Commit | Line | Data |
---|---|---|
9466a1cc FW |
1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #include <linux/skbuff.h> | |
3 | ||
4 | #include "protocol.h" | |
5 | ||
6 | /* Syncookies do not work for JOIN requests. | |
7 | * | |
8 | * Unlike MP_CAPABLE, where the ACK cookie contains the needed MPTCP | |
9 | * options to reconstruct the initial syn state, MP_JOIN does not contain | |
10 | * the token to obtain the mptcp socket nor the server-generated nonce | |
11 | * that was used in the cookie SYN/ACK response. | |
12 | * | |
13 | * Keep a small best effort state table to store the syn/synack data, | |
14 | * indexed by skb hash. | |
15 | * | |
16 | * A MP_JOIN SYN packet handled by syn cookies is only stored if the 32bit | |
17 | * token matches a known mptcp connection that can still accept more subflows. | |
18 | * | |
19 | * There is no timeout handling -- state is only re-constructed | |
20 | * when the TCP ACK passed the cookie validation check. | |
21 | */ | |
22 | ||
23 | struct join_entry { | |
24 | u32 token; | |
25 | u32 remote_nonce; | |
26 | u32 local_nonce; | |
27 | u8 join_id; | |
28 | u8 local_id; | |
29 | u8 backup; | |
30 | u8 valid; | |
31 | }; | |
32 | ||
33 | #define COOKIE_JOIN_SLOTS 1024 | |
34 | ||
35 | static struct join_entry join_entries[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp; | |
36 | static spinlock_t join_entry_locks[COOKIE_JOIN_SLOTS] __cacheline_aligned_in_smp; | |
37 | ||
38 | static u32 mptcp_join_entry_hash(struct sk_buff *skb, struct net *net) | |
39 | { | |
0c71929b JW |
40 | static u32 mptcp_join_hash_secret __read_mostly; |
41 | struct tcphdr *th = tcp_hdr(skb); | |
42 | u32 seq, i; | |
43 | ||
44 | net_get_random_once(&mptcp_join_hash_secret, | |
45 | sizeof(mptcp_join_hash_secret)); | |
46 | ||
47 | if (th->syn) | |
48 | seq = TCP_SKB_CB(skb)->seq; | |
49 | else | |
50 | seq = TCP_SKB_CB(skb)->seq - 1; | |
51 | ||
52 | i = jhash_3words(seq, net_hash_mix(net), | |
53 | (__force __u32)th->source << 16 | (__force __u32)th->dest, | |
54 | mptcp_join_hash_secret); | |
9466a1cc FW |
55 | |
56 | return i % ARRAY_SIZE(join_entries); | |
57 | } | |
58 | ||
59 | static void mptcp_join_store_state(struct join_entry *entry, | |
60 | const struct mptcp_subflow_request_sock *subflow_req) | |
61 | { | |
62 | entry->token = subflow_req->token; | |
63 | entry->remote_nonce = subflow_req->remote_nonce; | |
64 | entry->local_nonce = subflow_req->local_nonce; | |
65 | entry->backup = subflow_req->backup; | |
66 | entry->join_id = subflow_req->remote_id; | |
67 | entry->local_id = subflow_req->local_id; | |
68 | entry->valid = 1; | |
69 | } | |
70 | ||
71 | void subflow_init_req_cookie_join_save(const struct mptcp_subflow_request_sock *subflow_req, | |
72 | struct sk_buff *skb) | |
73 | { | |
74 | struct net *net = read_pnet(&subflow_req->sk.req.ireq_net); | |
75 | u32 i = mptcp_join_entry_hash(skb, net); | |
76 | ||
77 | /* No use in waiting if other cpu is already using this slot -- | |
78 | * would overwrite the data that got stored. | |
79 | */ | |
80 | spin_lock_bh(&join_entry_locks[i]); | |
81 | mptcp_join_store_state(&join_entries[i], subflow_req); | |
82 | spin_unlock_bh(&join_entry_locks[i]); | |
83 | } | |
84 | ||
85 | /* Called for a cookie-ack with MP_JOIN option present. | |
86 | * Look up the saved state based on skb hash & check token matches msk | |
87 | * in same netns. | |
88 | * | |
89 | * Caller will check msk can still accept another subflow. The hmac | |
90 | * present in the cookie ACK mptcp option space will be checked later. | |
91 | */ | |
92 | bool mptcp_token_join_cookie_init_state(struct mptcp_subflow_request_sock *subflow_req, | |
93 | struct sk_buff *skb) | |
94 | { | |
95 | struct net *net = read_pnet(&subflow_req->sk.req.ireq_net); | |
96 | u32 i = mptcp_join_entry_hash(skb, net); | |
97 | struct mptcp_sock *msk; | |
98 | struct join_entry *e; | |
99 | ||
100 | e = &join_entries[i]; | |
101 | ||
102 | spin_lock_bh(&join_entry_locks[i]); | |
103 | ||
104 | if (e->valid == 0) { | |
105 | spin_unlock_bh(&join_entry_locks[i]); | |
106 | return false; | |
107 | } | |
108 | ||
109 | e->valid = 0; | |
110 | ||
ea1300b9 | 111 | msk = mptcp_token_get_sock(net, e->token); |
9466a1cc FW |
112 | if (!msk) { |
113 | spin_unlock_bh(&join_entry_locks[i]); | |
114 | return false; | |
115 | } | |
116 | ||
9466a1cc FW |
117 | subflow_req->remote_nonce = e->remote_nonce; |
118 | subflow_req->local_nonce = e->local_nonce; | |
119 | subflow_req->backup = e->backup; | |
120 | subflow_req->remote_id = e->join_id; | |
121 | subflow_req->token = e->token; | |
122 | subflow_req->msk = msk; | |
123 | spin_unlock_bh(&join_entry_locks[i]); | |
124 | return true; | |
9466a1cc FW |
125 | } |
126 | ||
127 | void __init mptcp_join_cookie_init(void) | |
128 | { | |
129 | int i; | |
130 | ||
7126bd5c | 131 | for (i = 0; i < COOKIE_JOIN_SLOTS; i++) |
9466a1cc | 132 | spin_lock_init(&join_entry_locks[i]); |
9466a1cc | 133 | } |