TCPCT part 1d: define TCP cookie option, extend existing struct's

Data structures are carefully composed to require minimal additions. For example, the struct tcp_options_received cookie_plus variable fits between existing 16-bit and 8-bit variables, requiring no additional space (taking alignment into consideration). There are no additions to tcp_request_sock, and only 1 pointer in tcp_sock. This is a significantly revised implementation of an earlier (year-old) patch that no longer applies cleanly, with permission of the original author (Adam Langley): http://thread.gmane.org/gmane.linux.network/102586 The principle difference is using a TCP option to carry the cookie nonce, instead of a user configured offset in the data. This is more flexible and less subject to user configuration error. Such a cookie option has been suggested for many years, and is also useful without SYN data, allowing several related concepts to use the same extension option. "Re: SYN floods (was: does history repeat itself?)", September 9, 1996. http://www.merit.net/mail.archives/nanog/1996-09/msg00235.html "Re: what a new TCP header might look like", May 12, 1998. ftp://ftp.isi.edu/end2end/end2end-interest-1998.mail These functions will also be used in subsequent patches that implement additional features. Requires: TCPCT part 1a: add request_values parameter for sending SYNACK TCPCT part 1b: generate Responder Cookie secret TCPCT part 1c: sysctl_tcp_cookie_size, socket option TCP_COOKIE_TRANSACTIONS Signed-off-by: William.Allen.Simpson@gmail.com Signed-off-by: David S. Miller <davem@davemloft.net>
author: William Allen Simpson <william.allen.simpson@gmail.com> 2009-12-02 13:17:05 -0500
committer: David S. Miller <davem@davemloft.net> 2009-12-03 01:07:25 -0500
commit: 435cf559f02ea3a3159eb316f97dc88bdebe9432 (patch)
tree: 0b2a7e9110c46b193176b0a59fe5689eae7c18f3 /include/net
parent: 519855c508b9a17878c0977a3cdefc09b59b30df (diff)
1 files changed, 83 insertions, 0 deletions
diff --git a/include/net/tcp.h b/include/net/tcp.h
index 738b65f01e26..f9abd9becabd 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -30,6 +30,7 @@
 #include <linux/dmaengine.h>
 #include <linux/crypto.h>
 #include <linux/cryptohash.h>
+#include <linux/kref.h>
 #include <net/inet_connection_sock.h>
 #include <net/inet_timewait_sock.h>
@@ -164,6 +165,7 @@ extern void tcp_time_wait(struct sock *sk, int state, int timeo);
 #define TCPOPT_SACK             5       /* SACK Block */
 #define TCPOPT_TIMESTAMP        8       /* Better RTT estimations/PAWS */
 #define TCPOPT_MD5SIG           19      /* MD5 Signature (RFC2385) */
+#define TCPOPT_COOKIE           253     /* Cookie extension (experimental) */
 /*
 *     TCP option lengths
@@ -174,6 +176,10 @@ extern void tcp_time_wait(struct sock *sk, int state, int timeo);
 #define TCPOLEN_SACK_PERM      2
 #define TCPOLEN_TIMESTAMP      10
 #define TCPOLEN_MD5SIG         18
+#define TCPOLEN_COOKIE_BASE    2        /* Cookie-less header extension */
+#define TCPOLEN_COOKIE_PAIR    3        /* Cookie pair header extension */
+#define TCPOLEN_COOKIE_MIN     (TCPOLEN_COOKIE_BASE+TCP_COOKIE_MIN)
+#define TCPOLEN_COOKIE_MAX     (TCPOLEN_COOKIE_BASE+TCP_COOKIE_MAX)
 /* But this is what stacks really send out. */
 #define TCPOLEN_TSTAMP_ALIGNED          12
@@ -1482,6 +1488,83 @@ struct tcp_request_sock_ops {
 extern int tcp_cookie_generator(u32 *bakery);
+/**
+ *      struct tcp_cookie_values - each socket needs extra space for the
+ *      cookies, together with (optional) space for any SYN data.
+ *
+ *      A tcp_sock contains a pointer to the current value, and this is
+ *      cloned to the tcp_timewait_sock.
+ *
+ * @cookie_pair:        variable data from the option exchange.
+ *
+ * @cookie_desired:     user specified tcpct_cookie_desired.  Zero
+ *                      indicates default (sysctl_tcp_cookie_size).
+ *                      After cookie sent, remembers size of cookie.
+ *                      Range 0, TCP_COOKIE_MIN to TCP_COOKIE_MAX.
+ *
+ * @s_data_desired:     user specified tcpct_s_data_desired.  When the
+ *                      constant payload is specified (@s_data_constant),
+ *                      holds its length instead.
+ *                      Range 0 to TCP_MSS_DESIRED.
+ *
+ * @s_data_payload:     constant data that is to be included in the
+ *                      payload of SYN or SYNACK segments when the
+ *                      cookie option is present.
+ */
+struct tcp_cookie_values {
+        struct kref     kref;
+        u8              cookie_pair[TCP_COOKIE_PAIR_SIZE];
+        u8              cookie_pair_size;
+        u8              cookie_desired;
+        u16             s_data_desired:11,
+                        s_data_constant:1,
+                        s_data_in:1,
+                        s_data_out:1,
+                        s_data_unused:2;
+        u8              s_data_payload[0];
+};
+static inline void tcp_cookie_values_release(struct kref *kref)
+{
+        kfree(container_of(kref, struct tcp_cookie_values, kref));
+}
+/* The length of constant payload data.  Note that s_data_desired is
+ * overloaded, depending on s_data_constant: either the length of constant
+ * data (returned here) or the limit on variable data.
+ */
+static inline int tcp_s_data_size(const struct tcp_sock *tp)
+{
+        return (tp->cookie_values != NULL && tp->cookie_values->s_data_constant)
+                ? tp->cookie_values->s_data_desired
+                : 0;
+}
+/**
+ *      struct tcp_extend_values - tcp_ipv?.c to tcp_output.c workspace.
+ *
+ *      As tcp_request_sock has already been extended in other places, the
+ *      only remaining method is to pass stack values along as function
+ *      parameters.  These parameters are not needed after sending SYNACK.
+ *
+ * @cookie_bakery:      cryptographic secret and message workspace.
+ *
+ * @cookie_plus:        bytes in authenticator/cookie option, copied from
+ *                      struct tcp_options_received (above).
+ */
+struct tcp_extend_values {
+        struct request_values           rv;
+        u32                             cookie_bakery[COOKIE_WORKSPACE_WORDS];
+        u8                              cookie_plus:6,
+                                        cookie_out_never:1,
+                                        cookie_in_always:1;
+};
+static inline struct tcp_extend_values *tcp_xv(struct request_values *rvp)
+{
+        return (struct tcp_extend_values *)rvp;
+}
 extern void tcp_v4_init(void);
 extern void tcp_init(void);
author	William Allen Simpson <william.allen.simpson@gmail.com>	2009-12-02 13:17:05 -0500
committer	David S. Miller <davem@davemloft.net>	2009-12-03 01:07:25 -0500
commit	435cf559f02ea3a3159eb316f97dc88bdebe9432 (patch)
tree	0b2a7e9110c46b193176b0a59fe5689eae7c18f3 /include/net
parent	519855c508b9a17878c0977a3cdefc09b59b30df (diff)

diff --git a/include/net/tcp.h b/include/net/tcp.h index 738b65f01e26..f9abd9becabd 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h
@@ -30,6 +30,7 @@
30	#include <linux/dmaengine.h>	30	#include <linux/dmaengine.h>
31	#include <linux/crypto.h>	31	#include <linux/crypto.h>
32	#include <linux/cryptohash.h>	32	#include <linux/cryptohash.h>
		33	#include <linux/kref.h>
33		34
34	#include <net/inet_connection_sock.h>	35	#include <net/inet_connection_sock.h>
35	#include <net/inet_timewait_sock.h>	36	#include <net/inet_timewait_sock.h>
@@ -164,6 +165,7 @@ extern void tcp_time_wait(struct sock *sk, int state, int timeo);
164	#define TCPOPT_SACK 5 /* SACK Block */	165	#define TCPOPT_SACK 5 /* SACK Block */
165	#define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */	166	#define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
166	#define TCPOPT_MD5SIG 19 /* MD5 Signature (RFC2385) */	167	#define TCPOPT_MD5SIG 19 /* MD5 Signature (RFC2385) */
		168	#define TCPOPT_COOKIE 253 /* Cookie extension (experimental) */
167		169
168	/*	170	/*
169	* TCP option lengths	171	* TCP option lengths
@@ -174,6 +176,10 @@ extern void tcp_time_wait(struct sock *sk, int state, int timeo);
174	#define TCPOLEN_SACK_PERM 2	176	#define TCPOLEN_SACK_PERM 2
175	#define TCPOLEN_TIMESTAMP 10	177	#define TCPOLEN_TIMESTAMP 10
176	#define TCPOLEN_MD5SIG 18	178	#define TCPOLEN_MD5SIG 18
		179	#define TCPOLEN_COOKIE_BASE 2 /* Cookie-less header extension */
		180	#define TCPOLEN_COOKIE_PAIR 3 /* Cookie pair header extension */
		181	#define TCPOLEN_COOKIE_MIN (TCPOLEN_COOKIE_BASE+TCP_COOKIE_MIN)
		182	#define TCPOLEN_COOKIE_MAX (TCPOLEN_COOKIE_BASE+TCP_COOKIE_MAX)
177		183
178	/* But this is what stacks really send out. */	184	/* But this is what stacks really send out. */
179	#define TCPOLEN_TSTAMP_ALIGNED 12	185	#define TCPOLEN_TSTAMP_ALIGNED 12
@@ -1482,6 +1488,83 @@ struct tcp_request_sock_ops {
1482		1488
1483	extern int tcp_cookie_generator(u32 *bakery);	1489	extern int tcp_cookie_generator(u32 *bakery);
1484		1490
		1491	/**
		1492	* struct tcp_cookie_values - each socket needs extra space for the
		1493	* cookies, together with (optional) space for any SYN data.
		1494	*
		1495	* A tcp_sock contains a pointer to the current value, and this is
		1496	* cloned to the tcp_timewait_sock.
		1497	*
		1498	* @cookie_pair: variable data from the option exchange.
		1499	*
		1500	* @cookie_desired: user specified tcpct_cookie_desired. Zero
		1501	* indicates default (sysctl_tcp_cookie_size).
		1502	* After cookie sent, remembers size of cookie.
		1503	* Range 0, TCP_COOKIE_MIN to TCP_COOKIE_MAX.
		1504	*
		1505	* @s_data_desired: user specified tcpct_s_data_desired. When the
		1506	* constant payload is specified (@s_data_constant),
		1507	* holds its length instead.
		1508	* Range 0 to TCP_MSS_DESIRED.
		1509	*
		1510	* @s_data_payload: constant data that is to be included in the
		1511	* payload of SYN or SYNACK segments when the
		1512	* cookie option is present.
		1513	*/
		1514	struct tcp_cookie_values {
		1515	struct kref kref;
		1516	u8 cookie_pair[TCP_COOKIE_PAIR_SIZE];
		1517	u8 cookie_pair_size;
		1518	u8 cookie_desired;
		1519	u16 s_data_desired:11,
		1520	s_data_constant:1,
		1521	s_data_in:1,
		1522	s_data_out:1,
		1523	s_data_unused:2;
		1524	u8 s_data_payload[0];
		1525	};
		1526
		1527	static inline void tcp_cookie_values_release(struct kref *kref)
		1528	{
		1529	kfree(container_of(kref, struct tcp_cookie_values, kref));
		1530	}
		1531
		1532	/* The length of constant payload data. Note that s_data_desired is
		1533	* overloaded, depending on s_data_constant: either the length of constant
		1534	* data (returned here) or the limit on variable data.
		1535	*/
		1536	static inline int tcp_s_data_size(const struct tcp_sock *tp)
		1537	{
		1538	return (tp->cookie_values != NULL && tp->cookie_values->s_data_constant)
		1539	? tp->cookie_values->s_data_desired
		1540	: 0;
		1541	}
		1542
		1543	/**
		1544	* struct tcp_extend_values - tcp_ipv?.c to tcp_output.c workspace.
		1545	*
		1546	* As tcp_request_sock has already been extended in other places, the
		1547	* only remaining method is to pass stack values along as function
		1548	* parameters. These parameters are not needed after sending SYNACK.
		1549	*
		1550	* @cookie_bakery: cryptographic secret and message workspace.
		1551	*
		1552	* @cookie_plus: bytes in authenticator/cookie option, copied from
		1553	* struct tcp_options_received (above).
		1554	*/
		1555	struct tcp_extend_values {
		1556	struct request_values rv;
		1557	u32 cookie_bakery[COOKIE_WORKSPACE_WORDS];
		1558	u8 cookie_plus:6,
		1559	cookie_out_never:1,
		1560	cookie_in_always:1;
		1561	};
		1562
		1563	static inline struct tcp_extend_values tcp_xv(struct request_values rvp)
		1564	{
		1565	return (struct tcp_extend_values *)rvp;
		1566	}
		1567
1485	extern void tcp_v4_init(void);	1568	extern void tcp_v4_init(void);
1486	extern void tcp_init(void);	1569	extern void tcp_init(void);
1487		1570