License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 15:07:57 +01:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2016-01-24 14:20:23 +01:00
|
|
|
#include <linux/crypto.h>
|
2012-08-31 14:29:11 +02:00
|
|
|
#include <linux/err.h>
|
2012-07-19 08:43:05 +02:00
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/kernel.h>
|
2012-08-31 14:29:11 +02:00
|
|
|
#include <linux/list.h>
|
|
|
|
|
#include <linux/tcp.h>
|
|
|
|
|
#include <linux/rcupdate.h>
|
|
|
|
|
#include <linux/rculist.h>
|
|
|
|
|
#include <net/inetpeer.h>
|
|
|
|
|
#include <net/tcp.h>
|
2012-07-19 08:43:05 +02:00
|
|
|
|
2017-09-27 05:35:42 +02:00
|
|
|
void tcp_fastopen_init_key_once(struct net *net)
|
2013-10-19 21:48:58 +02:00
|
|
|
{
|
2017-09-27 05:35:42 +02:00
|
|
|
u8 key[TCP_FASTOPEN_KEY_LENGTH];
|
|
|
|
|
struct tcp_fastopen_context *ctxt;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
|
|
|
|
|
if (ctxt) {
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
rcu_read_unlock();
|
2013-10-19 21:48:58 +02:00
|
|
|
|
|
|
|
|
/* tcp_fastopen_reset_cipher publishes the new context
|
|
|
|
|
* atomically, so we allow this race happening here.
|
|
|
|
|
*
|
|
|
|
|
* All call sites of tcp_fastopen_cookie_gen also check
|
|
|
|
|
* for a valid cookie, so this is an acceptable risk.
|
|
|
|
|
*/
|
2017-09-27 05:35:42 +02:00
|
|
|
get_random_bytes(key, sizeof(key));
|
2019-06-19 23:46:28 +02:00
|
|
|
tcp_fastopen_reset_cipher(net, NULL, key, NULL);
|
2013-10-19 21:48:58 +02:00
|
|
|
}
|
|
|
|
|
|
2012-08-31 14:29:11 +02:00
|
|
|
static void tcp_fastopen_ctx_free(struct rcu_head *head)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_fastopen_context *ctx =
|
|
|
|
|
container_of(head, struct tcp_fastopen_context, rcu);
|
2019-05-29 18:33:57 +02:00
|
|
|
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
kzfree(ctx);
|
2012-08-31 14:29:11 +02:00
|
|
|
}
|
|
|
|
|
|
2017-10-18 20:22:51 +02:00
|
|
|
void tcp_fastopen_destroy_cipher(struct sock *sk)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_fastopen_context *ctx;
|
|
|
|
|
|
|
|
|
|
ctx = rcu_dereference_protected(
|
|
|
|
|
inet_csk(sk)->icsk_accept_queue.fastopenq.ctx, 1);
|
|
|
|
|
if (ctx)
|
|
|
|
|
call_rcu(&ctx->rcu, tcp_fastopen_ctx_free);
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-27 05:35:42 +02:00
|
|
|
void tcp_fastopen_ctx_destroy(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_fastopen_context *ctxt;
|
|
|
|
|
|
|
|
|
|
spin_lock(&net->ipv4.tcp_fastopen_ctx_lock);
|
|
|
|
|
|
|
|
|
|
ctxt = rcu_dereference_protected(net->ipv4.tcp_fastopen_ctx,
|
|
|
|
|
lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock));
|
|
|
|
|
rcu_assign_pointer(net->ipv4.tcp_fastopen_ctx, NULL);
|
|
|
|
|
spin_unlock(&net->ipv4.tcp_fastopen_ctx_lock);
|
|
|
|
|
|
|
|
|
|
if (ctxt)
|
|
|
|
|
call_rcu(&ctxt->rcu, tcp_fastopen_ctx_free);
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-18 20:22:51 +02:00
|
|
|
int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
|
2019-06-19 23:46:28 +02:00
|
|
|
void *primary_key, void *backup_key)
|
2012-08-31 14:29:11 +02:00
|
|
|
{
|
|
|
|
|
struct tcp_fastopen_context *ctx, *octx;
|
2017-10-18 20:22:51 +02:00
|
|
|
struct fastopen_queue *q;
|
2019-05-29 18:33:57 +02:00
|
|
|
int err = 0;
|
2012-08-31 14:29:11 +02:00
|
|
|
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
|
|
|
|
|
if (!ctx) {
|
|
|
|
|
err = -ENOMEM;
|
2019-05-29 18:33:57 +02:00
|
|
|
goto out;
|
2012-08-31 14:29:11 +02:00
|
|
|
}
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
|
2019-06-19 23:46:28 +02:00
|
|
|
ctx->key[0].key[0] = get_unaligned_le64(primary_key);
|
|
|
|
|
ctx->key[0].key[1] = get_unaligned_le64(primary_key + 8);
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
if (backup_key) {
|
2019-06-19 23:46:28 +02:00
|
|
|
ctx->key[1].key[0] = get_unaligned_le64(backup_key);
|
|
|
|
|
ctx->key[1].key[1] = get_unaligned_le64(backup_key + 8);
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
ctx->num = 2;
|
|
|
|
|
} else {
|
|
|
|
|
ctx->num = 1;
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-02 19:53:04 +01:00
|
|
|
spin_lock(&net->ipv4.tcp_fastopen_ctx_lock);
|
2017-10-18 20:22:51 +02:00
|
|
|
if (sk) {
|
|
|
|
|
q = &inet_csk(sk)->icsk_accept_queue.fastopenq;
|
|
|
|
|
octx = rcu_dereference_protected(q->ctx,
|
2017-11-02 19:53:04 +01:00
|
|
|
lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock));
|
2017-10-18 20:22:51 +02:00
|
|
|
rcu_assign_pointer(q->ctx, ctx);
|
|
|
|
|
} else {
|
|
|
|
|
octx = rcu_dereference_protected(net->ipv4.tcp_fastopen_ctx,
|
|
|
|
|
lockdep_is_held(&net->ipv4.tcp_fastopen_ctx_lock));
|
|
|
|
|
rcu_assign_pointer(net->ipv4.tcp_fastopen_ctx, ctx);
|
|
|
|
|
}
|
2017-11-02 19:53:04 +01:00
|
|
|
spin_unlock(&net->ipv4.tcp_fastopen_ctx_lock);
|
2012-08-31 14:29:11 +02:00
|
|
|
|
|
|
|
|
if (octx)
|
|
|
|
|
call_rcu(&octx->rcu, tcp_fastopen_ctx_free);
|
2019-05-29 18:33:57 +02:00
|
|
|
out:
|
2012-08-31 14:29:11 +02:00
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2020-08-10 19:38:39 +02:00
|
|
|
int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk,
|
|
|
|
|
u64 *key)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_fastopen_context *ctx;
|
|
|
|
|
int n_keys = 0, i;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
if (icsk)
|
|
|
|
|
ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx);
|
|
|
|
|
else
|
|
|
|
|
ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
|
|
|
|
|
if (ctx) {
|
|
|
|
|
n_keys = tcp_fastopen_context_len(ctx);
|
|
|
|
|
for (i = 0; i < n_keys; i++) {
|
|
|
|
|
put_unaligned_le64(ctx->key[i].key[0], key + (i * 2));
|
|
|
|
|
put_unaligned_le64(ctx->key[i].key[1], key + (i * 2) + 1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
|
|
return n_keys;
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-29 18:33:56 +02:00
|
|
|
static bool __tcp_fastopen_cookie_gen_cipher(struct request_sock *req,
|
|
|
|
|
struct sk_buff *syn,
|
2019-06-19 23:46:28 +02:00
|
|
|
const siphash_key_t *key,
|
2019-05-29 18:33:56 +02:00
|
|
|
struct tcp_fastopen_cookie *foc)
|
2012-08-31 14:29:11 +02:00
|
|
|
{
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
BUILD_BUG_ON(TCP_FASTOPEN_COOKIE_SIZE != sizeof(u64));
|
|
|
|
|
|
2019-05-29 18:33:56 +02:00
|
|
|
if (req->rsk_ops->family == AF_INET) {
|
|
|
|
|
const struct iphdr *iph = ip_hdr(syn);
|
2017-10-18 20:22:51 +02:00
|
|
|
|
2019-06-19 23:46:28 +02:00
|
|
|
foc->val[0] = cpu_to_le64(siphash(&iph->saddr,
|
|
|
|
|
sizeof(iph->saddr) +
|
|
|
|
|
sizeof(iph->daddr),
|
|
|
|
|
key));
|
2019-05-29 18:33:56 +02:00
|
|
|
foc->len = TCP_FASTOPEN_COOKIE_SIZE;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
#if IS_ENABLED(CONFIG_IPV6)
|
|
|
|
|
if (req->rsk_ops->family == AF_INET6) {
|
|
|
|
|
const struct ipv6hdr *ip6h = ipv6_hdr(syn);
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
|
2019-06-19 23:46:28 +02:00
|
|
|
foc->val[0] = cpu_to_le64(siphash(&ip6h->saddr,
|
|
|
|
|
sizeof(ip6h->saddr) +
|
|
|
|
|
sizeof(ip6h->daddr),
|
|
|
|
|
key));
|
2012-08-31 14:29:11 +02:00
|
|
|
foc->len = TCP_FASTOPEN_COOKIE_SIZE;
|
2019-05-29 18:33:56 +02:00
|
|
|
return true;
|
2012-08-31 14:29:11 +02:00
|
|
|
}
|
2019-05-29 18:33:56 +02:00
|
|
|
#endif
|
|
|
|
|
return false;
|
2014-05-12 05:22:13 +02:00
|
|
|
}
|
|
|
|
|
|
net: ipv4: move tcp_fastopen server side code to SipHash library
Using a bare block cipher in non-crypto code is almost always a bad idea,
not only for security reasons (and we've seen some examples of this in
the kernel in the past), but also for performance reasons.
In the TCP fastopen case, we call into the bare AES block cipher one or
two times (depending on whether the connection is IPv4 or IPv6). On most
systems, this results in a call chain such as
crypto_cipher_encrypt_one(ctx, dst, src)
crypto_cipher_crt(tfm)->cit_encrypt_one(crypto_cipher_tfm(tfm), ...);
aesni_encrypt
kernel_fpu_begin();
aesni_enc(ctx, dst, src); // asm routine
kernel_fpu_end();
It is highly unlikely that the use of special AES instructions has a
benefit in this case, especially since we are doing the above twice
for IPv6 connections, instead of using a transform which can process
the entire input in one go.
We could switch to the cbcmac(aes) shash, which would at least get
rid of the duplicated overhead in *some* cases (i.e., today, only
arm64 has an accelerated implementation of cbcmac(aes), while x86 will
end up using the generic cbcmac template wrapping the AES-NI cipher,
which basically ends up doing exactly the above). However, in the given
context, it makes more sense to use a light-weight MAC algorithm that
is more suitable for the purpose at hand, such as SipHash.
Since the output size of SipHash already matches our chosen value for
TCP_FASTOPEN_COOKIE_SIZE, and given that it accepts arbitrary input
sizes, this greatly simplifies the code as well.
NOTE: Server farms backing a single server IP for load balancing purposes
and sharing a single fastopen key will be adversely affected by
this change unless all systems in the pool receive their kernel
upgrades at the same time.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-17 10:09:33 +02:00
|
|
|
/* Generate the fastopen cookie by applying SipHash to both the source and
|
|
|
|
|
* destination addresses.
|
2014-05-12 05:22:13 +02:00
|
|
|
*/
|
2019-05-29 18:33:57 +02:00
|
|
|
static void tcp_fastopen_cookie_gen(struct sock *sk,
|
2017-09-27 05:35:42 +02:00
|
|
|
struct request_sock *req,
|
2014-05-12 05:22:13 +02:00
|
|
|
struct sk_buff *syn,
|
|
|
|
|
struct tcp_fastopen_cookie *foc)
|
|
|
|
|
{
|
2019-05-29 18:33:56 +02:00
|
|
|
struct tcp_fastopen_context *ctx;
|
2014-05-12 05:22:13 +02:00
|
|
|
|
2019-05-29 18:33:56 +02:00
|
|
|
rcu_read_lock();
|
2019-05-29 18:33:57 +02:00
|
|
|
ctx = tcp_fastopen_get_ctx(sk);
|
2019-05-29 18:33:56 +02:00
|
|
|
if (ctx)
|
2019-06-19 23:46:28 +02:00
|
|
|
__tcp_fastopen_cookie_gen_cipher(req, syn, &ctx->key[0], foc);
|
2019-05-29 18:33:56 +02:00
|
|
|
rcu_read_unlock();
|
2012-08-31 14:29:11 +02:00
|
|
|
}
|
2014-05-12 05:22:09 +02:00
|
|
|
|
2016-02-02 06:03:07 +01:00
|
|
|
/* If an incoming SYN or SYNACK frame contains a payload and/or FIN,
|
|
|
|
|
* queue this additional data / FIN.
|
|
|
|
|
*/
|
|
|
|
|
void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_sock *tp = tcp_sk(sk);
|
|
|
|
|
|
|
|
|
|
if (TCP_SKB_CB(skb)->end_seq == tp->rcv_nxt)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
skb = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
|
if (!skb)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
skb_dst_drop(skb);
|
2016-03-14 18:52:15 +01:00
|
|
|
/* segs_in has been initialized to 1 in tcp_create_openreq_child().
|
|
|
|
|
* Hence, reset segs_in to 0 before calling tcp_segs_in()
|
|
|
|
|
* to avoid double counting. Also, tcp_segs_in() expects
|
|
|
|
|
* skb->len to include the tcp_hdrlen. Hence, it should
|
|
|
|
|
* be called before __skb_pull().
|
|
|
|
|
*/
|
|
|
|
|
tp->segs_in = 0;
|
|
|
|
|
tcp_segs_in(tp, skb);
|
2016-02-02 06:03:07 +01:00
|
|
|
__skb_pull(skb, tcp_hdrlen(skb));
|
2016-09-07 17:34:11 +02:00
|
|
|
sk_forced_mem_schedule(sk, skb->truesize);
|
2016-02-02 06:03:07 +01:00
|
|
|
skb_set_owner_r(skb, sk);
|
|
|
|
|
|
2016-02-02 06:03:08 +01:00
|
|
|
TCP_SKB_CB(skb)->seq++;
|
|
|
|
|
TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_SYN;
|
|
|
|
|
|
2016-02-02 06:03:07 +01:00
|
|
|
tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
|
|
|
|
|
__skb_queue_tail(&sk->sk_receive_queue, skb);
|
|
|
|
|
tp->syn_data_acked = 1;
|
|
|
|
|
|
|
|
|
|
/* u64_stats_update_begin(&tp->syncp) not needed here,
|
|
|
|
|
* as we certainly are not changing upper 32bit value (0)
|
|
|
|
|
*/
|
|
|
|
|
tp->bytes_received = skb->len;
|
2016-02-06 20:16:28 +01:00
|
|
|
|
|
|
|
|
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
|
|
|
|
|
tcp_fin(sk);
|
2016-02-02 06:03:07 +01:00
|
|
|
}
|
|
|
|
|
|
2019-05-29 18:33:57 +02:00
|
|
|
/* returns 0 - no key match, 1 for primary, 2 for backup */
|
|
|
|
|
static int tcp_fastopen_cookie_gen_check(struct sock *sk,
|
|
|
|
|
struct request_sock *req,
|
|
|
|
|
struct sk_buff *syn,
|
|
|
|
|
struct tcp_fastopen_cookie *orig,
|
|
|
|
|
struct tcp_fastopen_cookie *valid_foc)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_fastopen_cookie search_foc = { .len = -1 };
|
|
|
|
|
struct tcp_fastopen_cookie *foc = valid_foc;
|
|
|
|
|
struct tcp_fastopen_context *ctx;
|
|
|
|
|
int i, ret = 0;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
ctx = tcp_fastopen_get_ctx(sk);
|
|
|
|
|
if (!ctx)
|
|
|
|
|
goto out;
|
|
|
|
|
for (i = 0; i < tcp_fastopen_context_len(ctx); i++) {
|
2019-06-19 23:46:28 +02:00
|
|
|
__tcp_fastopen_cookie_gen_cipher(req, syn, &ctx->key[i], foc);
|
2019-05-29 18:33:57 +02:00
|
|
|
if (tcp_fastopen_cookie_match(foc, orig)) {
|
|
|
|
|
ret = i + 1;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
foc = &search_foc;
|
|
|
|
|
}
|
|
|
|
|
out:
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-25 02:16:05 +02:00
|
|
|
static struct sock *tcp_fastopen_create_child(struct sock *sk,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
struct request_sock *req)
|
2014-05-12 05:22:09 +02:00
|
|
|
{
|
2014-06-16 22:30:36 +02:00
|
|
|
struct tcp_sock *tp;
|
2014-05-12 05:22:09 +02:00
|
|
|
struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
|
|
|
|
|
struct sock *child;
|
2015-10-22 17:20:46 +02:00
|
|
|
bool own_req;
|
2014-05-12 05:22:09 +02:00
|
|
|
|
2015-10-22 17:20:46 +02:00
|
|
|
child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
|
|
|
|
|
NULL, &own_req);
|
2015-04-03 10:17:26 +02:00
|
|
|
if (!child)
|
2015-09-25 02:16:05 +02:00
|
|
|
return NULL;
|
2014-05-12 05:22:09 +02:00
|
|
|
|
2015-09-29 16:42:52 +02:00
|
|
|
spin_lock(&queue->fastopenq.lock);
|
|
|
|
|
queue->fastopenq.qlen++;
|
|
|
|
|
spin_unlock(&queue->fastopenq.lock);
|
2014-05-12 05:22:09 +02:00
|
|
|
|
|
|
|
|
/* Initialize the child socket. Have to fix some values to take
|
|
|
|
|
* into account the child is a Fast Open socket and is created
|
|
|
|
|
* only out of the bits carried in the SYN packet.
|
|
|
|
|
*/
|
|
|
|
|
tp = tcp_sk(child);
|
|
|
|
|
|
2019-10-11 05:17:38 +02:00
|
|
|
rcu_assign_pointer(tp->fastopen_rsk, req);
|
2015-03-18 02:32:29 +01:00
|
|
|
tcp_rsk(req)->tfo_listener = true;
|
2014-05-12 05:22:09 +02:00
|
|
|
|
|
|
|
|
/* RFC1323: The window in SYN & SYN/ACK segments is never
|
|
|
|
|
* scaled. So correct it appropriately.
|
|
|
|
|
*/
|
|
|
|
|
tp->snd_wnd = ntohs(tcp_hdr(skb)->window);
|
2017-01-19 14:36:39 +01:00
|
|
|
tp->max_window = tp->snd_wnd;
|
2014-05-12 05:22:09 +02:00
|
|
|
|
|
|
|
|
/* Activate the retrans timer so that SYNACK can be retransmitted.
|
2015-10-02 20:43:35 +02:00
|
|
|
* The request socket is not added to the ehash
|
2014-05-12 05:22:09 +02:00
|
|
|
* because it's been added to the accept queue directly.
|
|
|
|
|
*/
|
|
|
|
|
inet_csk_reset_xmit_timer(child, ICSK_TIME_RETRANS,
|
|
|
|
|
TCP_TIMEOUT_INIT, TCP_RTO_MAX);
|
|
|
|
|
|
2017-06-30 12:08:01 +02:00
|
|
|
refcount_set(&req->rsk_refcnt, 2);
|
2014-05-12 05:22:09 +02:00
|
|
|
|
|
|
|
|
/* Now finish processing the fastopen child socket. */
|
tcp: uniform the set up of sockets after successful connection
Currently in the TCP code, the initialization sequence for cached
metrics, congestion control, BPF, etc, after successful connection
is very inconsistent. This introduces inconsistent bevhavior and is
prone to bugs. The current call sequence is as follows:
(1) for active case (tcp_finish_connect() case):
tcp_mtup_init(sk);
icsk->icsk_af_ops->rebuild_header(sk);
tcp_init_metrics(sk);
tcp_call_bpf(sk, BPF_SOCK_OPS_ACTIVE_ESTABLISHED_CB);
tcp_init_congestion_control(sk);
tcp_init_buffer_space(sk);
(2) for passive case (tcp_rcv_state_process() TCP_SYN_RECV case):
icsk->icsk_af_ops->rebuild_header(sk);
tcp_call_bpf(sk, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB);
tcp_init_congestion_control(sk);
tcp_mtup_init(sk);
tcp_init_buffer_space(sk);
tcp_init_metrics(sk);
(3) for TFO passive case (tcp_fastopen_create_child()):
inet_csk(child)->icsk_af_ops->rebuild_header(child);
tcp_init_congestion_control(child);
tcp_mtup_init(child);
tcp_init_metrics(child);
tcp_call_bpf(child, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB);
tcp_init_buffer_space(child);
This commit uniforms the above functions to have the following sequence:
tcp_mtup_init(sk);
icsk->icsk_af_ops->rebuild_header(sk);
tcp_init_metrics(sk);
tcp_call_bpf(sk, BPF_SOCK_OPS_ACTIVE/PASSIVE_ESTABLISHED_CB);
tcp_init_congestion_control(sk);
tcp_init_buffer_space(sk);
This sequence is the same as the (1) active case. We pick this sequence
because this order correctly allows BPF to override the settings
including congestion control module and initial cwnd, etc from
the route, and then allows the CC module to see those settings.
Suggested-by: Neal Cardwell <ncardwell@google.com>
Tested-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-04 19:03:44 +02:00
|
|
|
tcp_init_transfer(child, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB);
|
2014-05-12 05:22:09 +02:00
|
|
|
|
2016-02-02 06:03:07 +01:00
|
|
|
tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
|
|
|
|
|
|
|
|
|
|
tcp_fastopen_add_skb(child, skb);
|
|
|
|
|
|
|
|
|
|
tcp_rsk(req)->rcv_nxt = tp->rcv_nxt;
|
2016-08-30 17:55:23 +02:00
|
|
|
tp->rcv_wup = tp->rcv_nxt;
|
2015-10-05 06:08:07 +02:00
|
|
|
/* tcp_conn_request() is sending the SYNACK,
|
|
|
|
|
* and queues the child into listener accept queue.
|
2015-09-25 02:16:05 +02:00
|
|
|
*/
|
|
|
|
|
return child;
|
2014-05-12 05:22:09 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool tcp_fastopen_queue_check(struct sock *sk)
|
|
|
|
|
{
|
|
|
|
|
struct fastopen_queue *fastopenq;
|
|
|
|
|
|
|
|
|
|
/* Make sure the listener has enabled fastopen, and we don't
|
|
|
|
|
* exceed the max # of pending TFO requests allowed before trying
|
|
|
|
|
* to validating the cookie in order to avoid burning CPU cycles
|
|
|
|
|
* unnecessarily.
|
|
|
|
|
*
|
|
|
|
|
* XXX (TFO) - The implication of checking the max_qlen before
|
|
|
|
|
* processing a cookie request is that clients can't differentiate
|
|
|
|
|
* between qlen overflow causing Fast Open to be disabled
|
|
|
|
|
* temporarily vs a server not supporting Fast Open at all.
|
|
|
|
|
*/
|
2015-09-29 16:42:52 +02:00
|
|
|
fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
|
|
|
|
|
if (fastopenq->max_qlen == 0)
|
2014-05-12 05:22:09 +02:00
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
if (fastopenq->qlen >= fastopenq->max_qlen) {
|
|
|
|
|
struct request_sock *req1;
|
|
|
|
|
spin_lock(&fastopenq->lock);
|
|
|
|
|
req1 = fastopenq->rskq_rst_head;
|
inet: get rid of central tcp/dccp listener timer
One of the major issue for TCP is the SYNACK rtx handling,
done by inet_csk_reqsk_queue_prune(), fired by the keepalive
timer of a TCP_LISTEN socket.
This function runs for awful long times, with socket lock held,
meaning that other cpus needing this lock have to spin for hundred of ms.
SYNACK are sent in huge bursts, likely to cause severe drops anyway.
This model was OK 15 years ago when memory was very tight.
We now can afford to have a timer per request sock.
Timer invocations no longer need to lock the listener,
and can be run from all cpus in parallel.
With following patch increasing somaxconn width to 32 bits,
I tested a listener with more than 4 million active request sockets,
and a steady SYNFLOOD of ~200,000 SYN per second.
Host was sending ~830,000 SYNACK per second.
This is ~100 times more what we could achieve before this patch.
Later, we will get rid of the listener hash and use ehash instead.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-03-20 03:04:20 +01:00
|
|
|
if (!req1 || time_after(req1->rsk_timer.expires, jiffies)) {
|
2016-04-28 01:44:39 +02:00
|
|
|
__NET_INC_STATS(sock_net(sk),
|
|
|
|
|
LINUX_MIB_TCPFASTOPENLISTENOVERFLOW);
|
2016-04-29 23:16:47 +02:00
|
|
|
spin_unlock(&fastopenq->lock);
|
2014-05-12 05:22:09 +02:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
fastopenq->rskq_rst_head = req1->dl_next;
|
|
|
|
|
fastopenq->qlen--;
|
|
|
|
|
spin_unlock(&fastopenq->lock);
|
2015-03-16 05:12:16 +01:00
|
|
|
reqsk_put(req1);
|
2014-05-12 05:22:09 +02:00
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-23 22:22:23 +02:00
|
|
|
static bool tcp_fastopen_no_cookie(const struct sock *sk,
|
|
|
|
|
const struct dst_entry *dst,
|
|
|
|
|
int flag)
|
|
|
|
|
{
|
|
|
|
|
return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) ||
|
|
|
|
|
tcp_sk(sk)->fastopen_no_cookie ||
|
|
|
|
|
(dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE));
|
|
|
|
|
}
|
|
|
|
|
|
2014-05-12 05:22:10 +02:00
|
|
|
/* Returns true if we should perform Fast Open on the SYN. The cookie (foc)
|
|
|
|
|
* may be updated and return the client in the SYN-ACK later. E.g., Fast Open
|
|
|
|
|
* cookie request (foc->len == 0).
|
|
|
|
|
*/
|
2015-09-25 02:16:05 +02:00
|
|
|
struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
|
|
|
|
|
struct request_sock *req,
|
2017-10-23 22:22:23 +02:00
|
|
|
struct tcp_fastopen_cookie *foc,
|
|
|
|
|
const struct dst_entry *dst)
|
2014-05-12 05:22:09 +02:00
|
|
|
{
|
2014-05-12 05:22:10 +02:00
|
|
|
bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
|
2017-09-27 05:35:40 +02:00
|
|
|
int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
|
|
|
|
|
struct tcp_fastopen_cookie valid_foc = { .len = -1 };
|
2015-09-25 02:16:05 +02:00
|
|
|
struct sock *child;
|
2019-05-29 18:33:57 +02:00
|
|
|
int ret = 0;
|
2014-05-12 05:22:09 +02:00
|
|
|
|
2015-02-09 21:35:23 +01:00
|
|
|
if (foc->len == 0) /* Client requests a cookie */
|
2016-04-29 23:16:47 +02:00
|
|
|
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENCOOKIEREQD);
|
2015-02-09 21:35:23 +01:00
|
|
|
|
2017-09-27 05:35:40 +02:00
|
|
|
if (!((tcp_fastopen & TFO_SERVER_ENABLE) &&
|
2014-05-12 05:22:10 +02:00
|
|
|
(syn_data || foc->len >= 0) &&
|
|
|
|
|
tcp_fastopen_queue_check(sk))) {
|
|
|
|
|
foc->len = -1;
|
2015-09-25 02:16:05 +02:00
|
|
|
return NULL;
|
2014-05-12 05:22:09 +02:00
|
|
|
}
|
|
|
|
|
|
tcp: enable data-less, empty-cookie SYN with TFO_SERVER_COOKIE_NOT_REQD
[ Upstream commit e3faa49bcecdfcc80e94dd75709d6acb1a5d89f6 ]
Since the original TFO server code was implemented in commit
168a8f58059a22feb9e9a2dcc1b8053dbbbc12ef ("tcp: TCP Fast Open Server -
main code path") the TFO server code has supported the sysctl bit flag
TFO_SERVER_COOKIE_NOT_REQD. Currently, when the TFO_SERVER_ENABLE and
TFO_SERVER_COOKIE_NOT_REQD sysctl bit flags are set, a server connection
will accept a SYN with N bytes of data (N > 0) that has no TFO cookie,
create a new fast open connection, process the incoming data in the SYN,
and make the connection ready for accepting. After accepting, the
connection is ready for read()/recvmsg() to read the N bytes of data in
the SYN, ready for write()/sendmsg() calls and data transmissions to
transmit data.
This commit changes an edge case in this feature by changing this
behavior to apply to (N >= 0) bytes of data in the SYN rather than only
(N > 0) bytes of data in the SYN. Now, a server will accept a data-less
SYN without a TFO cookie if TFO_SERVER_COOKIE_NOT_REQD is set.
Caveat! While this enables a new kind of TFO (data-less empty-cookie
SYN), some firewall rules setup may not work if they assume such packets
are not legit TFOs and will filter them.
Signed-off-by: Luke Hsiao <lukehsiao@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20210816205105.2533289-1-luke.w.hsiao@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-08-16 22:51:06 +02:00
|
|
|
if (tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD))
|
2014-05-12 05:22:10 +02:00
|
|
|
goto fastopen;
|
|
|
|
|
|
2019-05-29 18:33:57 +02:00
|
|
|
if (foc->len == 0) {
|
|
|
|
|
/* Client requests a cookie. */
|
|
|
|
|
tcp_fastopen_cookie_gen(sk, req, skb, &valid_foc);
|
|
|
|
|
} else if (foc->len > 0) {
|
|
|
|
|
ret = tcp_fastopen_cookie_gen_check(sk, req, skb, foc,
|
|
|
|
|
&valid_foc);
|
|
|
|
|
if (!ret) {
|
|
|
|
|
NET_INC_STATS(sock_net(sk),
|
|
|
|
|
LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
|
|
|
|
|
} else {
|
|
|
|
|
/* Cookie is valid. Create a (full) child socket to
|
|
|
|
|
* accept the data in SYN before returning a SYN-ACK to
|
|
|
|
|
* ack the data. If we fail to create the socket, fall
|
|
|
|
|
* back and ack the ISN only but includes the same
|
|
|
|
|
* cookie.
|
|
|
|
|
*
|
|
|
|
|
* Note: Data-less SYN with valid cookie is allowed to
|
|
|
|
|
* send data in SYN_RECV state.
|
|
|
|
|
*/
|
2014-05-12 05:22:10 +02:00
|
|
|
fastopen:
|
2019-05-29 18:33:57 +02:00
|
|
|
child = tcp_fastopen_create_child(sk, skb, req);
|
|
|
|
|
if (child) {
|
|
|
|
|
if (ret == 2) {
|
|
|
|
|
valid_foc.exp = foc->exp;
|
|
|
|
|
*foc = valid_foc;
|
|
|
|
|
NET_INC_STATS(sock_net(sk),
|
|
|
|
|
LINUX_MIB_TCPFASTOPENPASSIVEALTKEY);
|
|
|
|
|
} else {
|
|
|
|
|
foc->len = -1;
|
|
|
|
|
}
|
|
|
|
|
NET_INC_STATS(sock_net(sk),
|
|
|
|
|
LINUX_MIB_TCPFASTOPENPASSIVE);
|
|
|
|
|
return child;
|
|
|
|
|
}
|
2016-04-29 23:16:47 +02:00
|
|
|
NET_INC_STATS(sock_net(sk),
|
2019-05-29 18:33:57 +02:00
|
|
|
LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
|
2014-05-12 05:22:11 +02:00
|
|
|
}
|
2019-05-29 18:33:57 +02:00
|
|
|
}
|
2015-04-06 23:37:26 +02:00
|
|
|
valid_foc.exp = foc->exp;
|
2014-05-12 05:22:10 +02:00
|
|
|
*foc = valid_foc;
|
2015-09-25 02:16:05 +02:00
|
|
|
return NULL;
|
2014-05-12 05:22:09 +02:00
|
|
|
}
|
2017-01-23 19:59:20 +01:00
|
|
|
|
|
|
|
|
bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
|
|
|
|
|
struct tcp_fastopen_cookie *cookie)
|
|
|
|
|
{
|
2017-10-23 22:22:23 +02:00
|
|
|
const struct dst_entry *dst;
|
2017-01-23 19:59:20 +01:00
|
|
|
|
2017-12-12 22:10:40 +01:00
|
|
|
tcp_fastopen_cache_get(sk, mss, cookie);
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
|
|
|
|
|
/* Firewall blackhole issue check */
|
|
|
|
|
if (tcp_fastopen_active_should_disable(sk)) {
|
|
|
|
|
cookie->len = -1;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-23 22:22:23 +02:00
|
|
|
dst = __sk_dst_get(sk);
|
|
|
|
|
|
|
|
|
|
if (tcp_fastopen_no_cookie(sk, dst, TFO_CLIENT_NO_COOKIE)) {
|
2017-01-23 19:59:20 +01:00
|
|
|
cookie->len = -1;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
return cookie->len > 0;
|
|
|
|
|
}
|
net/tcp-fastopen: Add new API support
This patch adds a new socket option, TCP_FASTOPEN_CONNECT, as an
alternative way to perform Fast Open on the active side (client). Prior
to this patch, a client needs to replace the connect() call with
sendto(MSG_FASTOPEN). This can be cumbersome for applications who want
to use Fast Open: these socket operations are often done in lower layer
libraries used by many other applications. Changing these libraries
and/or the socket call sequences are not trivial. A more convenient
approach is to perform Fast Open by simply enabling a socket option when
the socket is created w/o changing other socket calls sequence:
s = socket()
create a new socket
setsockopt(s, IPPROTO_TCP, TCP_FASTOPEN_CONNECT …);
newly introduced sockopt
If set, new functionality described below will be used.
Return ENOTSUPP if TFO is not supported or not enabled in the
kernel.
connect()
With cookie present, return 0 immediately.
With no cookie, initiate 3WHS with TFO cookie-request option and
return -1 with errno = EINPROGRESS.
write()/sendmsg()
With cookie present, send out SYN with data and return the number of
bytes buffered.
With no cookie, and 3WHS not yet completed, return -1 with errno =
EINPROGRESS.
No MSG_FASTOPEN flag is needed.
read()
Return -1 with errno = EWOULDBLOCK/EAGAIN if connect() is called but
write() is not called yet.
Return -1 with errno = EWOULDBLOCK/EAGAIN if connection is
established but no msg is received yet.
Return number of bytes read if socket is established and there is
msg received.
The new API simplifies life for applications that always perform a write()
immediately after a successful connect(). Such applications can now take
advantage of Fast Open by merely making one new setsockopt() call at the time
of creating the socket. Nothing else about the application's socket call
sequence needs to change.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-01-23 19:59:22 +01:00
|
|
|
|
|
|
|
|
/* This function checks if we want to defer sending SYN until the first
|
|
|
|
|
* write(). We defer under the following conditions:
|
|
|
|
|
* 1. fastopen_connect sockopt is set
|
|
|
|
|
* 2. we have a valid cookie
|
|
|
|
|
* Return value: return true if we want to defer until application writes data
|
|
|
|
|
* return false if we want to send out SYN immediately
|
|
|
|
|
*/
|
|
|
|
|
bool tcp_fastopen_defer_connect(struct sock *sk, int *err)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_fastopen_cookie cookie = { .len = 0 };
|
|
|
|
|
struct tcp_sock *tp = tcp_sk(sk);
|
|
|
|
|
u16 mss;
|
|
|
|
|
|
|
|
|
|
if (tp->fastopen_connect && !tp->fastopen_req) {
|
|
|
|
|
if (tcp_fastopen_cookie_check(sk, &mss, &cookie)) {
|
|
|
|
|
inet_sk(sk)->defer_connect = 1;
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Alloc fastopen_req in order for FO option to be included
|
|
|
|
|
* in SYN
|
|
|
|
|
*/
|
|
|
|
|
tp->fastopen_req = kzalloc(sizeof(*tp->fastopen_req),
|
|
|
|
|
sk->sk_allocation);
|
|
|
|
|
if (tp->fastopen_req)
|
|
|
|
|
tp->fastopen_req->cookie = cookie;
|
|
|
|
|
else
|
|
|
|
|
*err = -ENOBUFS;
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL(tcp_fastopen_defer_connect);
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The following code block is to deal with middle box issues with TFO:
|
|
|
|
|
* Middlebox firewall issues can potentially cause server's data being
|
|
|
|
|
* blackholed after a successful 3WHS using TFO.
|
|
|
|
|
* The proposed solution is to disable active TFO globally under the
|
|
|
|
|
* following circumstances:
|
|
|
|
|
* 1. client side TFO socket receives out of order FIN
|
|
|
|
|
* 2. client side TFO socket receives out of order RST
|
2017-12-12 22:10:40 +01:00
|
|
|
* 3. client side TFO socket has timed out three times consecutively during
|
|
|
|
|
* or after handshake
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
* We disable active side TFO globally for 1hr at first. Then if it
|
|
|
|
|
* happens again, we disable it for 2h, then 4h, 8h, ...
|
|
|
|
|
* And we reset the timeout back to 1hr when we see a successful active
|
|
|
|
|
* TFO connection with data exchanges.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* Disable active TFO and record current jiffies and
|
|
|
|
|
* tfo_active_disable_times
|
|
|
|
|
*/
|
2017-04-20 23:45:47 +02:00
|
|
|
void tcp_fastopen_active_disable(struct sock *sk)
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
{
|
2017-09-27 05:35:43 +02:00
|
|
|
struct net *net = sock_net(sk);
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
|
2021-07-19 11:12:18 +02:00
|
|
|
/* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
|
|
|
|
|
WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
|
|
|
|
|
|
|
|
|
|
/* Paired with smp_rmb() in tcp_fastopen_active_should_disable().
|
|
|
|
|
* We want net->ipv4.tfo_active_disable_stamp to be updated first.
|
|
|
|
|
*/
|
|
|
|
|
smp_mb__before_atomic();
|
2017-09-27 05:35:43 +02:00
|
|
|
atomic_inc(&net->ipv4.tfo_active_disable_times);
|
2021-07-19 11:12:18 +02:00
|
|
|
|
2017-09-27 05:35:43 +02:00
|
|
|
NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE);
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Calculate timeout for tfo active disable
|
|
|
|
|
* Return true if we are still in the active TFO disable period
|
|
|
|
|
* Return false if timeout already expired and we should use active TFO
|
|
|
|
|
*/
|
|
|
|
|
bool tcp_fastopen_active_should_disable(struct sock *sk)
|
|
|
|
|
{
|
2017-09-27 05:35:43 +02:00
|
|
|
unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout;
|
|
|
|
|
int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
unsigned long timeout;
|
2017-09-27 05:35:43 +02:00
|
|
|
int multiplier;
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
|
|
|
|
|
if (!tfo_da_times)
|
|
|
|
|
return false;
|
|
|
|
|
|
2021-07-19 11:12:18 +02:00
|
|
|
/* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */
|
|
|
|
|
smp_rmb();
|
|
|
|
|
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
/* Limit timout to max: 2^6 * initial timeout */
|
|
|
|
|
multiplier = 1 << min(tfo_da_times - 1, 6);
|
2021-07-19 11:12:18 +02:00
|
|
|
|
|
|
|
|
/* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */
|
|
|
|
|
timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) +
|
|
|
|
|
multiplier * tfo_bh_timeout * HZ;
|
|
|
|
|
if (time_before(jiffies, timeout))
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
return true;
|
|
|
|
|
|
|
|
|
|
/* Mark check bit so we can check for successful active TFO
|
|
|
|
|
* condition and reset tfo_active_disable_times
|
|
|
|
|
*/
|
|
|
|
|
tcp_sk(sk)->syn_fastopen_ch = 1;
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Disable active TFO if FIN is the only packet in the ofo queue
|
|
|
|
|
* and no data is received.
|
|
|
|
|
* Also check if we can reset tfo_active_disable_times if data is
|
|
|
|
|
* received successfully on a marked active TFO sockets opened on
|
|
|
|
|
* a non-loopback interface
|
|
|
|
|
*/
|
|
|
|
|
void tcp_fastopen_active_disable_ofo_check(struct sock *sk)
|
|
|
|
|
{
|
|
|
|
|
struct tcp_sock *tp = tcp_sk(sk);
|
|
|
|
|
struct dst_entry *dst;
|
2017-10-06 07:21:21 +02:00
|
|
|
struct sk_buff *skb;
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
|
|
|
|
|
if (!tp->syn_fastopen)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (!tp->data_segs_in) {
|
2017-10-06 07:21:21 +02:00
|
|
|
skb = skb_rb_first(&tp->out_of_order_queue);
|
|
|
|
|
if (skb && !skb_rb_next(skb)) {
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) {
|
2017-04-20 23:45:47 +02:00
|
|
|
tcp_fastopen_active_disable(sk);
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else if (tp->syn_fastopen_ch &&
|
2017-09-27 05:35:43 +02:00
|
|
|
atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times)) {
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
dst = sk_dst_get(sk);
|
|
|
|
|
if (!(dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK)))
|
2017-09-27 05:35:43 +02:00
|
|
|
atomic_set(&sock_net(sk)->ipv4.tfo_active_disable_times, 0);
|
net/tcp_fastopen: Disable active side TFO in certain scenarios
Middlebox firewall issues can potentially cause server's data being
blackholed after a successful 3WHS using TFO. Following are the related
reports from Apple:
https://www.nanog.org/sites/default/files/Paasch_Network_Support.pdf
Slide 31 identifies an issue where the client ACK to the server's data
sent during a TFO'd handshake is dropped.
C ---> syn-data ---> S
C <--- syn/ack ----- S
C (accept & write)
C <---- data ------- S
C ----- ACK -> X S
[retry and timeout]
https://www.ietf.org/proceedings/94/slides/slides-94-tcpm-13.pdf
Slide 5 shows a similar situation that the server's data gets dropped
after 3WHS.
C ---- syn-data ---> S
C <--- syn/ack ----- S
C ---- ack --------> S
S (accept & write)
C? X <- data ------ S
[retry and timeout]
This is the worst failure b/c the client can not detect such behavior to
mitigate the situation (such as disabling TFO). Failing to proceed, the
application (e.g., SSL library) may simply timeout and retry with TFO
again, and the process repeats indefinitely.
The proposed solution is to disable active TFO globally under the
following circumstances:
1. client side TFO socket detects out of order FIN
2. client side TFO socket receives out of order RST
We disable active side TFO globally for 1hr at first. Then if it
happens again, we disable it for 2h, then 4h, 8h, ...
And we reset the timeout to 1hr if a client side TFO sockets not opened
on loopback has successfully received data segs from server.
And we examine this condition during close().
The rational behind it is that when such firewall issue happens,
application running on the client should eventually close the socket as
it is not able to get the data it is expecting. Or application running
on the server should close the socket as it is not able to receive any
response from client.
In both cases, out of order FIN or RST will get received on the client
given that the firewall will not block them as no data are in those
frames.
And we want to disable active TFO globally as it helps if the middle box
is very close to the client and most of the connections are likely to
fail.
Also, add a debug sysctl:
tcp_fastopen_blackhole_detect_timeout_sec:
the initial timeout to use when firewall blackhole issue happens.
This can be set and read.
When setting it to 0, it means to disable the active disable logic.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-20 23:45:46 +02:00
|
|
|
dst_release(dst);
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-12-12 22:10:40 +01:00
|
|
|
|
|
|
|
|
void tcp_fastopen_active_detect_blackhole(struct sock *sk, bool expired)
|
|
|
|
|
{
|
|
|
|
|
u32 timeouts = inet_csk(sk)->icsk_retransmits;
|
|
|
|
|
struct tcp_sock *tp = tcp_sk(sk);
|
|
|
|
|
|
|
|
|
|
/* Broken middle-boxes may black-hole Fast Open connection during or
|
|
|
|
|
* even after the handshake. Be extremely conservative and pause
|
|
|
|
|
* Fast Open globally after hitting the third consecutive timeout or
|
|
|
|
|
* exceeding the configured timeout limit.
|
|
|
|
|
*/
|
|
|
|
|
if ((tp->syn_fastopen || tp->syn_data || tp->syn_data_acked) &&
|
|
|
|
|
(timeouts == 2 || (timeouts < 2 && expired))) {
|
|
|
|
|
tcp_fastopen_active_disable(sk);
|
|
|
|
|
NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENACTIVEFAIL);
|
|
|
|
|
}
|
|
|
|
|
}
|
