lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 22 Apr 2022 20:23:25 +0300
From:   Maxim Mikityanskiy <maximmi@...dia.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     bpf@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
        Andrii Nakryiko <andrii@...nel.org>, netdev@...r.kernel.org,
        Tariq Toukan <tariqt@...dia.com>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Petar Penkov <ppenkov@...gle.com>,
        Lorenz Bauer <lmb@...udflare.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Shuah Khan <shuah@...nel.org>,
        Jesper Dangaard Brouer <hawk@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Joe Stringer <joe@...ium.io>,
        Florent Revest <revest@...omium.org>,
        linux-kselftest@...r.kernel.org,
        Toke Høiland-Jørgensen <toke@...e.dk>,
        Kumar Kartikeya Dwivedi <memxor@...il.com>,
        Florian Westphal <fw@...len.de>
Subject: Re: [PATCH bpf-next v5 4/6] bpf: Add helpers to issue and check SYN
 cookies in XDP

On 2022-04-14 01:48, Daniel Borkmann wrote:
> On 4/13/22 3:41 PM, Maxim Mikityanskiy wrote:
> [...]
>>   /* integer value in 'imm' field of BPF_CALL instruction selects 
>> which helper
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 7446b0ba4e38..428cc63ecdf7 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -7425,6 +7425,124 @@ static const struct bpf_func_proto 
>> bpf_skb_set_tstamp_proto = {
>>       .arg3_type      = ARG_ANYTHING,
>>   };
>> +BPF_CALL_3(bpf_tcp_raw_gen_syncookie_ipv4, struct iphdr *, iph,
>> +       struct tcphdr *, th, u32, th_len)
>> +{
>> +#ifdef CONFIG_SYN_COOKIES
>> +    u32 cookie;
>> +    u16 mss;
>> +
>> +    if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4))
>> +        return -EINVAL;
>> +
>> +    mss = tcp_parse_mss_option(th, 0) ?: TCP_MSS_DEFAULT;
>> +    cookie = __cookie_v4_init_sequence(iph, th, &mss);
>> +
>> +    return cookie | ((u64)mss << 32);
>> +#else
>> +    return -EOPNOTSUPP;
>> +#endif /* CONFIG_SYN_COOKIES */
> 
> This (and for other added helpers below) will be rather tricky to probe 
> for availability
> e.g. via `bpftool feature probe [...]`. Much better if you wrap the 
> ifdef CONFIG_SYN_COOKIES
> around the {xdp,tc_cls_act}_func_proto() instead as we do elsewhere.

Just for the record, I copied this pattern from the existing SYN cookie 
helpers, but what you suggest makes sense, so I'll fix it for my helpers 
and resubmit.

>> +}
>> +
>> +static const struct bpf_func_proto 
>> bpf_tcp_raw_gen_syncookie_ipv4_proto = {
>> +    .func        = bpf_tcp_raw_gen_syncookie_ipv4,
>> +    .gpl_only    = true, /* __cookie_v4_init_sequence() is GPL */
>> +    .pkt_access    = true,
>> +    .ret_type    = RET_INTEGER,
>> +    .arg1_type    = ARG_PTR_TO_MEM,
>> +    .arg1_size    = sizeof(struct iphdr),
>> +    .arg2_type    = ARG_PTR_TO_MEM,
>> +    .arg3_type    = ARG_CONST_SIZE,
>> +};
>> +
>> +BPF_CALL_3(bpf_tcp_raw_gen_syncookie_ipv6, struct ipv6hdr *, iph,
>> +       struct tcphdr *, th, u32, th_len)
>> +{
>> +#ifndef CONFIG_SYN_COOKIES
>> +    return -EOPNOTSUPP;
>> +#elif !IS_BUILTIN(CONFIG_IPV6)
>> +    return -EPROTONOSUPPORT;
>> +#else
>> +    const u16 mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) -
>> +        sizeof(struct ipv6hdr);
>> +    u32 cookie;
>> +    u16 mss;
>> +
>> +    if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4))
>> +        return -EINVAL;
>> +
>> +    mss = tcp_parse_mss_option(th, 0) ?: mss_clamp;
>> +    cookie = __cookie_v6_init_sequence(iph, th, &mss);
>> +
>> +    return cookie | ((u64)mss << 32);
>> +#endif
>> +}
>> +
>> +static const struct bpf_func_proto 
>> bpf_tcp_raw_gen_syncookie_ipv6_proto = {
>> +    .func        = bpf_tcp_raw_gen_syncookie_ipv6,
>> +    .gpl_only    = true, /* __cookie_v6_init_sequence() is GPL */
>> +    .pkt_access    = true,
>> +    .ret_type    = RET_INTEGER,
>> +    .arg1_type    = ARG_PTR_TO_MEM,
>> +    .arg1_size    = sizeof(struct ipv6hdr),
>> +    .arg2_type    = ARG_PTR_TO_MEM,
>> +    .arg3_type    = ARG_CONST_SIZE,
>> +};
> [...]
>>   bool bpf_helper_changes_pkt_data(void *func)
>> @@ -7837,6 +7955,14 @@ xdp_func_proto(enum bpf_func_id func_id, const 
>> struct bpf_prog *prog)
>>           return &bpf_tcp_check_syncookie_proto;
>>       case BPF_FUNC_tcp_gen_syncookie:
>>           return &bpf_tcp_gen_syncookie_proto;
>> +    case BPF_FUNC_tcp_raw_gen_syncookie_ipv4:
>> +        return &bpf_tcp_raw_gen_syncookie_ipv4_proto;
>> +    case BPF_FUNC_tcp_raw_gen_syncookie_ipv6:
>> +        return &bpf_tcp_raw_gen_syncookie_ipv6_proto;
>> +    case BPF_FUNC_tcp_raw_check_syncookie_ipv4:
>> +        return &bpf_tcp_raw_check_syncookie_ipv4_proto;
>> +    case BPF_FUNC_tcp_raw_check_syncookie_ipv6:
>> +        return &bpf_tcp_raw_check_syncookie_ipv6_proto;
>>   #endif
>>       default:
>>           return bpf_sk_base_func_proto(func_id);

Powered by blists - more mailing lists