[SRU][F:linux-bluefield][PATCH 20/21] UBUNTU: SAUCE: bpf: Add helpers to issue and check SYN cookies in XDP
Bodong Wang
bodong at nvidia.com
Mon Jul 5 15:39:58 UTC 2021
From: Maxim Mikityanskiy <maximmi at nvidia.com>
BugLink: https://bugs.launchpad.net/bugs/1934499
The new helpers bpf_tcp_raw_{gen,check}_syncookie allow an XDP program
to generate SYN cookies in response to TCP SYN packets and to check
those cookies upon receiving the first ACK packet (the final packet of
the TCP handshake).
Unlike bpf_tcp_{gen,check}_syncookie these new helpers don't need a
listening socket on the local machine, which allows to use them together
with synproxy to accelerate SYN cookie generation.
Signed-off-by: Maxim Mikityanskiy <maximmi at nvidia.com>
Reviewed-by: Tariq Toukan <tariqt at nvidia.com>
Signed-off-by: Bodong Wang <bodong at nvidia.com>
---
include/net/tcp.h | 1 +
include/uapi/linux/bpf.h | 53 +++++++++++++
net/core/filter.c | 119 ++++++++++++++++++++++++++++++
net/ipv4/tcp_input.c | 3 +-
tools/include/uapi/linux/bpf.h | 51 +++++++++++++
tools/testing/selftests/bpf/bpf_helpers.h | 6 ++
6 files changed, 232 insertions(+), 1 deletion(-)
diff --git a/include/net/tcp.h b/include/net/tcp.h
index b914959..2f2c7aa 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -421,6 +421,7 @@ u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph,
struct tcphdr *th, u32 *cookie);
u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph,
struct tcphdr *th, u32 *cookie);
+u16 tcp_parse_mss_option(const struct tcphdr *th, u16 user_mss);
u16 tcp_get_syncookie_mss(struct request_sock_ops *rsk_ops,
const struct tcp_request_sock_ops *af_ops,
struct sock *sk, struct tcphdr *th);
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 9128511..e3c55b7 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -2767,6 +2767,57 @@ struct bpf_stack_build_id {
* **-EINVAL** input arguments are invalid.
*
* **-ENOENT** the connection is not known to conntrack.
+ *
+ * s64 bpf_tcp_raw_gen_syncookie(void *iph, u32 iph_len, struct tcphdr *th, u32 th_len)
+ * Description
+ * Try to issue a SYN cookie for the packet with corresponding
+ * IP/TCP headers, *iph* and *th*, without depending on a listening
+ * socket.
+ *
+ * *iph* points to the start of the IPv4 or IPv6 header, while
+ * *iph_len* contains **sizeof**\ (**struct iphdr**) or
+ * **sizeof**\ (**struct ip6hdr**).
+ *
+ * *th* points to the start of the TCP header, while *th_len*
+ * contains the length of the TCP header.
+ *
+ * Return
+ * On success, lower 32 bits hold the generated SYN cookie in
+ * followed by 16 bits which hold the MSS value for that cookie,
+ * and the top 16 bits are unused.
+ *
+ * On failure, the returned value is one of the following:
+ *
+ * **-EINVAL** input arguments are invalid
+ *
+ * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies
+ *
+ * **-EPROTONOSUPPORT** IP packet version is not 4 or 6
+ *
+ * int bpf_tcp_raw_check_syncookie(void *iph, u32 iph_len, struct tcphdr *th, u32 th_len)
+ * Description
+ * Check whether *iph* and *th* contain a valid SYN cookie ACK
+ * without depending on a listening socket.
+ *
+ * *iph* points to the start of the IPv4 or IPv6 header, while
+ * *iph_len* contains **sizeof**\ (**struct iphdr**) or
+ * **sizeof**\ (**struct ip6hdr**).
+ *
+ * *th* points to the start of the TCP header, while *th_len*
+ * contains **sizeof**\ (**struct tcphdr**).
+ *
+ * Return
+ * On success, 0.
+ *
+ * On failure, the returned value is one of the following:
+ *
+ * **-EINVAL** input arguments are invalid
+ *
+ * **-ENOENT** the packet is not a valid ACK packet
+ *
+ * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies
+ *
+ * **-EPROTONOSUPPORT** IP packet version is not 4 or 6
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -2881,6 +2932,8 @@ struct bpf_stack_build_id {
FN(send_signal), \
FN(tcp_gen_syncookie), \
FN(ct_lookup_tcp), \
+ FN(tcp_raw_gen_syncookie), \
+ FN(tcp_raw_check_syncookie), \
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call
diff --git a/net/core/filter.c b/net/core/filter.c
index 7df5971..a08a7ff 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6017,6 +6017,121 @@ u32 bpf_xdp_sock_convert_ctx_access(enum bpf_access_type type,
};
#endif
+BPF_CALL_4(bpf_tcp_raw_gen_syncookie, void *, iph, u32, iph_len,
+ struct tcphdr *, th, u32, th_len)
+{
+#ifdef CONFIG_SYN_COOKIES
+ u32 cookie;
+ u16 mss;
+
+ if (unlikely(th_len < sizeof(*th) || th_len != th->doff * 4))
+ return -EINVAL;
+
+ if (!th->syn || th->ack || th->fin || th->rst)
+ return -EINVAL;
+
+ if (unlikely(iph_len < sizeof(struct iphdr)))
+ return -EINVAL;
+
+ /* Both struct iphdr and struct ipv6hdr have the version field at the
+ * same offset so we can cast to the shorter header (struct iphdr).
+ */
+ switch (((struct iphdr *)iph)->version) {
+ case 4:
+ mss = tcp_parse_mss_option(th, 0) ?: TCP_MSS_DEFAULT;
+ cookie = __cookie_v4_init_sequence(iph, th, &mss);
+ break;
+
+#if IS_BUILTIN(CONFIG_IPV6)
+ case 6: {
+ const u16 mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
+
+ if (unlikely(iph_len < sizeof(struct ipv6hdr)))
+ return -EINVAL;
+
+ mss = tcp_parse_mss_option(th, 0) ?: mss_clamp;
+ cookie = __cookie_v6_init_sequence(iph, th, &mss);
+ break;
+ }
+#endif /* CONFIG_IPV6 */
+
+ default:
+ return -EPROTONOSUPPORT;
+ }
+
+ return cookie | ((u64)mss << 32);
+#else
+ return -EOPNOTSUPP;
+#endif /* CONFIG_SYN_COOKIES */
+}
+
+static const struct bpf_func_proto bpf_tcp_raw_gen_syncookie_proto = {
+ .func = bpf_tcp_raw_gen_syncookie,
+ .gpl_only = true, /* __cookie_v*_init_sequence() is GPL */
+ .pkt_access = true,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_MEM,
+ .arg2_type = ARG_CONST_SIZE,
+ .arg3_type = ARG_PTR_TO_MEM,
+ .arg4_type = ARG_CONST_SIZE,
+};
+
+BPF_CALL_4(bpf_tcp_raw_check_syncookie, void *, iph, u32, iph_len,
+ struct tcphdr *, th, u32, th_len)
+{
+#ifdef CONFIG_SYN_COOKIES
+ u32 cookie;
+ int ret;
+
+ if (!th->ack || th->rst || th->syn)
+ return -ENOENT;
+
+ cookie = ntohl(th->ack_seq) - 1;
+
+ if (unlikely(iph_len < sizeof(struct iphdr)))
+ return -EINVAL;
+
+ /* Both struct iphdr and struct ipv6hdr have the version field at the
+ * same offset so we can cast to the shorter header (struct iphdr).
+ */
+ switch (((struct iphdr *)iph)->version) {
+ case 4:
+ ret = __cookie_v4_check((struct iphdr *)iph, th, cookie);
+ break;
+
+#if IS_BUILTIN(CONFIG_IPV6)
+ case 6:
+ if (unlikely(iph_len < sizeof(struct ipv6hdr)))
+ return -EINVAL;
+
+ ret = __cookie_v6_check((struct ipv6hdr *)iph, th, cookie);
+ break;
+#endif /* CONFIG_IPV6 */
+
+ default:
+ return -EPROTONOSUPPORT;
+ }
+
+ if (ret > 0)
+ return 0;
+
+ return -ENOENT;
+#else
+ return -EOPNOTSUPP;
+#endif
+}
+
+static const struct bpf_func_proto bpf_tcp_raw_check_syncookie_proto = {
+ .func = bpf_tcp_raw_check_syncookie,
+ .gpl_only = true, /* __cookie_v*_check is GPL */
+ .pkt_access = true,
+ .ret_type = RET_INTEGER,
+ .arg1_type = ARG_PTR_TO_MEM,
+ .arg2_type = ARG_CONST_SIZE,
+ .arg3_type = ARG_PTR_TO_MEM,
+ .arg4_type = ARG_CONST_SIZE,
+};
+
#endif /* CONFIG_INET */
bool bpf_helper_changes_pkt_data(void *func)
@@ -6355,6 +6470,10 @@ bool bpf_helper_changes_pkt_data(void *func)
case BPF_FUNC_ct_lookup_tcp:
return &bpf_xdp_ct_lookup_tcp_proto;
#endif
+ case BPF_FUNC_tcp_raw_gen_syncookie:
+ return &bpf_tcp_raw_gen_syncookie_proto;
+ case BPF_FUNC_tcp_raw_check_syncookie:
+ return &bpf_tcp_raw_check_syncookie_proto;
#endif
default:
return bpf_base_func_proto(func_id);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a1768de..7499100 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -3810,7 +3810,7 @@ static void smc_parse_options(const struct tcphdr *th,
/* Try to parse the MSS option from the TCP header. Return 0 on failure, clamped
* value on success.
*/
-static u16 tcp_parse_mss_option(const struct tcphdr *th, u16 user_mss)
+u16 tcp_parse_mss_option(const struct tcphdr *th, u16 user_mss)
{
const unsigned char *ptr = (const unsigned char *)(th + 1);
int length = (th->doff * 4) - sizeof(struct tcphdr);
@@ -3849,6 +3849,7 @@ static u16 tcp_parse_mss_option(const struct tcphdr *th, u16 user_mss)
}
return mss;
}
+EXPORT_SYMBOL_GPL(tcp_parse_mss_option);
/* Look for tcp options. Normally only called on SYN and SYNACK packets.
* But, this can also be called on packets in the established flow when
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 14ffd42..6fb29c34 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -2767,6 +2767,55 @@ struct bpf_stack_build_id {
* **-EINVAL** input arguments are invalid.
*
* **-ENOENT** the connection is not known to conntrack.
+ *
+ * s64 bpf_tcp_raw_gen_syncookie(void *iph, u32 iph_len, struct tcphdr *th, u32 th_len)
+ * Description
+ * Try to issue a SYN cookie for the packet with corresponding
+ * IP/TCP headers, *iph* and *th*, without depending on a listening
+ * socket.
+ *
+ * *iph* points to the start of the IPv4 or IPv6 header, while
+ * *iph_len* contains **sizeof**\ (**struct iphdr**) or
+ * **sizeof**\ (**struct ip6hdr**).
+ *
+ * *th* points to the start of the TCP header, while *th_len*
+ * contains the length of the TCP header.
+ *
+ * Return
+ * On success, lower 32 bits hold the generated SYN cookie in
+ * followed by 16 bits which hold the MSS value for that cookie,
+ * and the top 16 bits are unused.
+ *
+ * On failure, the returned value is one of the following:
+ *
+ * **-EINVAL** input arguments are invalid
+ *
+ * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies
+ *
+ * **-EPROTONOSUPPORT** IP packet version is not 4 or 6
+ *
+ * int bpf_tcp_raw_check_syncookie(void *iph, u32 iph_len, struct tcphdr *th, u32 th_len)
+ * Description
+ * Check whether *iph* and *th* contain a valid SYN cookie ACK
+ * without depending on a listening socket.
+ *
+ * *iph* points to the start of the IPv4 or IPv6 header, while
+ * *iph_len* contains **sizeof**\ (**struct iphdr**) or
+ * **sizeof**\ (**struct ip6hdr**).
+ *
+ * *th* points to the start of the TCP header, while *th_len*
+ * contains **sizeof**\ (**struct tcphdr**).
+ *
+ * Return
+ * On success, 0.
+ *
+ * On failure, the returned value is one of the following:
+ *
+ * **-EINVAL** input arguments are invalid
+ *
+ * **-ENOENT** the packet is not a valid ACK packet
+ *
+ * **-EOPNOTSUPP** kernel configuration does not enable SYN cookies
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -2881,6 +2930,8 @@ struct bpf_stack_build_id {
FN(send_signal), \
FN(tcp_gen_syncookie), \
FN(ct_lookup_tcp), \
+ FN(tcp_raw_gen_syncookie), \
+ FN(tcp_raw_check_syncookie), \
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call
diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h
index 9f1e2ac..78ab538 100644
--- a/tools/testing/selftests/bpf/bpf_helpers.h
+++ b/tools/testing/selftests/bpf/bpf_helpers.h
@@ -236,6 +236,12 @@ static long long (*bpf_tcp_gen_syncookie)(struct bpf_sock *sk, void *ip,
static long (*bpf_ct_lookup_tcp)(void *ctx, struct bpf_sock_tuple *tuple,
__u32 tuple_size, __u64 netns, __u64 flags) =
(void *) BPF_FUNC_ct_lookup_tcp;
+static __s64 (*bpf_tcp_raw_gen_syncookie)(void *iph, __u32 iph_len,
+ struct tcphdr *th, __u32 th_len) =
+ (void *) BPF_FUNC_tcp_raw_gen_syncookie;
+static int (*bpf_tcp_raw_check_syncookie)(void *iph, __u32 iph_len,
+ struct tcphdr *th, __u32 th_len) =
+ (void *) BPF_FUNC_tcp_raw_check_syncookie;
/* llvm builtin functions that eBPF C program may use to
* emit BPF_LD_ABS and BPF_LD_IND instructions
--
1.8.3.1
More information about the kernel-team
mailing list