Merge branch 'tcp-fastopen-ipv6'

Yuchung Cheng says: ==================== tcp: IPv6 support for fastopen server This patch series add IPv6 support for fastopen server. To minimize code duplication in IPv4 and IPv6, the current v4 only code is refactored and common code is moved into net/ipv4/tcp_fastopen.c. Also the current code uses a different function from tcp_v4_send_synack() to send the first SYN-ACK in fastopen. The new code eliminates this separate function by refactoring the child-socket and syn-ack creation code. After these refactoring in the first four patches, we can easily add the fastopen code in IPv6 by changing corresponding IPv6 functions. Note Fast Open client already supports IPv6. This patch is for the server-side (passive open) IPv6 support only. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2014-05-13 17:53:46 -0400
committer: David S. Miller <davem@davemloft.net> 2014-05-13 17:53:46 -0400
commit: ae8b42c6fc37ca1b7eb30898f5a65196bbb47291 (patch)
tree: a5e44c9427f0c6a5cb0e6252e3ccbd5ef4f7a50e /net/ipv4/tcp_fastopen.c
parent: 4b9734e547aaa947e56480ecf6d509cf9cc307cc (diff)
parent: 3a19ce0eec32667b835d8dc887002019fc6b3a02 (diff)
1 files changed, 209 insertions, 10 deletions
diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c
index f195d9316e55..62e48cf84e60 100644
--- a/net/ipv4/tcp_fastopen.c
+++ b/net/ipv4/tcp_fastopen.c
@@ -72,25 +72,224 @@ error:		kfree(ctx);
        return err;
 }
-/* Computes the fastopen cookie for the IP path.
+static bool __tcp_fastopen_cookie_gen(const void *path,
- * The path is a 128 bits long (pad with zeros for IPv4).
+                                      struct tcp_fastopen_cookie *foc)
- *
- * The caller must check foc->len to determine if a valid cookie
- * has been generated successfully.
-*/
-void tcp_fastopen_cookie_gen(__be32 src, __be32 dst,
-                             struct tcp_fastopen_cookie *foc)
 {
-        __be32 path[4] = { src, dst, 0, 0 };
        struct tcp_fastopen_context *ctx;
+        bool ok = false;
        tcp_fastopen_init_key_once(true);
        rcu_read_lock();
        ctx = rcu_dereference(tcp_fastopen_ctx);
        if (ctx) {
-                crypto_cipher_encrypt_one(ctx->tfm, foc->val, (__u8 *)path);
+                crypto_cipher_encrypt_one(ctx->tfm, foc->val, path);
                foc->len = TCP_FASTOPEN_COOKIE_SIZE;
+                ok = true;
        }
        rcu_read_unlock();
+        return ok;
+}
+/* Generate the fastopen cookie by doing aes128 encryption on both
+ * the source and destination addresses. Pad 0s for IPv4 or IPv4-mapped-IPv6
+ * addresses. For the longer IPv6 addresses use CBC-MAC.
+ *
+ * XXX (TFO) - refactor when TCP_FASTOPEN_COOKIE_SIZE != AES_BLOCK_SIZE.
+ */
+static bool tcp_fastopen_cookie_gen(struct request_sock *req,
+                                    struct sk_buff *syn,
+                                    struct tcp_fastopen_cookie *foc)
+{
+        if (req->rsk_ops->family == AF_INET) {
+                const struct iphdr *iph = ip_hdr(syn);
+                __be32 path[4] = { iph->saddr, iph->daddr, 0, 0 };
+                return __tcp_fastopen_cookie_gen(path, foc);
+        }
+#if IS_ENABLED(CONFIG_IPV6)
+        if (req->rsk_ops->family == AF_INET6) {
+                const struct ipv6hdr *ip6h = ipv6_hdr(syn);
+                struct tcp_fastopen_cookie tmp;
+                if (__tcp_fastopen_cookie_gen(&ip6h->saddr, &tmp)) {
+                        struct in6_addr *buf = (struct in6_addr *) tmp.val;
+                        int i = 4;
+                        for (i = 0; i < 4; i++)
+                                buf->s6_addr32[i] ^= ip6h->daddr.s6_addr32[i];
+                        return __tcp_fastopen_cookie_gen(buf, foc);
+                }
+        }
+#endif
+        return false;
+}
+static bool tcp_fastopen_create_child(struct sock *sk,
+                                      struct sk_buff *skb,
+                                      struct dst_entry *dst,
+                                      struct request_sock *req)
+{
+        struct tcp_sock *tp = tcp_sk(sk);
+        struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
+        struct sock *child;
+        req->num_retrans = 0;
+        req->num_timeout = 0;
+        req->sk = NULL;
+        child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL);
+        if (child == NULL)
+                return false;
+        spin_lock(&queue->fastopenq->lock);
+        queue->fastopenq->qlen++;
+        spin_unlock(&queue->fastopenq->lock);
+        /* Initialize the child socket. Have to fix some values to take
+         * into account the child is a Fast Open socket and is created
+         * only out of the bits carried in the SYN packet.
+         */
+        tp = tcp_sk(child);
+        tp->fastopen_rsk = req;
+        /* Do a hold on the listner sk so that if the listener is being
+         * closed, the child that has been accepted can live on and still
+         * access listen_lock.
+         */
+        sock_hold(sk);
+        tcp_rsk(req)->listener = sk;
+        /* RFC1323: The window in SYN & SYN/ACK segments is never
+         * scaled. So correct it appropriately.
+         */
+        tp->snd_wnd = ntohs(tcp_hdr(skb)->window);
+        /* Activate the retrans timer so that SYNACK can be retransmitted.
+         * The request socket is not added to the SYN table of the parent
+         * because it's been added to the accept queue directly.
+         */
+        inet_csk_reset_xmit_timer(child, ICSK_TIME_RETRANS,
+                                  TCP_TIMEOUT_INIT, TCP_RTO_MAX);
+        /* Add the child socket directly into the accept queue */
+        inet_csk_reqsk_queue_add(sk, req, child);
+        /* Now finish processing the fastopen child socket. */
+        inet_csk(child)->icsk_af_ops->rebuild_header(child);
+        tcp_init_congestion_control(child);
+        tcp_mtup_init(child);
+        tcp_init_metrics(child);
+        tcp_init_buffer_space(child);
+        /* Queue the data carried in the SYN packet. We need to first
+         * bump skb's refcnt because the caller will attempt to free it.
+         *
+         * XXX (TFO) - we honor a zero-payload TFO request for now,
+         * (any reason not to?) but no need to queue the skb since
+         * there is no data. How about SYN+FIN?
+         */
+        if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1) {
+                skb = skb_get(skb);
+                skb_dst_drop(skb);
+                __skb_pull(skb, tcp_hdr(skb)->doff * 4);
+                skb_set_owner_r(skb, child);
+                __skb_queue_tail(&child->sk_receive_queue, skb);
+                tp->syn_data_acked = 1;
+        }
+        tcp_rsk(req)->rcv_nxt = tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
+        sk->sk_data_ready(sk);
+        bh_unlock_sock(child);
+        sock_put(child);
+        WARN_ON(req->sk == NULL);
+        return true;
+}
+EXPORT_SYMBOL(tcp_fastopen_create_child);
+static bool tcp_fastopen_queue_check(struct sock *sk)
+{
+        struct fastopen_queue *fastopenq;
+        /* Make sure the listener has enabled fastopen, and we don't
+         * exceed the max # of pending TFO requests allowed before trying
+         * to validating the cookie in order to avoid burning CPU cycles
+         * unnecessarily.
+         *
+         * XXX (TFO) - The implication of checking the max_qlen before
+         * processing a cookie request is that clients can't differentiate
+         * between qlen overflow causing Fast Open to be disabled
+         * temporarily vs a server not supporting Fast Open at all.
+         */
+        fastopenq = inet_csk(sk)->icsk_accept_queue.fastopenq;
+        if (fastopenq == NULL || fastopenq->max_qlen == 0)
+                return false;
+        if (fastopenq->qlen >= fastopenq->max_qlen) {
+                struct request_sock *req1;
+                spin_lock(&fastopenq->lock);
+                req1 = fastopenq->rskq_rst_head;
+                if ((req1 == NULL) || time_after(req1->expires, jiffies)) {
+                        spin_unlock(&fastopenq->lock);
+                        NET_INC_STATS_BH(sock_net(sk),
+                                         LINUX_MIB_TCPFASTOPENLISTENOVERFLOW);
+                        return false;
+                }
+                fastopenq->rskq_rst_head = req1->dl_next;
+                fastopenq->qlen--;
+                spin_unlock(&fastopenq->lock);
+                reqsk_free(req1);
+        }
+        return true;
+}
+/* Returns true if we should perform Fast Open on the SYN. The cookie (foc)
+ * may be updated and return the client in the SYN-ACK later. E.g., Fast Open
+ * cookie request (foc->len == 0).
+ */
+bool tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
+                      struct request_sock *req,
+                      struct tcp_fastopen_cookie *foc,
+                      struct dst_entry *dst)
+{
+        struct tcp_fastopen_cookie valid_foc = { .len = -1 };
+        bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
+        if (!((sysctl_tcp_fastopen & TFO_SERVER_ENABLE) &&
+              (syn_data || foc->len >= 0) &&
+              tcp_fastopen_queue_check(sk))) {
+                foc->len = -1;
+                return false;
+        }
+        if (syn_data && (sysctl_tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD))
+                goto fastopen;
+        if (tcp_fastopen_cookie_gen(req, skb, &valid_foc) &&
+            foc->len == TCP_FASTOPEN_COOKIE_SIZE &&
+            foc->len == valid_foc.len &&
+            !memcmp(foc->val, valid_foc.val, foc->len)) {
+                /* Cookie is valid. Create a (full) child socket to accept
+                 * the data in SYN before returning a SYN-ACK to ack the
+                 * data. If we fail to create the socket, fall back and
+                 * ack the ISN only but includes the same cookie.
+                 *
+                 * Note: Data-less SYN with valid cookie is allowed to send
+                 * data in SYN_RECV state.
+                 */
+fastopen:
+                if (tcp_fastopen_create_child(sk, skb, dst, req)) {
+                        foc->len = -1;
+                        NET_INC_STATS_BH(sock_net(sk),
+                                         LINUX_MIB_TCPFASTOPENPASSIVE);
+                        return true;
+                }
+        }
+        NET_INC_STATS_BH(sock_net(sk), foc->len ?
+                         LINUX_MIB_TCPFASTOPENPASSIVEFAIL :
+                         LINUX_MIB_TCPFASTOPENCOOKIEREQD);
+        *foc = valid_foc;
+        return false;
 }
+EXPORT_SYMBOL(tcp_try_fastopen);
author	David S. Miller <davem@davemloft.net>	2014-05-13 17:53:46 -0400
committer	David S. Miller <davem@davemloft.net>	2014-05-13 17:53:46 -0400
commit	ae8b42c6fc37ca1b7eb30898f5a65196bbb47291 (patch)
tree	a5e44c9427f0c6a5cb0e6252e3ccbd5ef4f7a50e /net/ipv4/tcp_fastopen.c
parent	4b9734e547aaa947e56480ecf6d509cf9cc307cc (diff)
parent	3a19ce0eec32667b835d8dc887002019fc6b3a02 (diff)

diff --git a/net/ipv4/tcp_fastopen.c b/net/ipv4/tcp_fastopen.c index f195d9316e55..62e48cf84e60 100644 --- a/net/ipv4/tcp_fastopen.c +++ b/net/ipv4/tcp_fastopen.c
@@ -72,25 +72,224 @@ error: kfree(ctx);
72	return err;	72	return err;
73	}	73	}
74		74
75	/* Computes the fastopen cookie for the IP path.	75	static bool __tcp_fastopen_cookie_gen(const void *path,
76	* The path is a 128 bits long (pad with zeros for IPv4).	76	struct tcp_fastopen_cookie *foc)
77	*
78	* The caller must check foc->len to determine if a valid cookie
79	* has been generated successfully.
80	*/
81	void tcp_fastopen_cookie_gen(__be32 src, __be32 dst,
82	struct tcp_fastopen_cookie *foc)
83	{	77	{
84	__be32 path[4] = { src, dst, 0, 0 };
85	struct tcp_fastopen_context *ctx;	78	struct tcp_fastopen_context *ctx;
		79	bool ok = false;
86		80
87	tcp_fastopen_init_key_once(true);	81	tcp_fastopen_init_key_once(true);
88		82
89	rcu_read_lock();	83	rcu_read_lock();
90	ctx = rcu_dereference(tcp_fastopen_ctx);	84	ctx = rcu_dereference(tcp_fastopen_ctx);
91	if (ctx) {	85	if (ctx) {
92	crypto_cipher_encrypt_one(ctx->tfm, foc->val, (__u8 *)path);	86	crypto_cipher_encrypt_one(ctx->tfm, foc->val, path);
93	foc->len = TCP_FASTOPEN_COOKIE_SIZE;	87	foc->len = TCP_FASTOPEN_COOKIE_SIZE;
		88	ok = true;
94	}	89	}
95	rcu_read_unlock();	90	rcu_read_unlock();
		91	return ok;
		92	}
		93
		94	/* Generate the fastopen cookie by doing aes128 encryption on both
		95	* the source and destination addresses. Pad 0s for IPv4 or IPv4-mapped-IPv6
		96	* addresses. For the longer IPv6 addresses use CBC-MAC.
		97	*
		98	* XXX (TFO) - refactor when TCP_FASTOPEN_COOKIE_SIZE != AES_BLOCK_SIZE.
		99	*/
		100	static bool tcp_fastopen_cookie_gen(struct request_sock *req,
		101	struct sk_buff *syn,
		102	struct tcp_fastopen_cookie *foc)
		103	{
		104	if (req->rsk_ops->family == AF_INET) {
		105	const struct iphdr *iph = ip_hdr(syn);
		106
		107	__be32 path[4] = { iph->saddr, iph->daddr, 0, 0 };
		108	return __tcp_fastopen_cookie_gen(path, foc);
		109	}
		110
		111	#if IS_ENABLED(CONFIG_IPV6)
		112	if (req->rsk_ops->family == AF_INET6) {
		113	const struct ipv6hdr *ip6h = ipv6_hdr(syn);
		114	struct tcp_fastopen_cookie tmp;
		115
		116	if (__tcp_fastopen_cookie_gen(&ip6h->saddr, &tmp)) {
		117	struct in6_addr buf = (struct in6_addr ) tmp.val;
		118	int i = 4;
		119
		120	for (i = 0; i < 4; i++)
		121	buf->s6_addr32[i] ^= ip6h->daddr.s6_addr32[i];
		122	return __tcp_fastopen_cookie_gen(buf, foc);
		123	}
		124	}
		125	#endif
		126	return false;
		127	}
		128
		129	static bool tcp_fastopen_create_child(struct sock *sk,
		130	struct sk_buff *skb,
		131	struct dst_entry *dst,
		132	struct request_sock *req)
		133	{
		134	struct tcp_sock *tp = tcp_sk(sk);
		135	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
		136	struct sock *child;
		137
		138	req->num_retrans = 0;
		139	req->num_timeout = 0;
		140	req->sk = NULL;
		141
		142	child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL);
		143	if (child == NULL)
		144	return false;
		145
		146	spin_lock(&queue->fastopenq->lock);
		147	queue->fastopenq->qlen++;
		148	spin_unlock(&queue->fastopenq->lock);
		149
		150	/* Initialize the child socket. Have to fix some values to take
		151	* into account the child is a Fast Open socket and is created
		152	* only out of the bits carried in the SYN packet.
		153	*/
		154	tp = tcp_sk(child);
		155
		156	tp->fastopen_rsk = req;
		157	/* Do a hold on the listner sk so that if the listener is being
		158	* closed, the child that has been accepted can live on and still
		159	* access listen_lock.
		160	*/
		161	sock_hold(sk);
		162	tcp_rsk(req)->listener = sk;
		163
		164	/* RFC1323: The window in SYN & SYN/ACK segments is never
		165	* scaled. So correct it appropriately.
		166	*/
		167	tp->snd_wnd = ntohs(tcp_hdr(skb)->window);
		168
		169	/* Activate the retrans timer so that SYNACK can be retransmitted.
		170	* The request socket is not added to the SYN table of the parent
		171	* because it's been added to the accept queue directly.
		172	*/
		173	inet_csk_reset_xmit_timer(child, ICSK_TIME_RETRANS,
		174	TCP_TIMEOUT_INIT, TCP_RTO_MAX);
		175
		176	/* Add the child socket directly into the accept queue */
		177	inet_csk_reqsk_queue_add(sk, req, child);
		178
		179	/* Now finish processing the fastopen child socket. */
		180	inet_csk(child)->icsk_af_ops->rebuild_header(child);
		181	tcp_init_congestion_control(child);
		182	tcp_mtup_init(child);
		183	tcp_init_metrics(child);
		184	tcp_init_buffer_space(child);
		185
		186	/* Queue the data carried in the SYN packet. We need to first
		187	* bump skb's refcnt because the caller will attempt to free it.
		188	*
		189	* XXX (TFO) - we honor a zero-payload TFO request for now,
		190	* (any reason not to?) but no need to queue the skb since
		191	* there is no data. How about SYN+FIN?
		192	*/
		193	if (TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1) {
		194	skb = skb_get(skb);
		195	skb_dst_drop(skb);
		196	__skb_pull(skb, tcp_hdr(skb)->doff * 4);
		197	skb_set_owner_r(skb, child);
		198	__skb_queue_tail(&child->sk_receive_queue, skb);
		199	tp->syn_data_acked = 1;
		200	}
		201	tcp_rsk(req)->rcv_nxt = tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
		202	sk->sk_data_ready(sk);
		203	bh_unlock_sock(child);
		204	sock_put(child);
		205	WARN_ON(req->sk == NULL);
		206	return true;
		207	}
		208	EXPORT_SYMBOL(tcp_fastopen_create_child);
		209
		210	static bool tcp_fastopen_queue_check(struct sock *sk)
		211	{
		212	struct fastopen_queue *fastopenq;
		213
		214	/* Make sure the listener has enabled fastopen, and we don't
		215	* exceed the max # of pending TFO requests allowed before trying
		216	* to validating the cookie in order to avoid burning CPU cycles
		217	* unnecessarily.
		218	*
		219	* XXX (TFO) - The implication of checking the max_qlen before
		220	* processing a cookie request is that clients can't differentiate
		221	* between qlen overflow causing Fast Open to be disabled
		222	* temporarily vs a server not supporting Fast Open at all.
		223	*/
		224	fastopenq = inet_csk(sk)->icsk_accept_queue.fastopenq;
		225	if (fastopenq == NULL \|\| fastopenq->max_qlen == 0)
		226	return false;
		227
		228	if (fastopenq->qlen >= fastopenq->max_qlen) {
		229	struct request_sock *req1;
		230	spin_lock(&fastopenq->lock);
		231	req1 = fastopenq->rskq_rst_head;
		232	if ((req1 == NULL) \|\| time_after(req1->expires, jiffies)) {
		233	spin_unlock(&fastopenq->lock);
		234	NET_INC_STATS_BH(sock_net(sk),
		235	LINUX_MIB_TCPFASTOPENLISTENOVERFLOW);
		236	return false;
		237	}
		238	fastopenq->rskq_rst_head = req1->dl_next;
		239	fastopenq->qlen--;
		240	spin_unlock(&fastopenq->lock);
		241	reqsk_free(req1);
		242	}
		243	return true;
		244	}
		245
		246	/* Returns true if we should perform Fast Open on the SYN. The cookie (foc)
		247	* may be updated and return the client in the SYN-ACK later. E.g., Fast Open
		248	* cookie request (foc->len == 0).
		249	*/
		250	bool tcp_try_fastopen(struct sock sk, struct sk_buff skb,
		251	struct request_sock *req,
		252	struct tcp_fastopen_cookie *foc,
		253	struct dst_entry *dst)
		254	{
		255	struct tcp_fastopen_cookie valid_foc = { .len = -1 };
		256	bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
		257
		258	if (!((sysctl_tcp_fastopen & TFO_SERVER_ENABLE) &&
		259	(syn_data \|\| foc->len >= 0) &&
		260	tcp_fastopen_queue_check(sk))) {
		261	foc->len = -1;
		262	return false;
		263	}
		264
		265	if (syn_data && (sysctl_tcp_fastopen & TFO_SERVER_COOKIE_NOT_REQD))
		266	goto fastopen;
		267
		268	if (tcp_fastopen_cookie_gen(req, skb, &valid_foc) &&
		269	foc->len == TCP_FASTOPEN_COOKIE_SIZE &&
		270	foc->len == valid_foc.len &&
		271	!memcmp(foc->val, valid_foc.val, foc->len)) {
		272	/* Cookie is valid. Create a (full) child socket to accept
		273	* the data in SYN before returning a SYN-ACK to ack the
		274	* data. If we fail to create the socket, fall back and
		275	* ack the ISN only but includes the same cookie.
		276	*
		277	* Note: Data-less SYN with valid cookie is allowed to send
		278	* data in SYN_RECV state.
		279	*/
		280	fastopen:
		281	if (tcp_fastopen_create_child(sk, skb, dst, req)) {
		282	foc->len = -1;
		283	NET_INC_STATS_BH(sock_net(sk),
		284	LINUX_MIB_TCPFASTOPENPASSIVE);
		285	return true;
		286	}
		287	}
		288
		289	NET_INC_STATS_BH(sock_net(sk), foc->len ?
		290	LINUX_MIB_TCPFASTOPENPASSIVEFAIL :
		291	LINUX_MIB_TCPFASTOPENCOOKIEREQD);
		292	*foc = valid_foc;
		293	return false;
96	}	294	}
		295	EXPORT_SYMBOL(tcp_try_fastopen);