| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Feb 2024 20:06:58 -0800
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <kerneljasonxing@...il.com>
CC: <davem@...emloft.net>, <dsahern@...nel.org>, <edumazet@...gle.com>,
<kernelxing@...cent.com>, <kuba@...nel.org>, <kuniyu@...zon.com>,
<netdev@...r.kernel.org>, <pabeni@...hat.com>
Subject: Re: [PATCH net-next v3 3/6] tcp: add dropreasons in tcp_rcv_state_process()
From: Jason Xing <kerneljasonxing@...il.com>
Date: Tue, 13 Feb 2024 09:48:04 +0800
> On Mon, Feb 12, 2024 at 11:33 PM Eric Dumazet <edumazet@...gle.com> wrote:
> >
> > On Mon, Feb 12, 2024 at 10:29 AM Jason Xing <kerneljasonxing@...il.com> wrote:
> > >
> > > From: Jason Xing <kernelxing@...cent.com>
> >
> >
> > > if (!acceptable)
> > > - return 1;
> > > + /* This reason isn't clear. We can refine it in the future */
> > > + return SKB_DROP_REASON_TCP_CONNREQNOTACCEPTABLE;
> >
> > tcp_conn_request() might return 0 when a syncookie has been generated.
> >
> > Technically speaking, the incoming SYN was not dropped :)
>
> Hi Eric, Kuniyuki
>
> Sorry, I should have checked tcp_conn_request() carefully last night.
> Today, I checked tcp_conn_request() over and over again.
>
> I didn't find there is any chance to return a negative/positive value,
> only 0. It means @acceptable is always true and it should never return
> TCP_CONNREQNOTACCEPTABLE for TCP ipv4/6 protocol and never trigger a
> reset in this way.
Ah right, I remember I digged the same thing before and even in the
initial commit, conn_request() always returned 0 and tcp_rcv_state_process()
tested it with if (retval < 0).
I think we can clean up the leftover with some comments above
->conn_request() definition so that we can convert it to void
when we deprecate DCCP in the near future.
>
> For DCCP, there are chances to return -1 in dccp_v4_conn_request().
> But I don't think we've already added drop reasons in DCCP before.
>
> If I understand correctly, there is no need to do any refinement or
> even introduce TCP_CONNREQNOTACCEPTABLE new dropreason about the
> .conn_request() for TCP.
>
> Should I add a NEW kfree_skb_reason() in tcp_conn_request() for those
> labels, like drop_and_release, drop_and_free, drop, and not return a
> drop reason to its caller tcp_rcv_state_process()?
Most interested reasons will be covered by
- reqsk q : net_info_ratelimited() in tcp_syn_flood_action() or
net_dbg_ratelimited() in pr_drop_req() or
__NET_INC_STATS(net, LINUX_MIB_LISTENDROPS) in tcp_listendrop()
- accept q: NET_INC_STATS(net, LINUX_MIB_LISTENOVERFLOWS) or
__NET_INC_STATS(net, LINUX_MIB_LISTENDROPS) in tcp_listendrop()
and could be refined by drop reason, but I'm not sure if drop reason
is used under such a pressured situation.
Also, these failures are now treated with consume_skb().
Whichever is fine to me, no strong preference.
>
> Please correct me if I'm wrong...
>
> Thanks,
> Jason
>
> >
> > I think you need to have a patch to change tcp_conn_request() and its
> > friends to return a 'refined' drop_reason
> > to avoid future questions / patches.
Powered by blists - more mailing lists