[v1] mptcp: pm: nl: announce deny-join-id0 attribute

[PATCH mptcp-net 0/7] mptcp: pm: nl: announce deny-join-id0 attribute

Posted by Matthieu Baerts (NGI0) 2 weeks, 4 days ago

During the connection establishment, a peer can tell the other that it
cannot establish new subflows to the initial IP address and port by
setting the 'C' flag [1]. Doing so makes sense when the sender is behind
a strict NAT, operating behind a legacy Layer 4 load balancer, or using
anycast IP address for example.

When this 'C' flag is set, the path-managers must then not try to
establish new subflow to the other peer's initial IP address and port.
The in-kernel PM has access to this info, but the userspace PM didn't.

The last patch is adding the new attribute in the Netlink events. Please
see the note with a question about how to add this new attribute.

But before that, a few fixes have been added:

- Patch 1: add remote_deny_join_id0 info on passive connections. A fix
  for v5.14.

- Patch 2: respect the deny_join_id0 attribute by blocking the creation
  of new subflows to the initial IP address and port if set. A fix for
  v5.19.

- Patch 3: record the deny_join_id0 info when TFO is used. A fix for
  v6.2.

- Patch 4: fix a wrong attribute type in the Netlink MPTCP specs. A fix
  for v6.7.

- Patch 5: stop mentioning net.mptcp.pm_type in the doc as it is
  deprecated. A fix for v6.15.

- Patch 6: support Shellcheck v0.11.0 in the MPTCP selftests.

Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
---
Matthieu Baerts (NGI0) (7):
      mptcp: set remote_deny_join_id0 on SYN recv
      mptcp: pm: userspace: respect deny_join_id0 attr
      mptcp: tfo: record 'deny join id0' info
      netlink: specs: mptcp: fix if-idx attribute type
      doc: mptcp: net.mptcp.pm_type is deprecated
      selftests: mptcp: shellcheck: support v0.11.0
      [RFC] mptcp: pm: nl: announce deny-join-id0 attribute

 Documentation/netlink/specs/mptcp_pm.yaml          | 9 ++++++---
 Documentation/networking/mptcp.rst                 | 8 ++++----
 include/uapi/linux/mptcp_pm.h                      | 5 +++--
 net/mptcp/options.c                                | 6 +++---
 net/mptcp/pm_netlink.c                             | 4 ++++
 net/mptcp/pm_userspace.c                           | 6 ++++++
 net/mptcp/subflow.c                                | 4 ++++
 tools/testing/selftests/net/mptcp/diag.sh          | 2 +-
 tools/testing/selftests/net/mptcp/mptcp_connect.sh | 2 +-
 tools/testing/selftests/net/mptcp/mptcp_join.sh    | 2 +-
 tools/testing/selftests/net/mptcp/mptcp_sockopt.sh | 2 +-
 tools/testing/selftests/net/mptcp/pm_netlink.sh    | 5 +++--
 tools/testing/selftests/net/mptcp/simult_flows.sh  | 2 +-
 tools/testing/selftests/net/mptcp/userspace_pm.sh  | 2 +-
 14 files changed, 39 insertions(+), 20 deletions(-)
---
base-commit: 569dfa7d27f329168b34177931080efc317511b1
change-id: 20250720-mptcp-pm-user-c-flag-a7d5d7a00c6f

Best regards,
-- 
Matthieu Baerts (NGI0) <matttbe@kernel.org>

Re: [PATCH mptcp-net 0/7] mptcp: pm: nl: announce deny-join-id0 attribute

Posted by Matthieu Baerts 1 week, 1 day ago

Hello,

On 29/08/2025 22:33, Matthieu Baerts (NGI0) wrote:
> During the connection establishment, a peer can tell the other that it
> cannot establish new subflows to the initial IP address and port by
> setting the 'C' flag [1]. Doing so makes sense when the sender is behind
> a strict NAT, operating behind a legacy Layer 4 load balancer, or using
> anycast IP address for example.
> 
> When this 'C' flag is set, the path-managers must then not try to
> establish new subflow to the other peer's initial IP address and port.
> The in-kernel PM has access to this info, but the userspace PM didn't.
> 
> The last patch is adding the new attribute in the Netlink events. Please
> see the note with a question about how to add this new attribute.
> 
> But before that, a few fixes have been added:
> 
> - Patch 1: add remote_deny_join_id0 info on passive connections. A fix
>   for v5.14.
> 
> - Patch 2: respect the deny_join_id0 attribute by blocking the creation
>   of new subflows to the initial IP address and port if set. A fix for
>   v5.19.
> 
> - Patch 3: record the deny_join_id0 info when TFO is used. A fix for
>   v6.2.
> 
> - Patch 4: fix a wrong attribute type in the Netlink MPTCP specs. A fix
>   for v6.7.
> 
> - Patch 5: stop mentioning net.mptcp.pm_type in the doc as it is
>   deprecated. A fix for v6.15.
> 
> - Patch 6: support Shellcheck v0.11.0 in the MPTCP selftests.
> 
> Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
> ---
> Matthieu Baerts (NGI0) (7):
>       mptcp: set remote_deny_join_id0 on SYN recv
>       mptcp: pm: userspace: respect deny_join_id0 attr
>       mptcp: tfo: record 'deny join id0' info

>       netlink: specs: mptcp: fix if-idx attribute type
>       doc: mptcp: net.mptcp.pm_type is deprecated
>       selftests: mptcp: shellcheck: support v0.11.0

I just applied these last 3 patches, reviewed by Geliang (Thanks)

New patches for t/upstream-net and t/upstream:
- 7dae247dbfe1: netlink: specs: mptcp: fix if-idx attribute type
- ef0f22271156: doc: mptcp: net.mptcp.pm_type is deprecated
- f44e77b81e04: selftests: mptcp: shellcheck: support v0.11.0
- Results: 64d8ee7c00d0..d449a1cf7863 (export-net)
- Results: 64f95ae49169..f6a1bd069542 (export)

Tests are now in progress:

- export-net:
https://github.com/multipath-tcp/mptcp_net-next/commit/bdfdb385586b1310d7789298f64a9a4075d879c5/checks
- export:
https://github.com/multipath-tcp/mptcp_net-next/commit/9c5417b6ec48952bda958c08960c129f69f0314a/checks

Cheers,
Matt
-- 
Sponsored by the NGI0 Core fund.

Re: [PATCH mptcp-net 0/7] mptcp: pm: nl: announce deny-join-id0 attribute

Posted by MPTCP CI 2 weeks, 4 days ago

Hi Matthieu,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal: Unstable: 1 failed test(s): selftest_mptcp_connect 🔴
- KVM Validation: debug: Unstable: 3 failed test(s): packetdrill_dss selftest_mptcp_connect_checksum selftest_mptcp_join 🔴
- KVM Validation: btf-normal (only bpftest_all): Success! ✅
- KVM Validation: btf-debug (only bpftest_all): Success! ✅
- Task: https://github.com/multipath-tcp/mptcp_net-next/actions/runs/17334080753

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/1fe573a443a0
Patchwork: https://patchwork.kernel.org/project/mptcp/list/?series=997044


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-normal

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (NGI0 Core)