Received: by 10.192.165.148 with SMTP id m20csp712164imm; Wed, 9 May 2018 22:22:30 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoqlerJ5MPsumuWlWwVsT2TogrfLzov0ilOrJmlnwMzMtk57QS08PcT7tZyyMUVj+t4ez+J X-Received: by 2002:a17:902:380c:: with SMTP id l12-v6mr36476530plc.19.1525929750666; Wed, 09 May 2018 22:22:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1525929750; cv=none; d=google.com; s=arc-20160816; b=koTwQm3s9ZcCoVtOSfJo3YRlR2pmi1E7YgkIle+nS4OoU4Ai/SsQzjrXA42KsDJk5g 12VhkuuPnHurffwGoKDiDRiPYAuenfwV/3TRI7nk/YWKZHTkA6BxmcnCkZ2u9aSSAUGz Zeq5P8CFicotDkhf4QoMlsrA6tSXdnBOTKeHJQgbvj65jlZL6QVLtQ04HJl8+eO1T4H9 RSs2ZxaiVErOVYHL6iNkpDNW9MSRL+s9IuTfz3Q/69QrRXL4ZHe9xURfaAugY6Ro65Hn t8kUe1T1kejhHiNtqq8ezH9/rQSumJc4X53jddpDZRnKtyAiAqwhzzmhkpqiuf1KHy+0 pjeA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=SShF6S5n+uyiY9ICZMlSJHvycWTOpKFazxUQWpDWodM=; b=IMFX2yfY0vDBjT8ajuUdkmMjpEXyAwBDXJMBowYCth0bIrSLw0vdYMZDCeuATwzrRz eYVRQt13wOWeCNNmgbgc1ALLhwAa5HSzJDRR1XWVJgs4nih6slvczmJwTBT0I/6t5tj8 OJxdkcDZmNbVY4FTbQsS8HgoPJJOMrfTlNw9L2mN9z24mFjL2i/wSpaaWMEcCYSlhlZo AXlsAWCKqep9oIUOy8Kqus5Ih4ejAXA2hC5eV+A01GNDZ+KZXy2VKuSZquGvWQfTJXyM LWNi6UXbKf0qvy6ZoZIPngWl0y0Yrl+jagr4TZvLZtBhpMLSxsvHpV25x6mmP5Fskjme 3hsg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=rg2qH17O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i1-v6si8247211pgt.358.2018.05.09.22.22.15; Wed, 09 May 2018 22:22:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=rg2qH17O; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756630AbeEJFWB (ORCPT + 99 others); Thu, 10 May 2018 01:22:01 -0400 Received: from mail-pf0-f195.google.com ([209.85.192.195]:46112 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756569AbeEJFV5 (ORCPT ); Thu, 10 May 2018 01:21:57 -0400 Received: by mail-pf0-f195.google.com with SMTP id p12-v6so489119pff.13; Wed, 09 May 2018 22:21:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=SShF6S5n+uyiY9ICZMlSJHvycWTOpKFazxUQWpDWodM=; b=rg2qH17OvKzbpnznO6Tu6SoM2JOpNi9c2v+5CiimNt+WU+skvfQDixInS/zUEzGbeH v4JKrUDf8LbsrPlVUf3SUss7uXxcJI0PmqrexJYfTP2eHRGJqTGk+ajbej3nR+YyhS1a Yl/RcNrmt/LdjobF0G2UuEFnU5fPn8scy3VCDAajtzcavzSt5MlotHMkrkJZfMdmyT1D 1y+ZsYlvQumQSBSkNiX8+Sw+Mk5lkM64b8zxKQ/NHa1m81EIHe6M0y30j5hdgGs2DPhc 3EpYiw3SNdqoxIM4asYbZif3Te5KU7+Ln1hEKxCUj6KIOrj3SP+nh3BM1AXmMwUlZeE6 BZHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=SShF6S5n+uyiY9ICZMlSJHvycWTOpKFazxUQWpDWodM=; b=qDHxAcOQ50So6+mGlADRsjl/aU2gg6aAXbJmPRrtdnprG4W+boUID28wFbiRAN3ga/ 93djSJMtNG+PGsE3L9iD2Emw2AwHiIi1CFFudwX5foCirAhnSSuMijr0SpTjv1qKdzwW f5F3piqtt8v7m5RY1VmT2gn+lVidpVNbT6QfqJgtx/AOOdVd4FqokdzRtClmWz7goxos RFopJ2M5z3+VX9OCJPIJZn4RwtfGSjmB5UQeQ6oikvn3DYa6RHU1eSGjo7uB6oK3ubKX H2XUcrhdYjaKSdH5jH2vJgcUe5aP5DMpD2LFsPkhVmzyIp9kMTB9VTsonU+UeeZfOERb 4vow== X-Gm-Message-State: ALQs6tDjvEi+B5Y0wt3kRneQu8b7Db8525z0ngIpgA12eQT4kkZ1aPyW elLHgA0M/nCAgE7nbPhAOm0WSKJ/ X-Received: by 10.98.201.135 with SMTP id l7mr45615635pfk.221.1525929716970; Wed, 09 May 2018 22:21:56 -0700 (PDT) Received: from 192-168-1-116.tpgi.com.com (110-175-8-199.static.tpgi.com.au. [110.175.8.199]) by smtp.gmail.com with ESMTPSA id 76sm75766788pfm.178.2018.05.09.22.21.53 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 09 May 2018 22:21:55 -0700 (PDT) From: Jon Maxwell To: davem@davemloft.net Cc: kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, jmaxwell@redhat.com Subject: [PATCH net-next v1] tcp: Add mark for TIMEWAIT sockets Date: Thu, 10 May 2018 15:21:11 +1000 Message-Id: <20180510052111.17886-1-jmaxwell37@gmail.com> X-Mailer: git-send-email 2.13.6 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This version has some suggestions by Eric Dumazet: - Use a local variable for the mark in IPv6 instead of ctl_sk to avoid SMP races. - Use the more elegant "IP4_REPLY_MARK(net, skb->mark) ?: sk->sk_mark" statement. Aidan McGurn from Openwave Mobility systems reported the following bug: "Marked routing is broken on customer deployment. Its effects are large increase in Uplink retransmissions caused by the client never receiving the final ACK to their FINACK - this ACK misses the mark and routes out of the incorrect route." Currently marks are added to sk_buffs for replies when the "fwmark_reflect" sysctl is enabled. But not for TW sockets that had sk->sk_mark set via setsockopt(SO_MARK..). Fix this in IPv4/v6 by adding tw->tw_mark for TIME_WAIT sockets. Copy the the original sk->sk_mark in __inet_twsk_hashdance() to the new tw->tw_mark location. Then progate this so that the skb gets sent with the correct mark. Do the same for resets. Give the "fwmark_reflect" sysctl precedence over sk->sk_mark so that netfilter rules are still honored. Signed-off-by: Jon Maxwell --- include/net/inet_timewait_sock.h | 1 + net/ipv4/ip_output.c | 2 +- net/ipv4/tcp_ipv4.c | 18 ++++++++++++++++-- net/ipv4/tcp_minisocks.c | 1 + net/ipv6/tcp_ipv6.c | 7 ++++++- 5 files changed, 25 insertions(+), 4 deletions(-) diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h index c7be1ca8e562..659d8ed5a3bc 100644 --- a/include/net/inet_timewait_sock.h +++ b/include/net/inet_timewait_sock.h @@ -62,6 +62,7 @@ struct inet_timewait_sock { #define tw_dr __tw_common.skc_tw_dr int tw_timeout; + __u32 tw_mark; volatile unsigned char tw_substate; unsigned char tw_rcv_wscale; diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 95adb171f852..b5e21eb198d8 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c @@ -1561,7 +1561,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb, oif = skb->skb_iif; flowi4_init_output(&fl4, oif, - IP4_REPLY_MARK(net, skb->mark), + IP4_REPLY_MARK(net, skb->mark) ?: sk->sk_mark, RT_TOS(arg->tos), RT_SCOPE_UNIVERSE, ip_hdr(skb)->protocol, ip_reply_arg_flowi_flags(arg), diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index f70586b50838..fbee36579c83 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -621,6 +621,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) struct sock *sk1 = NULL; #endif struct net *net; + struct sock *ctl_sk; /* Never send a reset in response to a reset. */ if (th->rst) @@ -723,11 +724,17 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) arg.tos = ip_hdr(skb)->tos; arg.uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL); local_bh_disable(); - ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), + ctl_sk = *this_cpu_ptr(net->ipv4.tcp_sk); + if (sk && sk->sk_state == TCP_TIME_WAIT) + ctl_sk->sk_mark = inet_twsk(sk)->tw_mark; + else if (sk && sk_fullsock(sk)) + ctl_sk->sk_mark = sk->sk_mark; + ip_send_unicast_reply(ctl_sk, skb, &TCP_SKB_CB(skb)->header.h4.opt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, &arg, arg.iov[0].iov_len); + ctl_sk->sk_mark = 0; __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); __TCP_INC_STATS(net, TCP_MIB_OUTRSTS); local_bh_enable(); @@ -759,6 +766,7 @@ static void tcp_v4_send_ack(const struct sock *sk, } rep; struct net *net = sock_net(sk); struct ip_reply_arg arg; + struct sock *ctl_sk; memset(&rep.th, 0, sizeof(struct tcphdr)); memset(&arg, 0, sizeof(arg)); @@ -809,11 +817,17 @@ static void tcp_v4_send_ack(const struct sock *sk, arg.tos = tos; arg.uid = sock_net_uid(net, sk_fullsock(sk) ? sk : NULL); local_bh_disable(); - ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), + ctl_sk = *this_cpu_ptr(net->ipv4.tcp_sk); + if (sk && sk->sk_state == TCP_TIME_WAIT) + ctl_sk->sk_mark = inet_twsk(sk)->tw_mark; + else if (sk && sk_fullsock(sk)) + ctl_sk->sk_mark = sk->sk_mark; + ip_send_unicast_reply(ctl_sk, skb, &TCP_SKB_CB(skb)->header.h4.opt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, &arg, arg.iov[0].iov_len); + ctl_sk->sk_mark = 0; __TCP_INC_STATS(net, TCP_MIB_OUTSEGS); local_bh_enable(); } diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index 57b5468b5139..f867658b4b30 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c @@ -263,6 +263,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo) struct inet_sock *inet = inet_sk(sk); tw->tw_transparent = inet->transparent; + tw->tw_mark = sk->sk_mark; tw->tw_rcv_wscale = tp->rx_opt.rcv_wscale; tcptw->tw_rcv_nxt = tp->rcv_nxt; tcptw->tw_snd_nxt = tp->snd_nxt; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 6d664d83cd16..9b1ecdc1722e 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -803,6 +803,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 unsigned int tot_len = sizeof(struct tcphdr); struct dst_entry *dst; __be32 *topt; + __u32 mark = 0; if (tsecr) tot_len += TCPOLEN_TSTAMP_ALIGNED; @@ -871,7 +872,11 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 fl6.flowi6_oif = oif; } - fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark); + if (sk && sk->sk_state == TCP_TIME_WAIT) + mark = inet_twsk(sk)->tw_mark; + else if (sk && sk_fullsock(sk)) + mark = sk->sk_mark; + fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark) ?: mark; fl6.fl6_dport = t1->dest; fl6.fl6_sport = t1->source; fl6.flowi6_uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL); -- 2.13.6