lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Apr 2022 20:23:25 +0300 From: Maxim Mikityanskiy <maximmi@...dia.com> To: Daniel Borkmann <daniel@...earbox.net> Cc: bpf@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>, Andrii Nakryiko <andrii@...nel.org>, netdev@...r.kernel.org, Tariq Toukan <tariqt@...dia.com>, Martin KaFai Lau <kafai@...com>, Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Petar Penkov <ppenkov@...gle.com>, Lorenz Bauer <lmb@...udflare.com>, Eric Dumazet <edumazet@...gle.com>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, David Ahern <dsahern@...nel.org>, Shuah Khan <shuah@...nel.org>, Jesper Dangaard Brouer <hawk@...nel.org>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Joe Stringer <joe@...ium.io>, Florent Revest <revest@...omium.org>, linux-kselftest@...r.kernel.org, Toke Høiland-Jørgensen <toke@...e.dk>, Kumar Kartikeya Dwivedi <memxor@...il.com>, Florian Westphal <fw@...len.de> Subject: Re: [PATCH bpf-next v5 4/6] bpf: Add helpers to issue and check SYN cookies in XDP On 2022-04-14 01:48, Daniel Borkmann wrote: > On 4/13/22 3:41 PM, Maxim Mikityanskiy wrote: > [...] >> /* integer value in 'imm' field of BPF_CALL instruction selects >> which helper >> diff --git a/net/core/filter.c b/net/core/filter.c >> index 7446b0ba4e38..428cc63ecdf7 100644 >> --- a/net/core/filter.c >> +++ b/net/core/filter.c >> @@ -7425,6 +7425,124 @@ static const struct bpf_func_proto >> bpf_skb_set_tstamp_proto = { >> .arg3_type = ARG_ANYTHING, >> }; >> +BPF_CALL_3(bpf_tcp_raw_gen_syncookie_ipv4, struct iphdr *, iph, >> + struct tcphdr *, th, u32, th_len) >> +{ >> +#ifdef CONFIG_SYN_COOKIES >> + u32 cookie; >> + u16 mss; >> + >> + if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4)) >> + return -EINVAL; >> + >> + mss = tcp_parse_mss_option(th, 0) ?: TCP_MSS_DEFAULT; >> + cookie = __cookie_v4_init_sequence(iph, th, &mss); >> + >> + return cookie | ((u64)mss << 32); >> +#else >> + return -EOPNOTSUPP; >> +#endif /* CONFIG_SYN_COOKIES */ > > This (and for other added helpers below) will be rather tricky to probe > for availability > e.g. via `bpftool feature probe [...]`. Much better if you wrap the > ifdef CONFIG_SYN_COOKIES > around the {xdp,tc_cls_act}_func_proto() instead as we do elsewhere. Just for the record, I copied this pattern from the existing SYN cookie helpers, but what you suggest makes sense, so I'll fix it for my helpers and resubmit. >> +} >> + >> +static const struct bpf_func_proto >> bpf_tcp_raw_gen_syncookie_ipv4_proto = { >> + .func = bpf_tcp_raw_gen_syncookie_ipv4, >> + .gpl_only = true, /* __cookie_v4_init_sequence() is GPL */ >> + .pkt_access = true, >> + .ret_type = RET_INTEGER, >> + .arg1_type = ARG_PTR_TO_MEM, >> + .arg1_size = sizeof(struct iphdr), >> + .arg2_type = ARG_PTR_TO_MEM, >> + .arg3_type = ARG_CONST_SIZE, >> +}; >> + >> +BPF_CALL_3(bpf_tcp_raw_gen_syncookie_ipv6, struct ipv6hdr *, iph, >> + struct tcphdr *, th, u32, th_len) >> +{ >> +#ifndef CONFIG_SYN_COOKIES >> + return -EOPNOTSUPP; >> +#elif !IS_BUILTIN(CONFIG_IPV6) >> + return -EPROTONOSUPPORT; >> +#else >> + const u16 mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - >> + sizeof(struct ipv6hdr); >> + u32 cookie; >> + u16 mss; >> + >> + if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4)) >> + return -EINVAL; >> + >> + mss = tcp_parse_mss_option(th, 0) ?: mss_clamp; >> + cookie = __cookie_v6_init_sequence(iph, th, &mss); >> + >> + return cookie | ((u64)mss << 32); >> +#endif >> +} >> + >> +static const struct bpf_func_proto >> bpf_tcp_raw_gen_syncookie_ipv6_proto = { >> + .func = bpf_tcp_raw_gen_syncookie_ipv6, >> + .gpl_only = true, /* __cookie_v6_init_sequence() is GPL */ >> + .pkt_access = true, >> + .ret_type = RET_INTEGER, >> + .arg1_type = ARG_PTR_TO_MEM, >> + .arg1_size = sizeof(struct ipv6hdr), >> + .arg2_type = ARG_PTR_TO_MEM, >> + .arg3_type = ARG_CONST_SIZE, >> +}; > [...] >> bool bpf_helper_changes_pkt_data(void *func) >> @@ -7837,6 +7955,14 @@ xdp_func_proto(enum bpf_func_id func_id, const >> struct bpf_prog *prog) >> return &bpf_tcp_check_syncookie_proto; >> case BPF_FUNC_tcp_gen_syncookie: >> return &bpf_tcp_gen_syncookie_proto; >> + case BPF_FUNC_tcp_raw_gen_syncookie_ipv4: >> + return &bpf_tcp_raw_gen_syncookie_ipv4_proto; >> + case BPF_FUNC_tcp_raw_gen_syncookie_ipv6: >> + return &bpf_tcp_raw_gen_syncookie_ipv6_proto; >> + case BPF_FUNC_tcp_raw_check_syncookie_ipv4: >> + return &bpf_tcp_raw_check_syncookie_ipv4_proto; >> + case BPF_FUNC_tcp_raw_check_syncookie_ipv6: >> + return &bpf_tcp_raw_check_syncookie_ipv6_proto; >> #endif >> default: >> return bpf_sk_base_func_proto(func_id);
Powered by blists - more mailing lists