From: Maxim Mikityanskiy
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Jakub Sitnicki, Arthur Fabre
CC: Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, "David S. Miller", Jakub Kicinski, Shuah Khan, Jesper Dangaard Brouer, "Maxim Mikityanskiy", Tariq Toukan
Subject: [PATCH bpf v5 1/2] bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
Date: Wed, 6 Apr 2022 15:41:12 +0300
Message-ID: <20220406124113.2795730-1-maximmi@nvidia.com>
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: bpf@iogearbox.net

bpf_tcp_gen_syncookie looks at the IP version in the IP header and validates the address family of the socket. It supports IPv4 packets in AF_INET6 dual-stack sockets.

On the other hand, bpf_tcp_check_syncookie looks only at the address family of the socket, ignoring the real IP version in headers, and validates only the packet size. This implementation has some drawbacks:

1. Packets are not validated properly, allowing a BPF program to trick bpf_tcp_check_syncookie into handling an IPv6 packet on an IPv4 socket.

2. Dual-stack sockets fail the checks on IPv4 packets. IPv4 clients end up receiving a SYNACK with the cookie, but the following ACK gets dropped.

This patch fixes these issues by changing the checks in bpf_tcp_check_syncookie to match the ones in bpf_tcp_gen_syncookie. IP version from the header is taken into account, and it is validated properly with address family.

Fixes: 399040847084 ("bpf: add helper to check for a valid SYN cookie")
Signed-off-by: Maxim Mikityanskiy
Reviewed-by: Tariq Toukan
Acked-by: Arthur Fabre

--- net/core/filter.c | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/net/core/filter.c b/net/core/filter.c index a7044e98765e..64470a727ef7 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -7016,24 +7016,33 @@ BPF_CALL_5(bpf_tcp_check_syncookie, struct sock *, sk, void *, iph, u32, iph_len if (!th->ack || th->rst || th->syn) return -ENOENT; + if (unlikely(iph_len < sizeof(struct iphdr))) + return -EINVAL; + if (tcp_synq_no_recent_overflow(sk)) return -ENOENT; cookie = ntohl(th->ack_seq) - 1; - switch (sk->sk_family) { - case AF_INET: - if (unlikely(iph_len < sizeof(struct iphdr))) + /* Both struct iphdr and struct ipv6hdr have the version field at the + * same offset so we can cast to the shorter header (struct iphdr). + */ + switch (((struct iphdr *)iph)->version) { + case 4: + if (sk->sk_family == AF_INET6 && ipv6_only_sock(sk)) return -EINVAL; ret = __cookie_v4_check((struct iphdr *)iph, th, cookie); break; #if IS_BUILTIN(CONFIG_IPV6) - case AF_INET6: + case 6: if (unlikely(iph_len < sizeof(struct ipv6hdr))) return -EINVAL; + if (sk->sk_family != AF_INET6) + return -EINVAL; + ret = __cookie_v6_check((struct ipv6hdr *)iph, th, cookie); break; #endif /* CONFIG_IPV6 */
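
Review bot: In the net/core/filter.c hunk of patch 1/2, the `case 4:` arm checks the socket family as a deny-list (`sk->sk_family == AF_INET6 && ipv6_only_sock(sk)`), while `case 6:` uses an allow-list (`sk->sk_family != AF_INET6`). Nothing visible in this hunk restricts sk_family to AF_INET or AF_INET6 before the switch, so the v4 arm accepts every other family; consider making it explicit (AF_INET, or AF_INET6 without v6only), or add a comment naming the earlier check that guarantees it. Moving the `iph_len < sizeof(struct iphdr)` test ahead of the `->version` read is the right order, and it would be worth saying so in the comment above the switch, since the cast is only safe because of it.
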
From: Maxim Mikityanskiy
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Jakub Sitnicki, Arthur Fabre
CC: Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, "David S. Miller", Jakub Kicinski, Shuah Khan, Jesper Dangaard Brouer, "Maxim Mikityanskiy"
Subject: [PATCH bpf v5 2/2] bpf: Adjust bpf_tcp_check_syncookie selftest to test dual-stack sockets
Date: Wed, 6 Apr 2022 15:41:13 +0300
Message-ID: <20220406124113.2795730-2-maximmi@nvidia.com>
In-Reply-To: <20220406124113.2795730-1-maximmi@nvidia.com>
References: <20220406124113.2795730-1-maximmi@nvidia.com>

The previous commit fixed support for dual-stack sockets in bpf_tcp_check_syncookie. This commit adjusts the selftest to verify the fixed functionality.

Signed-off-by: Maxim Mikityanskiy
Acked-by: Arthur Fabre

--- .../bpf/test_tcp_check_syncookie_user.c | 78 ++++++++++++++----- 1 file changed, 59 insertions(+), 19 deletions(-) diff --git a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c index b9e991d43155..e7775d3bbe08 100644 --- a/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c +++ b/tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c @@ -18,8 +18,9 @@ #include "bpf_rlimit.h" #include "cgroup_helpers.h" -static int start_server(const struct sockaddr *addr, socklen_t len) +static int start_server(const struct sockaddr *addr, socklen_t len, bool dual) { + int mode = !dual; int fd; fd = socket(addr->sa_family, SOCK_STREAM, 0); @@ -28,6 +29,14 @@ static int start_server(const struct sockaddr *addr, socklen_t len) goto out; } + if (addr->sa_family == AF_INET6) { + if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&mode, + sizeof(mode)) == -1) { + log_err("Failed to set the dual-stack mode"); + goto close_out; + } + } + if (bind(fd, addr, len) == -1) { log_err("Failed to bind server socket"); goto close_out; 
@@ -47,24 +56,17 @@ static int start_server(const struct sockaddr *addr, socklen_t len) return fd; } -static int connect_to_server(int server_fd) +static int connect_to_server(const struct sockaddr *addr, socklen_t len) { - struct sockaddr_storage addr; - socklen_t len = sizeof(addr); int fd = -1; - if (getsockname(server_fd, (struct sockaddr *)&addr, &len)) { - log_err("Failed to get server addr"); - goto out; - } - - fd = socket(addr.ss_family, SOCK_STREAM, 0); + fd = socket(addr->sa_family, SOCK_STREAM, 0); if (fd == -1) { log_err("Failed to create client socket"); goto out; } - if (connect(fd, (const struct sockaddr *)&addr, len) == -1) { + if (connect(fd, (const struct sockaddr *)addr, len) == -1) { log_err("Fail to connect to server"); goto close_out; } @@ -116,7 +118,8 @@ static int get_map_fd_by_prog_id(int prog_id, bool *xdp) return map_fd; } -static int run_test(int server_fd, int results_fd, bool xdp) +static int run_test(int server_fd, int results_fd, bool xdp, + const struct sockaddr *addr, socklen_t len) { int client = -1, srv_client = -1; int ret = 0; @@ -142,7 +145,7 @@ static int run_test(int server_fd, int results_fd, bool xdp) goto err; } - client = connect_to_server(server_fd); + client = connect_to_server(addr, len); if (client == -1) goto err; @@ -199,12 +202,30 @@ static int run_test(int server_fd, int results_fd, bool xdp) return ret; } +static bool get_port(int server_fd, in_port_t *port) +{ + struct sockaddr_in addr; + socklen_t len = sizeof(addr); + + if (getsockname(server_fd, (struct sockaddr *)&addr, &len)) { + log_err("Failed to get server addr"); + return false; + } + + /* sin_port and sin6_port are located at the same offset. */ + *port = addr.sin_port; + return true; +} + int main(int argc, char **argv) { struct sockaddr_in addr4; struct sockaddr_in6 addr6; + struct sockaddr_in addr4dual; + struct sockaddr_in6 addr6dual; int server = -1; int server_v6 = -1; + int server_dual = -1; int results = -1; int err = 0; bool xdp; 
@@ -224,25 +245,43 @@ int main(int argc, char **argv) addr4.sin_family = AF_INET; addr4.sin_addr.s_addr = htonl(INADDR_LOOPBACK); addr4.sin_port = 0; + memcpy(&addr4dual, &addr4, sizeof(addr4dual)); memset(&addr6, 0, sizeof(addr6)); addr6.sin6_family = AF_INET6; addr6.sin6_addr = in6addr_loopback; addr6.sin6_port = 0; - server = start_server((const struct sockaddr *)&addr4, sizeof(addr4)); - if (server == -1) + memset(&addr6dual, 0, sizeof(addr6dual)); + addr6dual.sin6_family = AF_INET6; + addr6dual.sin6_addr = in6addr_any; + addr6dual.sin6_port = 0; + + server = start_server((const struct sockaddr *)&addr4, sizeof(addr4), + false); + if (server == -1 || !get_port(server, &addr4.sin_port)) goto err; server_v6 = start_server((const struct sockaddr *)&addr6, - sizeof(addr6)); - if (server_v6 == -1) + sizeof(addr6), false); + if (server_v6 == -1 || !get_port(server_v6, &addr6.sin6_port)) + goto err; + + server_dual = start_server((const struct sockaddr *)&addr6dual, + sizeof(addr6dual), true); + if (server_dual == -1 || !get_port(server_dual, &addr4dual.sin_port)) + goto err; + + if (run_test(server, results, xdp, + (const struct sockaddr *)&addr4, sizeof(addr4))) goto err; - if (run_test(server, results, xdp)) + if (run_test(server_v6, results, xdp, + (const struct sockaddr *)&addr6, sizeof(addr6))) goto err; - if (run_test(server_v6, results, xdp)) + if (run_test(server_dual, results, xdp, + (const struct sockaddr *)&addr4dual, sizeof(addr4dual))) goto err; printf("ok\n"); @@ -252,6 +291,7 @@ int main(int argc, char **argv) out: close(server); close(server_v6); + close(server_dual); close(results); return err; }
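
Review bot: In the `start_server()` hunks of patch 2/2, `int mode = !dual;` holds the value passed to `IPV6_V6ONLY`, so the name hides the inversion from the `dual` parameter; naming it `v6only` would make the `setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, ...)` call read correctly at a glance. The `(char *)&mode` cast is also unnecessary, because setsockopt() takes a `const void *`.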
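
Review bot: In the new `get_port()` helper, `getsockname()` is given a `struct sockaddr_in` buffer even though `main()` calls it on `server_v6` and `server_dual`, which are AF_INET6 sockets, so the returned address is truncated and the result depends on `sin_port` and `sin6_port` sharing an offset. The comment covers the offset but not the truncation; a `struct sockaddr_storage` buffer with a switch on `ss_family` would remove both assumptions for a few extra lines.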
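
Review bot: In the `main()` hunk, all three `run_test()` calls are positive cases, and `server_dual` is exercised only with an IPv4 client (`addr4dual`). Patch 1/2 also adds `-EINVAL` returns for an IP version and address family mismatch, which nothing here covers; consider also running an IPv6 client against `server_dual` and adding a negative case for the mismatch, so the selftest fails if those checks regress.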