lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1eaebd1b-6933-20c9-1371-0429703bab2f@nvidia.com>
Date:   Tue, 10 May 2022 22:20:34 +0300
From:   Maxim Mikityanskiy <maximmi@...dia.com>
To:     Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc:     bpf <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        Networking <netdev@...r.kernel.org>,
        Tariq Toukan <tariqt@...dia.com>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Shuah Khan <shuah@...nel.org>,
        Jesper Dangaard Brouer <hawk@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        Nick Desaulniers <ndesaulniers@...gle.com>,
        Joe Stringer <joe@...ium.io>,
        Florent Revest <revest@...omium.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@...r.kernel.org>,
        Toke Høiland-Jørgensen <toke@...e.dk>,
        Kumar Kartikeya Dwivedi <memxor@...il.com>,
        Florian Westphal <fw@...len.de>, pabeni@...hat.com
Subject: Re: [PATCH bpf-next v9 3/5] bpf: Add helpers to issue and check SYN
 cookies in XDP

On 2022-05-07 00:19, Andrii Nakryiko wrote:
> On Tue, May 3, 2022 at 10:15 AM Maxim Mikityanskiy <maximmi@...dia.com> wrote:
>>
>> The new helpers bpf_tcp_raw_{gen,check}_syncookie_ipv{4,6} allow an XDP
>> program to generate SYN cookies in response to TCP SYN packets and to
>> check those cookies upon receiving the first ACK packet (the final
>> packet of the TCP handshake).
>>
>> Unlike bpf_tcp_{gen,check}_syncookie these new helpers don't need a
>> listening socket on the local machine, which allows to use them together
>> with synproxy to accelerate SYN cookie generation.
>>
>> Signed-off-by: Maxim Mikityanskiy <maximmi@...dia.com>
>> Reviewed-by: Tariq Toukan <tariqt@...dia.com>
>> ---
>>   include/net/tcp.h              |   1 +
>>   include/uapi/linux/bpf.h       |  78 ++++++++++++++++++++++
>>   net/core/filter.c              | 118 +++++++++++++++++++++++++++++++++
>>   net/ipv4/tcp_input.c           |   3 +-
>>   scripts/bpf_doc.py             |   4 ++
>>   tools/include/uapi/linux/bpf.h |  78 ++++++++++++++++++++++
>>   6 files changed, 281 insertions(+), 1 deletion(-)
>>
>> diff --git a/include/net/tcp.h b/include/net/tcp.h
>> index 94a52ad1101c..45aafc28ce00 100644
>> --- a/include/net/tcp.h
>> +++ b/include/net/tcp.h
>> @@ -432,6 +432,7 @@ u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph,
>>                           struct tcphdr *th, u32 *cookie);
>>   u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph,
>>                           struct tcphdr *th, u32 *cookie);
>> +u16 tcp_parse_mss_option(const struct tcphdr *th, u16 user_mss);
>>   u16 tcp_get_syncookie_mss(struct request_sock_ops *rsk_ops,
>>                            const struct tcp_request_sock_ops *af_ops,
>>                            struct sock *sk, struct tcphdr *th);
>> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
>> index 4dd9e34f2a60..5e611d898302 100644
>> --- a/include/uapi/linux/bpf.h
>> +++ b/include/uapi/linux/bpf.h
>> @@ -5156,6 +5156,80 @@ union bpf_attr {
>>    *             if not NULL, is a reference which must be released using its
>>    *             corresponding release function, or moved into a BPF map before
>>    *             program exit.
>> + *
>> + * s64 bpf_tcp_raw_gen_syncookie_ipv4(struct iphdr *iph, struct tcphdr *th, u32 th_len)
>> + *     Description
>> + *             Try to issue a SYN cookie for the packet with corresponding
>> + *             IPv4/TCP headers, *iph* and *th*, without depending on a
>> + *             listening socket.
>> + *
>> + *             *iph* points to the IPv4 header.
>> + *
>> + *             *th* points to the start of the TCP header, while *th_len*
>> + *             contains the length of the TCP header (at least
>> + *             **sizeof**\ (**struct tcphdr**)).
>> + *     Return
>> + *             On success, lower 32 bits hold the generated SYN cookie in
>> + *             followed by 16 bits which hold the MSS value for that cookie,
>> + *             and the top 16 bits are unused.
>> + *
>> + *             On failure, the returned value is one of the following:
>> + *
>> + *             **-EINVAL** if *th_len* is invalid.
>> + *
>> + * s64 bpf_tcp_raw_gen_syncookie_ipv6(struct ipv6hdr *iph, struct tcphdr *th, u32 th_len)
>> + *     Description
>> + *             Try to issue a SYN cookie for the packet with corresponding
>> + *             IPv6/TCP headers, *iph* and *th*, without depending on a
>> + *             listening socket.
>> + *
>> + *             *iph* points to the IPv6 header.
>> + *
>> + *             *th* points to the start of the TCP header, while *th_len*
>> + *             contains the length of the TCP header (at least
>> + *             **sizeof**\ (**struct tcphdr**)).
>> + *     Return
>> + *             On success, lower 32 bits hold the generated SYN cookie in
>> + *             followed by 16 bits which hold the MSS value for that cookie,
>> + *             and the top 16 bits are unused.
>> + *
>> + *             On failure, the returned value is one of the following:
>> + *
>> + *             **-EINVAL** if *th_len* is invalid.
>> + *
>> + *             **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
>> + *
>> + * int bpf_tcp_raw_check_syncookie_ipv4(struct iphdr *iph, struct tcphdr *th)
> 
> Note that all existing helpers that just return error or 0 on success
> return long. Please use long for consistency.

OK. There are some existing helpers that return int, though: 
bpf_inode_storage_delete, bpf_get_retval, bpf_set_retval. They should 
probably be fixed by someone as well.

>> + *     Description
>> + *             Check whether *iph* and *th* contain a valid SYN cookie ACK
>> + *             without depending on a listening socket.
>> + *
>> + *             *iph* points to the IPv4 header.
>> + *
>> + *             *th* points to the TCP header.
>> + *     Return
>> + *             0 if *iph* and *th* are a valid SYN cookie ACK.
>> + *
>> + *             On failure, the returned value is one of the following:
>> + *
>> + *             **-EACCES** if the SYN cookie is not valid.
>> + *
>> + * int bpf_tcp_raw_check_syncookie_ipv6(struct ipv6hdr *iph, struct tcphdr *th)
> 
> same
> 
>> + *     Description
>> + *             Check whether *iph* and *th* contain a valid SYN cookie ACK
>> + *             without depending on a listening socket.
>> + *
>> + *             *iph* points to the IPv6 header.
>> + *
>> + *             *th* points to the TCP header.
>> + *     Return
>> + *             0 if *iph* and *th* are a valid SYN cookie ACK.
>> + *
>> + *             On failure, the returned value is one of the following:
>> + *
>> + *             **-EACCES** if the SYN cookie is not valid.
>> + *
>> + *             **-EPROTONOSUPPORT** if CONFIG_IPV6 is not builtin.
> 
> [...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ