syncookies.c (3753B)
1// SPDX-License-Identifier: GPL-2.0 2#include <linux/skbuff.h> 3 4#include "protocol.h" 5 6/* Syncookies do not work for JOIN requests. 7 * 8 * Unlike MP_CAPABLE, where the ACK cookie contains the needed MPTCP 9 * options to reconstruct the initial syn state, MP_JOIN does not contain 10 * the token to obtain the mptcp socket nor the server-generated nonce 11 * that was used in the cookie SYN/ACK response. 12 * 13 * Keep a small best effort state table to store the syn/synack data, 14 * indexed by skb hash. 15 * 16 * A MP_JOIN SYN packet handled by syn cookies is only stored if the 32bit 17 * token matches a known mptcp connection that can still accept more subflows. 18 * 19 * There is no timeout handling -- state is only re-constructed 20 * when the TCP ACK passed the cookie validation check. 21 */ 22 23struct join_entry { 24 u32 token; 25 u32 remote_nonce; 26 u32 local_nonce; 27 u8 join_id; 28 u8 local_id; 29 u8 backup; 30 u8 valid; 31}; 32 33#define COOKIE_JOIN_SLOTS 1024 34 35static struct join_entry join_entries[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp; 36static spinlock_t join_entry_locks[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp; 37 38static u32 mptcp_join_entry_hash(struct sk_buff *skb, struct net *net) 39{ 40 static u32 mptcp_join_hash_secret __read_mostly; 41 struct tcphdr *th = tcp_hdr(skb); 42 u32 seq, i; 43 44 net_get_random_once(&mptcp_join_hash_secret, 45 sizeof(mptcp_join_hash_secret)); 46 47 if (th->syn) 48 seq = TCP_SKB_CB(skb)->seq; 49 else 50 seq = TCP_SKB_CB(skb)->seq - 1; 51 52 i = jhash_3words(seq, net_hash_mix(net), 53 (__force __u32)th->source << 16 | (__force __u32)th->dest, 54 mptcp_join_hash_secret); 55 56 return i % ARRAY_SIZE(join_entries); 57} 58 59static void mptcp_join_store_state(struct join_entry *entry, 60 const struct mptcp_subflow_request_sock *subflow_req) 61{ 62 entry->token = subflow_req->token; 63 entry->remote_nonce = subflow_req->remote_nonce; 64 entry->local_nonce = subflow_req->local_nonce; 65 entry->backup = subflow_req->backup; 66 entry->join_id = subflow_req->remote_id; 67 entry->local_id = subflow_req->local_id; 68 entry->valid = 1; 69} 70 71void subflow_init_req_cookie_join_save(const struct mptcp_subflow_request_sock *subflow_req, 72 struct sk_buff *skb) 73{ 74 struct net *net = read_pnet(&subflow_req->sk.req.ireq_net); 75 u32 i = mptcp_join_entry_hash(skb, net); 76 77 /* No use in waiting if other cpu is already using this slot -- 78 * would overwrite the data that got stored. 79 */ 80 spin_lock_bh(&join_entry_locks[i]); 81 mptcp_join_store_state(&join_entries[i], subflow_req); 82 spin_unlock_bh(&join_entry_locks[i]); 83} 84 85/* Called for a cookie-ack with MP_JOIN option present. 86 * Look up the saved state based on skb hash & check token matches msk 87 * in same netns. 88 * 89 * Caller will check msk can still accept another subflow. The hmac 90 * present in the cookie ACK mptcp option space will be checked later. 91 */ 92bool mptcp_token_join_cookie_init_state(struct mptcp_subflow_request_sock *subflow_req, 93 struct sk_buff *skb) 94{ 95 struct net *net = read_pnet(&subflow_req->sk.req.ireq_net); 96 u32 i = mptcp_join_entry_hash(skb, net); 97 struct mptcp_sock *msk; 98 struct join_entry *e; 99 100 e = &join_entries[i]; 101 102 spin_lock_bh(&join_entry_locks[i]); 103 104 if (e->valid == 0) { 105 spin_unlock_bh(&join_entry_locks[i]); 106 return false; 107 } 108 109 e->valid = 0; 110 111 msk = mptcp_token_get_sock(net, e->token); 112 if (!msk) { 113 spin_unlock_bh(&join_entry_locks[i]); 114 return false; 115 } 116 117 subflow_req->remote_nonce = e->remote_nonce; 118 subflow_req->local_nonce = e->local_nonce; 119 subflow_req->backup = e->backup; 120 subflow_req->remote_id = e->join_id; 121 subflow_req->token = e->token; 122 subflow_req->msk = msk; 123 spin_unlock_bh(&join_entry_locks[i]); 124 return true; 125} 126 127void __init mptcp_join_cookie_init(void) 128{ 129 int i; 130 131 for (i = 0; i < COOKIE_JOIN_SLOTS; i++) 132 spin_lock_init(&join_entry_locks[i]); 133}