Received: by 10.192.165.148 with SMTP id m20csp712164imm;
        Wed, 9 May 2018 22:22:30 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZoqlerJ5MPsumuWlWwVsT2TogrfLzov0ilOrJmlnwMzMtk57QS08PcT7tZyyMUVj+t4ez+J
X-Received: by 2002:a17:902:380c:: with SMTP id l12-v6mr36476530plc.19.1525929750666;
        Wed, 09 May 2018 22:22:30 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525929750; cv=none;
        d=google.com; s=arc-20160816;
        b=koTwQm3s9ZcCoVtOSfJo3YRlR2pmi1E7YgkIle+nS4OoU4Ai/SsQzjrXA42KsDJk5g
         12VhkuuPnHurffwGoKDiDRiPYAuenfwV/3TRI7nk/YWKZHTkA6BxmcnCkZ2u9aSSAUGz
         Zeq5P8CFicotDkhf4QoMlsrA6tSXdnBOTKeHJQgbvj65jlZL6QVLtQ04HJl8+eO1T4H9
         RSs2ZxaiVErOVYHL6iNkpDNW9MSRL+s9IuTfz3Q/69QrRXL4ZHe9xURfaAugY6Ro65Hn
         t8kUe1T1kejhHiNtqq8ezH9/rQSumJc4X53jddpDZRnKtyAiAqwhzzmhkpqiuf1KHy+0
         pjeA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature:arc-authentication-results;
        bh=SShF6S5n+uyiY9ICZMlSJHvycWTOpKFazxUQWpDWodM=;
        b=IMFX2yfY0vDBjT8ajuUdkmMjpEXyAwBDXJMBowYCth0bIrSLw0vdYMZDCeuATwzrRz
         eYVRQt13wOWeCNNmgbgc1ALLhwAa5HSzJDRR1XWVJgs4nih6slvczmJwTBT0I/6t5tj8
         OJxdkcDZmNbVY4FTbQsS8HgoPJJOMrfTlNw9L2mN9z24mFjL2i/wSpaaWMEcCYSlhlZo
         AXlsAWCKqep9oIUOy8Kqus5Ih4ejAXA2hC5eV+A01GNDZ+KZXy2VKuSZquGvWQfTJXyM
         LWNi6UXbKf0qvy6ZoZIPngWl0y0Yrl+jagr4TZvLZtBhpMLSxsvHpV25x6mmP5Fskjme
         3hsg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=rg2qH17O;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i1-v6si8247211pgt.358.2018.05.09.22.22.15;
        Wed, 09 May 2018 22:22:30 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=rg2qH17O;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1756630AbeEJFWB (ORCPT <rfc822;gklkml16@gmail.com> + 99 others);
        Thu, 10 May 2018 01:22:01 -0400
Received: from mail-pf0-f195.google.com ([209.85.192.195]:46112 "EHLO
        mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1756569AbeEJFV5 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 May 2018 01:21:57 -0400
Received: by mail-pf0-f195.google.com with SMTP id p12-v6so489119pff.13;
        Wed, 09 May 2018 22:21:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=SShF6S5n+uyiY9ICZMlSJHvycWTOpKFazxUQWpDWodM=;
        b=rg2qH17OvKzbpnznO6Tu6SoM2JOpNi9c2v+5CiimNt+WU+skvfQDixInS/zUEzGbeH
         v4JKrUDf8LbsrPlVUf3SUss7uXxcJI0PmqrexJYfTP2eHRGJqTGk+ajbej3nR+YyhS1a
         Yl/RcNrmt/LdjobF0G2UuEFnU5fPn8scy3VCDAajtzcavzSt5MlotHMkrkJZfMdmyT1D
         1y+ZsYlvQumQSBSkNiX8+Sw+Mk5lkM64b8zxKQ/NHa1m81EIHe6M0y30j5hdgGs2DPhc
         3EpYiw3SNdqoxIM4asYbZif3Te5KU7+Ln1hEKxCUj6KIOrj3SP+nh3BM1AXmMwUlZeE6
         BZHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=SShF6S5n+uyiY9ICZMlSJHvycWTOpKFazxUQWpDWodM=;
        b=qDHxAcOQ50So6+mGlADRsjl/aU2gg6aAXbJmPRrtdnprG4W+boUID28wFbiRAN3ga/
         93djSJMtNG+PGsE3L9iD2Emw2AwHiIi1CFFudwX5foCirAhnSSuMijr0SpTjv1qKdzwW
         f5F3piqtt8v7m5RY1VmT2gn+lVidpVNbT6QfqJgtx/AOOdVd4FqokdzRtClmWz7goxos
         RFopJ2M5z3+VX9OCJPIJZn4RwtfGSjmB5UQeQ6oikvn3DYa6RHU1eSGjo7uB6oK3ubKX
         H2XUcrhdYjaKSdH5jH2vJgcUe5aP5DMpD2LFsPkhVmzyIp9kMTB9VTsonU+UeeZfOERb
         4vow==
X-Gm-Message-State: ALQs6tDjvEi+B5Y0wt3kRneQu8b7Db8525z0ngIpgA12eQT4kkZ1aPyW
        elLHgA0M/nCAgE7nbPhAOm0WSKJ/
X-Received: by 10.98.201.135 with SMTP id l7mr45615635pfk.221.1525929716970;
        Wed, 09 May 2018 22:21:56 -0700 (PDT)
Received: from 192-168-1-116.tpgi.com.com (110-175-8-199.static.tpgi.com.au. [110.175.8.199])
        by smtp.gmail.com with ESMTPSA id 76sm75766788pfm.178.2018.05.09.22.21.53
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Wed, 09 May 2018 22:21:55 -0700 (PDT)
From:   Jon Maxwell <jmaxwell37@gmail.com>
To:     davem@davemloft.net
Cc:     kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        jmaxwell@redhat.com
Subject: [PATCH net-next v1] tcp: Add mark for TIMEWAIT sockets
Date:   Thu, 10 May 2018 15:21:11 +1000
Message-Id: <20180510052111.17886-1-jmaxwell37@gmail.com>
X-Mailer: git-send-email 2.13.6
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This version has some suggestions by Eric Dumazet:

- Use a local variable for the mark in IPv6 instead of ctl_sk to avoid SMP 
races. 
- Use the more elegant "IP4_REPLY_MARK(net, skb->mark) ?: sk->sk_mark"
statement. 

Aidan McGurn from Openwave Mobility systems reported the following bug:

"Marked routing is broken on customer deployment. Its effects are large 
increase in Uplink retransmissions caused by the client never receiving 
the final ACK to their FINACK - this ACK misses the mark and routes out 
of the incorrect route."

Currently marks are added to sk_buffs for replies when the "fwmark_reflect" 
sysctl is enabled. But not for TW sockets that had sk->sk_mark set via 
setsockopt(SO_MARK..).  

Fix this in IPv4/v6 by adding tw->tw_mark for TIME_WAIT sockets. Copy the the 
original sk->sk_mark in __inet_twsk_hashdance() to the new tw->tw_mark location. 
Then progate this so that the skb gets sent with the correct mark. Do the same 
for resets. Give the "fwmark_reflect" sysctl precedence over sk->sk_mark so that
netfilter rules are still honored.

Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
---
 include/net/inet_timewait_sock.h |  1 +
 net/ipv4/ip_output.c             |  2 +-
 net/ipv4/tcp_ipv4.c              | 18 ++++++++++++++++--
 net/ipv4/tcp_minisocks.c         |  1 +
 net/ipv6/tcp_ipv6.c              |  7 ++++++-
 5 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h
index c7be1ca8e562..659d8ed5a3bc 100644
--- a/include/net/inet_timewait_sock.h
+++ b/include/net/inet_timewait_sock.h
@@ -62,6 +62,7 @@ struct inet_timewait_sock {
 #define tw_dr			__tw_common.skc_tw_dr
 
 	int			tw_timeout;
+	__u32			tw_mark;
 	volatile unsigned char	tw_substate;
 	unsigned char		tw_rcv_wscale;
 
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 95adb171f852..b5e21eb198d8 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1561,7 +1561,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
 		oif = skb->skb_iif;
 
 	flowi4_init_output(&fl4, oif,
-			   IP4_REPLY_MARK(net, skb->mark),
+			   IP4_REPLY_MARK(net, skb->mark) ?: sk->sk_mark,
 			   RT_TOS(arg->tos),
 			   RT_SCOPE_UNIVERSE, ip_hdr(skb)->protocol,
 			   ip_reply_arg_flowi_flags(arg),
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index f70586b50838..fbee36579c83 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -621,6 +621,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 	struct sock *sk1 = NULL;
 #endif
 	struct net *net;
+	struct sock *ctl_sk;
 
 	/* Never send a reset in response to a reset. */
 	if (th->rst)
@@ -723,11 +724,17 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 	arg.tos = ip_hdr(skb)->tos;
 	arg.uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL);
 	local_bh_disable();
-	ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk),
+	ctl_sk = *this_cpu_ptr(net->ipv4.tcp_sk);
+	if (sk && sk->sk_state == TCP_TIME_WAIT)
+		ctl_sk->sk_mark = inet_twsk(sk)->tw_mark;
+	else if (sk && sk_fullsock(sk))
+		ctl_sk->sk_mark = sk->sk_mark;
+	ip_send_unicast_reply(ctl_sk,
 			      skb, &TCP_SKB_CB(skb)->header.h4.opt,
 			      ip_hdr(skb)->saddr, ip_hdr(skb)->daddr,
 			      &arg, arg.iov[0].iov_len);
 
+	ctl_sk->sk_mark = 0;
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 	__TCP_INC_STATS(net, TCP_MIB_OUTRSTS);
 	local_bh_enable();
@@ -759,6 +766,7 @@ static void tcp_v4_send_ack(const struct sock *sk,
 	} rep;
 	struct net *net = sock_net(sk);
 	struct ip_reply_arg arg;
+	struct sock *ctl_sk;
 
 	memset(&rep.th, 0, sizeof(struct tcphdr));
 	memset(&arg, 0, sizeof(arg));
@@ -809,11 +817,17 @@ static void tcp_v4_send_ack(const struct sock *sk,
 	arg.tos = tos;
 	arg.uid = sock_net_uid(net, sk_fullsock(sk) ? sk : NULL);
 	local_bh_disable();
-	ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk),
+	ctl_sk = *this_cpu_ptr(net->ipv4.tcp_sk);
+	if (sk && sk->sk_state == TCP_TIME_WAIT)
+		ctl_sk->sk_mark = inet_twsk(sk)->tw_mark;
+	else if (sk && sk_fullsock(sk))
+		ctl_sk->sk_mark = sk->sk_mark;
+	ip_send_unicast_reply(ctl_sk,
 			      skb, &TCP_SKB_CB(skb)->header.h4.opt,
 			      ip_hdr(skb)->saddr, ip_hdr(skb)->daddr,
 			      &arg, arg.iov[0].iov_len);
 
+	ctl_sk->sk_mark = 0;
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 	local_bh_enable();
 }
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 57b5468b5139..f867658b4b30 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -263,6 +263,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
 		struct inet_sock *inet = inet_sk(sk);
 
 		tw->tw_transparent	= inet->transparent;
+		tw->tw_mark		= sk->sk_mark;
 		tw->tw_rcv_wscale	= tp->rx_opt.rcv_wscale;
 		tcptw->tw_rcv_nxt	= tp->rcv_nxt;
 		tcptw->tw_snd_nxt	= tp->snd_nxt;
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6d664d83cd16..9b1ecdc1722e 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -803,6 +803,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
 	unsigned int tot_len = sizeof(struct tcphdr);
 	struct dst_entry *dst;
 	__be32 *topt;
+	__u32 mark = 0;
 
 	if (tsecr)
 		tot_len += TCPOLEN_TSTAMP_ALIGNED;
@@ -871,7 +872,11 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
 		fl6.flowi6_oif = oif;
 	}
 
-	fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark);
+	if (sk && sk->sk_state == TCP_TIME_WAIT)
+		mark = inet_twsk(sk)->tw_mark;
+	else if (sk && sk_fullsock(sk))
+		mark = sk->sk_mark;
+	fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark) ?: mark;
 	fl6.fl6_dport = t1->dest;
 	fl6.fl6_sport = t1->source;
 	fl6.flowi6_uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL);
-- 
2.13.6