us} limited? */
> > fastopen_connect:1, /* FASTOPEN_CONNECT sockopt */
> > - unused:4;
> > + fastopen_no_cookie:1, /* Allow send/recv SYN+data without a cookie */
> > + unused:3;
> > u8 nonagle : 4,/* Disable Nagle algorithm? */
> > thin_lto : 1,/* Use linear timeouts for thin streams */
> > unused1 : 1,
> > diff --git a/include/net/tcp.h b/include/net/tcp.h
> > index 1efe8365cb28..020b20c3f50a 100644
> > --- a/include/net/tcp.h
> > +++ b/include/net/tcp.h
> > @@ -1562,7 +1562,8 @@ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
> > void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb);
> > struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
> > struct request_sock *req,
> > - struct tcp_fastopen_cookie *foc);
> > + struct tcp_fastopen_cookie *foc,
> > + const struct dst_entry *dst);
> > void tcp_fastopen_init_key_once(struct net *net);
> > bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
> > struct tcp_fastopen_cookie *cookie);
> > diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
> > index dab7dad9e01a..fe6679268901 100644
> > --- a/include/uapi/linux/rtnetlink.h
> > +++ b/include/uapi/linux/rtnetlink.h
> > @@ -430,6 +430,8 @@ enum {
> > #define RTAX_QUICKACK RTAX_QUICKACK
> > RTAX_CC_ALGO,
> > #define RTAX_CC_ALGO RTAX_CC_ALGO
> > + RTAX_FASTOPEN_NO_COOKIE,
> > +#define RTAX_FASTOPEN_NO_COOKIE RTAX_FASTOPEN_NO_COOKIE
> > __RTAX_MAX
> > };
> >
> > diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h
> > index 69c7493e42f8..d67e1d40c6d6 100644
> > --- a/include/uapi/linux/tcp.h
> > +++ b/include/uapi/linux/tcp.h
> > @@ -120,6 +120,7 @@ enum {
> > #define TCP_ULP 31 /* Attach a ULP to a TCP connection */
> > #define TCP_MD5SIG_EXT 32 /* TCP MD5 Signature with extensions */
> > #define TCP_FASTOPEN_KEY 33 /* Set the key for Fast Open (cookie) */
> > +#define TCP_FASTOPEN_NO_COOKIE 34 /* Enable TFO without a TFO cookie */
> >
> > struct tcp_repair_opt {
> > __u32 opt_code;
> > diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> > index 8b1fa4dd4538..a3d46a781abd 100644
> > --- a/net/ipv4/tcp.c
> > +++ b/net/ipv4/tcp.c
> > @@ -2832,6 +2832,14 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
> > err = -EOPNOTSUPP;
> > }
> > break;
> > + case TCP_FASTOPEN_NO_COOKIE:
> > + if (val > 1 || val < 0)
> > + err = -EINVAL;
> > + else if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))
> > + err = -EINVAL;
> > + else
> > + tp->fastopen_no_cookie = 1;
> > + break;
> > case TCP_TIMESTAMP:
> > if (!tp->repair)
> > err = -EPERM;
> > @@ -3252,6 +3260,10 @@ static int do_tcp_getsockopt(struct sock *sk, int level,
> > val = tp->fastopen_connect;
> > break;
> >
> > + case TCP_FASTOPEN_NO_COOKIE:
> > + val = tp->fastopen_no_cookie;
> > + break;
> > +
> > case TCP_TIMESTAMP:
> > val = tcp_time_stamp_raw() + tp->tsoffset;
> > break;
> > diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
> > index 21075ce19cb6..e704bd86fdf9 100644
> > --- a/net/ipv4/tcp_fastopen.c
> > +++ b/net/ipv4/tcp_fastopen.c
> > @@ -316,7 +316,8 @@ static bool tcp_fastopen_queue_check(struct sock *sk)
> > */
> > struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
> > struct request_sock *req,
> > - struct tcp_fastopen_cookie *foc)
> > + struct tcp_fastopen_cookie *foc,
> > + const struct dst_entry *dst)
> > {
> > bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
> > int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
> > @@ -333,7 +334,9 @@ struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
> > return NULL;
> > }
> >
> > - if (syn_data && (tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD))
> > + if (syn_data && ((tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD) ||
> > + tcp_sk(sk)->fastopen_no_cookie ||
> > + (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE))))
> > goto fastopen;
> >
> > if (foc->len >= 0 && /* Client presents or requests a cookie */
> > @@ -370,6 +373,7 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
> > struct tcp_fastopen_cookie *cookie)
> > {
> > unsigned long last_syn_loss = 0;
> > + const struct dst_entry *dst;
> > int syn_loss = 0;
> >
> > tcp_fastopen_cache_get(sk, mss, cookie, &syn_loss, &last_syn_loss);
> > @@ -387,7 +391,11 @@ bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
> > return false;
> > }
> >
> > - if (sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) {
> > + dst = __sk_dst_get(sk);
> > +
> > + if ((sock_net(sk)->ipv4.sysctl_tcp_fastopen & TFO_CLIENT_NO_COOKIE) ||
> > + tcp_sk(sk)->fastopen_no_cookie ||
> > + (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE))) {
> perhaps a helper e.g. tcp_fastopen_needs_cookie(syscl_flag) for this
> function and tcp_try_fastopen() to tidy the code a bit?
Sure, I will create a helper.
Thanks,
Christoph
Powered by blists - more mailing lists