From: Dmitry Safonov
To: David Ahern, Eric Dumazet, Paolo Abeni, Jakub Kicinski, "David S. Miller"
Cc: linux-kernel@vger.kernel.org, Dmitry Safonov, Andy Lutomirski, Ard Biesheuvel, Bob Gilligan, Dan Carpenter, David Laight, Dmitry Safonov <0x7f454c46@gmail.com>, Donald Cassidy, Eric Biggers, "Eric W. Biederman", Francesco Ruggeri, "Gaillardetz, Dominik", Herbert Xu, Hideaki YOSHIFUJI, Ivan Delalande, Leonard Crestez, "Nassiri, Mohammad", Salam Noureddine, Simon Horman, "Tetreault, Francois", netdev@vger.kernel.org
Subject: [PATCH v10 net-next 13/23] net/tcp: Add TCP-AO segments counters
Date: Tue, 15 Aug 2023 20:14:42 +0100
Message-ID: <20230815191455.1872316-14-dima@arista.com>
In-Reply-To: <20230815191455.1872316-1-dima@arista.com>
References: <20230815191455.1872316-1-dima@arista.com>

Introduce segment counters that are useful for troubleshooting/debugging as well as for writing tests. Now there are global snmp counters as well as per-socket and per-key.

Co-developed-by: Francesco Ruggeri
Signed-off-by: Francesco Ruggeri
Co-developed-by: Salam Noureddine
Signed-off-by: Salam Noureddine
Signed-off-by: Dmitry Safonov
Acked-by: David Ahern
---
 include/net/dropreason-core.h | 15 +++++++++++----
 include/net/tcp.h             | 15 +++++++++++----
 include/net/tcp_ao.h          | 10 ++++++++++
 include/uapi/linux/snmp.h     |  4 ++++
 include/uapi/linux/tcp.h      |  8 +++++++-
 net/ipv4/proc.c               |  4 ++++
 net/ipv4/tcp_ao.c             | 30 +++++++++++++++++++++++++++---
 net/ipv4/tcp_ipv4.c           |  2 +-
 net/ipv6/tcp_ipv6.c           |  4 ++--
 9 files changed, 77 insertions(+), 15 deletions(-)

diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index 1de089ab73fd..f93ab108df4e 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h 
@@ -166,17 +166,24 @@ enum skb_drop_reason { */ SKB_DROP_REASON_TCP_MD5FAILURE, /** - * @SKB_DROP_REASON_TCP_AONOTFOUND: no TCP-AO hash and one was expected + * @SKB_DROP_REASON_TCP_AONOTFOUND: no TCP-AO hash and one was expected, + * corresponding to LINUX_MIB_TCPAOREQUIRED */ SKB_DROP_REASON_TCP_AONOTFOUND, /** * @SKB_DROP_REASON_TCP_AOUNEXPECTED: TCP-AO hash is present and it - * was not expected. + * was not expected, corresponding to LINUX_MIB_TCPAOKEYNOTFOUND */ SKB_DROP_REASON_TCP_AOUNEXPECTED, - /** @SKB_DROP_REASON_TCP_AOKEYNOTFOUND: TCP-AO key is unknown */ + /** + * @SKB_DROP_REASON_TCP_AOKEYNOTFOUND: TCP-AO key is unknown, + * corresponding to LINUX_MIB_TCPAOKEYNOTFOUND + */ SKB_DROP_REASON_TCP_AOKEYNOTFOUND, - /** @SKB_DROP_REASON_TCP_AOFAILURE: TCP-AO hash is wrong */ + /** + * @SKB_DROP_REASON_TCP_AOFAILURE: TCP-AO hash is wrong, + * corresponding to LINUX_MIB_TCPAOBAD + */ SKB_DROP_REASON_TCP_AOFAILURE, /** * @SKB_DROP_REASON_SOCKET_BACKLOG: failed to add skb to socket backlog ( diff --git a/include/net/tcp.h b/include/net/tcp.h index 684d6757e26f..a71e6a6f5192 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2606,7 +2606,7 @@ static inline int tcp_parse_auth_options(const struct= tcphdr *th, } =20 static inline bool tcp_ao_required(struct sock *sk, const void *saddr, - int family) + int family, bool stat_inc) { #ifdef CONFIG_TCP_AO struct tcp_ao_info *ao_info; @@ -2618,8 +2618,13 @@ static inline bool tcp_ao_required(struct sock *sk, = const void *saddr, return false; =20 ao_key =3D tcp_ao_do_lookup(sk, saddr, family, -1, -1); - if (ao_info->ao_required || ao_key) + if (ao_info->ao_required || ao_key) { + if (stat_inc) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOREQUIRED); + atomic64_inc(&ao_info->counters.ao_required); + } return true; + } #endif return false; } 
@@ -2641,8 +2646,10 @@ tcp_inbound_hash(struct sock *sk, const struct reque= st_sock *req, return SKB_DROP_REASON_TCP_AUTH_HDR; =20 if (req) { - if (tcp_rsk_used_ao(req) !=3D !!aoh) + if (tcp_rsk_used_ao(req) !=3D !!aoh) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); return SKB_DROP_REASON_TCP_AOFAILURE; + } } =20 /* sdif set, means packet ingressed via a device @@ -2657,7 +2664,7 @@ tcp_inbound_hash(struct sock *sk, const struct reques= t_sock *req, * the last key is impossible to remove, so there's * always at least one current_key. */ - if (tcp_ao_required(sk, saddr, family)) + if (tcp_ao_required(sk, saddr, family, true)) return SKB_DROP_REASON_TCP_AONOTFOUND; if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND); diff --git a/include/net/tcp_ao.h b/include/net/tcp_ao.h index e6cf7b1e74db..9fa8ff89f5e4 100644 --- a/include/net/tcp_ao.h +++ b/include/net/tcp_ao.h @@ -19,6 +19,13 @@ struct tcp_ao_hdr { u8 rnext_keyid; }; =20 +struct tcp_ao_counters { + atomic64_t pkt_good; + atomic64_t pkt_bad; + atomic64_t key_not_found; + atomic64_t ao_required; +}; + struct tcp_ao_key { struct hlist_node node; union tcp_ao_addr addr; @@ -33,6 +40,8 @@ struct tcp_ao_key { u8 rcvid; u8 maclen; struct rcu_head rcu; + atomic64_t pkt_good; + atomic64_t pkt_bad; u8 traffic_keys[]; }; =20 @@ -81,6 +90,7 @@ struct tcp_ao_info { */ struct tcp_ao_key *current_key; struct tcp_ao_key *rnext_key; + struct tcp_ao_counters counters; u32 ao_required :1, __unused :31; __be32 lisn; diff --git a/include/uapi/linux/snmp.h b/include/uapi/linux/snmp.h index 26f33a4c253d..06ddf4cd295c 100644 --- a/include/uapi/linux/snmp.h +++ b/include/uapi/linux/snmp.h 
@@ -296,6 +296,10 @@ enum LINUX_MIB_TCPMIGRATEREQSUCCESS, /* TCPMigrateReqSuccess */ LINUX_MIB_TCPMIGRATEREQFAILURE, /* TCPMigrateReqFailure */ LINUX_MIB_TCPPLBREHASH, /* TCPPLBRehash */ + LINUX_MIB_TCPAOREQUIRED, /* TCPAORequired */ + LINUX_MIB_TCPAOBAD, /* TCPAOBad */ + LINUX_MIB_TCPAOKEYNOTFOUND, /* TCPAOKeyNotFound */ + LINUX_MIB_TCPAOGOOD, /* TCPAOGood */ __LINUX_MIB_MAX }; =20 diff --git a/include/uapi/linux/tcp.h b/include/uapi/linux/tcp.h index 250e0ce2cc38..3fe0612ec59a 100644 --- a/include/uapi/linux/tcp.h +++ b/include/uapi/linux/tcp.h @@ -391,9 +391,15 @@ struct tcp_ao_info_opt { /* setsockopt(TCP_AO_INFO) */ __u32 set_current :1, /* corresponding ::current_key */ set_rnext :1, /* corresponding ::rnext */ ao_required :1, /* don't accept non-AO connects */ - reserved :29; /* must be 0 */ + set_counters :1, /* set/clear ::pkt_* counters */ + reserved :28; /* must be 0 */ + __u16 reserved2; /* padding, must be 0 */ __u8 current_key; /* KeyID to set as Current_key */ __u8 rnext; /* KeyID to set as Rnext_key */ + __u64 pkt_good; /* verified segments */ + __u64 pkt_bad; /* failed verification */ + __u64 pkt_key_not_found; /* could not find a key to verify */ + __u64 pkt_ao_required; /* segments missing TCP-AO sign */ } __attribute__((aligned(8))); =20 /* setsockopt(fd, IPPROTO_TCP, TCP_ZEROCOPY_RECEIVE, ...) */ diff --git a/net/ipv4/proc.c b/net/ipv4/proc.c index eaf1d3113b62..3f643cd29cfe 100644 --- a/net/ipv4/proc.c +++ b/net/ipv4/proc.c @@ -298,6 +298,10 @@ static const struct snmp_mib snmp4_net_list[] =3D { SNMP_MIB_ITEM("TCPMigrateReqSuccess", LINUX_MIB_TCPMIGRATEREQSUCCESS), SNMP_MIB_ITEM("TCPMigrateReqFailure", LINUX_MIB_TCPMIGRATEREQFAILURE), SNMP_MIB_ITEM("TCPPLBRehash", LINUX_MIB_TCPPLBREHASH), + SNMP_MIB_ITEM("TCPAORequired", LINUX_MIB_TCPAOREQUIRED), + SNMP_MIB_ITEM("TCPAOBad", LINUX_MIB_TCPAOBAD), + SNMP_MIB_ITEM("TCPAOKeyNotFound", LINUX_MIB_TCPAOKEYNOTFOUND), + SNMP_MIB_ITEM("TCPAOGood", LINUX_MIB_TCPAOGOOD), SNMP_MIB_SENTINEL }; =20 
diff --git a/net/ipv4/tcp_ao.c b/net/ipv4/tcp_ao.c index d7686586c9c4..88f32b163e0e 100644 --- a/net/ipv4/tcp_ao.c +++ b/net/ipv4/tcp_ao.c @@ -182,6 +182,8 @@ static struct tcp_ao_key *tcp_ao_copy_key(struct sock *= sk, *new_key =3D *key; INIT_HLIST_NODE(&new_key->node); tcp_sigpool_get(new_key->tcp_sigpool_id); + atomic64_set(&new_key->pkt_good, 0); + atomic64_set(&new_key->pkt_bad, 0); =20 return new_key; } @@ -738,8 +740,12 @@ tcp_ao_verify_hash(const struct sock *sk, const struct= sk_buff *skb, const struct tcphdr *th =3D tcp_hdr(skb); void *hash_buf =3D NULL; =20 - if (maclen !=3D tcp_ao_maclen(key)) + if (maclen !=3D tcp_ao_maclen(key)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); + atomic64_inc(&info->counters.pkt_bad); + atomic64_inc(&key->pkt_bad); return SKB_DROP_REASON_TCP_AOFAILURE; + } =20 hash_buf =3D kmalloc(tcp_ao_digest_size(key), GFP_ATOMIC); if (!hash_buf) @@ -749,9 +755,15 @@ tcp_ao_verify_hash(const struct sock *sk, const struct= sk_buff *skb, tcp_ao_hash_skb(family, hash_buf, key, sk, skb, traffic_key, (phash - (u8 *)th), sne); if (memcmp(phash, hash_buf, maclen)) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); + atomic64_inc(&info->counters.pkt_bad); + atomic64_inc(&key->pkt_bad); kfree(hash_buf); return SKB_DROP_REASON_TCP_AOFAILURE; } + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOGOOD); + atomic64_inc(&info->counters.pkt_good); + atomic64_inc(&key->pkt_good); kfree(hash_buf); return SKB_NOT_DROPPED_YET; } @@ -771,8 +783,10 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_b= uff *skb, u32 sne =3D 0; =20 info =3D rcu_dereference(tcp_sk(sk)->ao_info); - if (!info) + if (!info) { + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND); return SKB_DROP_REASON_TCP_AOUNEXPECTED; + } =20 if (unlikely(th->syn)) { sisn =3D th->seq; 
@@ -868,6 +882,8 @@ tcp_inbound_ao_hash(struct sock *sk, const struct sk_bu= ff *skb, return ret; =20 key_not_found: + NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND); + atomic64_inc(&info->counters.key_not_found); return SKB_DROP_REASON_TCP_AOKEYNOTFOUND; } =20 @@ -1435,6 +1451,8 @@ static int tcp_ao_add_cmd(struct sock *sk, unsigned s= hort int family, key->keyflags =3D cmd.keyflags; key->sndid =3D cmd.sndid; key->rcvid =3D cmd.rcvid; + atomic64_set(&key->pkt_good, 0); + atomic64_set(&key->pkt_bad, 0); =20 ret =3D tcp_ao_parse_crypto(&cmd, key); if (ret < 0) @@ -1651,7 +1669,7 @@ static int tcp_ao_info_cmd(struct sock *sk, unsigned = short int family, return -EINVAL; } =20 - if (cmd.reserved !=3D 0) + if (cmd.reserved !=3D 0 || cmd.reserved2 !=3D 0) return -EINVAL; =20 ao_info =3D setsockopt_ao_info(sk); @@ -1686,6 +1704,12 @@ static int tcp_ao_info_cmd(struct sock *sk, unsigned= short int family, goto out; } } + if (cmd.set_counters) { + atomic64_set(&ao_info->counters.pkt_good, cmd.pkt_good); + atomic64_set(&ao_info->counters.pkt_bad, cmd.pkt_bad); + atomic64_set(&ao_info->counters.key_not_found, cmd.pkt_key_not_found); + atomic64_set(&ao_info->counters.ao_required, cmd.pkt_ao_required); + } =20 ao_info->ao_required =3D cmd.ao_required; if (new_current) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index d15bdaf2dff1..883fa4403de7 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1526,7 +1526,7 @@ static int tcp_v4_parse_md5_keys(struct sock *sk, int= optname, /* Don't allow keys for peers that have a matching TCP-AO key. * See the comment in tcp_ao_add_cmd() */ - if (tcp_ao_required(sk, addr, AF_INET)) + if (tcp_ao_required(sk, addr, AF_INET, false)) return -EKEYREJECTED; =20 return tcp_md5_do_add(sk, addr, AF_INET, prefixlen, l3index, flags, diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index bd4422064923..fd3402fe77af 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c 
@@ -660,7 +660,7 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, int o= ptname, /* Don't allow keys for peers that have a matching TCP-AO key. * See the comment in tcp_ao_add_cmd() */ - if (tcp_ao_required(sk, addr, AF_INET)) + if (tcp_ao_required(sk, addr, AF_INET, false)) return -EKEYREJECTED; return tcp_md5_do_add(sk, addr, AF_INET, prefixlen, l3index, flags, @@ -672,7 +672,7 @@ static int tcp_v6_parse_md5_keys(struct sock *sk, int o= ptname, /* Don't allow keys for peers that have a matching TCP-AO key. * See the comment in tcp_ao_add_cmd() */ - if (tcp_ao_required(sk, addr, AF_INET6)) + if (tcp_ao_required(sk, addr, AF_INET6, false)) return -EKEYREJECTED; =20 return tcp_md5_do_add(sk, addr, AF_INET6, prefixlen, l3index, flags, --=20 2.41.0
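Review bot: the doc comments in the dropreason-core.h hunk map two distinct drop reasons, SKB_DROP_REASON_TCP_AOUNEXPECTED and SKB_DROP_REASON_TCP_AOKEYNOTFOUND, to the same LINUX_MIB_TCPAOKEYNOTFOUND, so the TCPAOKeyNotFound SNMP counter cannot distinguish "segment carried AO but the socket has no ao_info" from "ao_info exists but no key matched" (tcp_inbound_ao_hash() does bump the same MIB on both the `if (!info)` path and at the key_not_found label). If that coalescing is intended, say so in the comment; otherwise a separate MIB for the unexpected case would keep drop reasons and counters one-to-one.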
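Review bot: the new stat_inc parameter of tcp_ao_required() in the tcp.h hunk is passed as a bare true/false literal at all four call sites (tcp_inbound_hash(), tcp_v4_parse_md5_keys() and twice in tcp_v6_parse_md5_keys()), which does not convey that the distinction is "receive path counts a dropped segment" versus "setsockopt path only checks the policy". A short comment on the parameter in tcp.h, or a `/* stat_inc */` annotation at the call sites, would make that intent readable without chasing the definition.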
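Review bot: in the tcp_inbound_hash() hunk, the `tcp_rsk_used_ao(req) != !!aoh` mismatch bumps the global LINUX_MIB_TCPAOBAD but, unlike the failures in tcp_ao_verify_hash(), neither info->counters.pkt_bad nor a per-key pkt_bad, so the per-socket pkt_bad and the TCPAOBad MIB will diverge on this path. If that is deliberate because no ao_info or key has been resolved yet for a request socket, a one-line comment would pre-empt the question; the uapi comment "failed verification" on pkt_bad currently reads as if it covers this case too.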
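Review bot: the uapi tcp.h hunk adds pkt_good/pkt_bad/pkt_key_not_found/pkt_ao_required to struct tcp_ao_info_opt and the tcp_ao_info_cmd() hunk lets set_counters overwrite them, but nothing in this patch copies the per-socket counters back out to userspace, and the per-key pkt_good/pkt_bad added to struct tcp_ao_key have no readout here at all. Since the commit message presents per-socket and per-key counters as available, it should state where they become readable (e.g. a later patch in the series) so the ABI addition is reviewable on its own. The explicit `__u16 reserved2` together with the new `cmd.reserved2 != 0` check is the right way to keep the __u64 fields 8-byte aligned without silently accepting garbage in padding.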
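Review bot: the tcp_ao_verify_hash() hunk repeats the three-line sequence `NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD); atomic64_inc(&info->counters.pkt_bad); atomic64_inc(&key->pkt_bad);` in both failure branches (maclen mismatch and memcmp mismatch); a small static helper for the bad case, and a matching one for the good case, would keep the paths from drifting as more exits are added. It is also worth a comment that the kmalloc() failure between them counts as neither good nor bad, which is correct since it is not an authentication verdict.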
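Review bot: in the tcp_ao_copy_key() hunk the struct copy `*new_key = *key` would otherwise carry the listener's pkt_good/pkt_bad into the child socket's key, so the two atomic64_set() resets are needed; a one-line comment saying the child key starts counting from zero would save the next reader from checking whether the copy was meant to inherit them.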