Hi Dmitry,
On 06/06/2024 02:58, Dmitry Safonov via B4 Relay wrote:
> From: Dmitry Safonov <0x7f454...@gmail.com>
>
> Two reasons:
> 1. It's grown up enough
> 2. In order to not do header spaghetti by including
> <trace/events/tcp.h>, which is necessary for TCP tracepoints.
>
> While at it, unexport and make static tcp_inbound_ao_hash().
Thank you for working on this.
> Signed-off-by: Dmitry Safonov <0x7f454...@gmail.com>
> ---
> include/net/tcp.h | 78
> +++----------------------------------------------------
> net/ipv4/tcp.c | 66 ++++++++++++++++++++++++++++++++++++++++++++--
> 2 files changed, 68 insertions(+), 76 deletions(-)
>
> diff --git a/include/net/tcp.h b/include/net/tcp.h
> index e5427b05129b..2aac11e7e1cc 100644
> --- a/include/net/tcp.h
> +++ b/include/net/tcp.h
> @@ -1863,12 +1863,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk,
> return __tcp_md5_do_lookup(sk, 0, addr, family, true);
> }
>
> -enum skb_drop_reason
> -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> - const void *saddr, const void *daddr,
> - int family, int l3index, const __u8 *hash_location);
> -
> -
> #define tcp_twsk_md5_key(twsk) ((twsk)->tw_md5_key)
> #else
> static inline struct tcp_md5sig_key *
> @@ -1885,13 +1879,6 @@ tcp_md5_do_lookup_any_l3index(const struct sock *sk,
> return NULL;
> }
>
> -static inline enum skb_drop_reason
> -tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> - const void *saddr, const void *daddr,
> - int family, int l3index, const __u8 *hash_location)
> -{
> - return SKB_NOT_DROPPED_YET;
> -}
It looks like this no-op is still needed, please see below.
> #define tcp_twsk_md5_key(twsk) NULL
> #endif
>
(...)
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index fa43aaacd92b..80ed5c099f11 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -4456,7 +4456,7 @@ int tcp_md5_hash_key(struct tcp_sigpool *hp,
> EXPORT_SYMBOL(tcp_md5_hash_key);
>
> /* Called with rcu_read_lock() */
> -enum skb_drop_reason
> +static enum skb_drop_reason
> tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb,
> const void *saddr, const void *daddr,
> int family, int l3index, const __u8 *hash_location)
> @@ -4510,10 +4510,72 @@ tcp_inbound_md5_hash(const struct sock *sk, const
> struct sk_buff *skb,
> }
> return SKB_NOT_DROPPED_YET;
> }
> -EXPORT_SYMBOL(tcp_inbound_md5_hash);
>
> #endif
>
> +/* Called with rcu_read_lock() */
> +enum skb_drop_reason
> +tcp_inbound_hash(struct sock *sk, const struct request_sock *req,
> + const struct sk_buff *skb,
> + const void *saddr, const void *daddr,
> + int family, int dif, int sdif)
> +{
> + const struct tcphdr *th = tcp_hdr(skb);
> + const struct tcp_ao_hdr *aoh;
> + const __u8 *md5_location;
> + int l3index;
> +
> + /* Invalid option or two times meet any of auth options */
> + if (tcp_parse_auth_options(th, &md5_location, &aoh)) {
> + tcp_hash_fail("TCP segment has incorrect auth options set",
> + family, skb, "");
> + return SKB_DROP_REASON_TCP_AUTH_HDR;
> + }
> +
> + if (req) {
> + if (tcp_rsk_used_ao(req) != !!aoh) {
> + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
> + tcp_hash_fail("TCP connection can't start/end using
> TCP-AO",
> + family, skb, "%s",
> + !aoh ? "missing AO" : "AO signed");
> + return SKB_DROP_REASON_TCP_AOFAILURE;
> + }
> + }
> +
> + /* sdif set, means packet ingressed via a device
> + * in an L3 domain and dif is set to the l3mdev
> + */
> + l3index = sdif ? dif : 0;
> +
> + /* Fast path: unsigned segments */
> + if (likely(!md5_location && !aoh)) {
> + /* Drop if there's TCP-MD5 or TCP-AO key with any rcvid/sndid
> + * for the remote peer. On TCP-AO established connection
> + * the last key is impossible to remove, so there's
> + * always at least one current_key.
> + */
> + if (tcp_ao_required(sk, saddr, family, l3index, true)) {
> + tcp_hash_fail("AO hash is required, but not found",
> + family, skb, "L3 index %d", l3index);
> + return SKB_DROP_REASON_TCP_AONOTFOUND;
> + }
> + if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) {
> + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
> + tcp_hash_fail("MD5 Hash not found",
> + family, skb, "L3 index %d", l3index);
> + return SKB_DROP_REASON_TCP_MD5NOTFOUND;
> + }
> + return SKB_NOT_DROPPED_YET;
> + }
> +
> + if (aoh)
> + return tcp_inbound_ao_hash(sk, skb, family, req, l3index, aoh);
> +
> + return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family,
> + l3index, md5_location);
Many selftests are currently failing [1] because of this line: if
CONFIG_TCP_MD5SIG is not defined -- which is currently the case in many
selftests: tc, mptcp, forwarding, netfilter, drivers, etc. -- then this
tcp_inbound_md5_hash() function is not defined:
> net/ipv4/tcp.c: In function ‘tcp_inbound_hash’:
> net/ipv4/tcp.c:4570:16: error: implicit declaration of function
> ‘tcp_inbound_md5_hash’; did you mean ‘tcp_inbound_ao_hash’?
> [-Werror=implicit-function-declaration]
> 4570 | return tcp_inbound_md5_hash(sk, skb, saddr, daddr, family,
> | ^~~~~~~~~~~~~~~~~~~~
> | tcp_inbound_ao_hash
Do you (or any maintainers) mind replying to this email with this line
[2] so future builds from the CI will no longer pick-up this series?
pw-bot: changes-requested
[1]
https://netdev.bots.linux.dev/contest.html?pw-n=0&branch=net-next-2024-06-06--06-00&test=build
[2]
https://docs.kernel.org/process/maintainer-netdev.html#updating-patch-status
Cheers,
Matt
--
Sponsored by the NGI0 Core fund.
