Commit da40b613 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

tcp: add drop reason support to tcp_validate_incoming() 



Creates four new drop reasons for the following cases:

1) packet being rejected by RFC 7323 PAWS check
2) packet being rejected by SEQUENCE check
3) Invalid RST packet
4) Invalid SYN packet

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b5ec1e62

include/linux/skbuff.h

+6 −0
Original line number Diff line number Diff line
@@ -381,6 +381,12 @@ enum skb_drop_reason { 
					 * the ofo queue, corresponding to

					 * LINUX_MIB_TCPOFOMERGE

					 */

	SKB_DROP_REASON_TCP_RFC7323_PAWS, /* PAWS check, corresponding to

					   * LINUX_MIB_PAWSESTABREJECTED

					   */

	SKB_DROP_REASON_TCP_INVALID_SEQUENCE, /* Not acceptable SEQ field */

	SKB_DROP_REASON_TCP_RESET,	/* Invalid RST packet */

	SKB_DROP_REASON_TCP_INVALID_SYN, /* Incoming packet has unexpected SYN flag */

	SKB_DROP_REASON_IP_OUTNOROUTES,	/* route lookup failed */

	SKB_DROP_REASON_BPF_CGROUP_EGRESS,	/* dropped by

						 * BPF_PROG_TYPE_CGROUP_SKB

include/trace/events/skb.h

+5 −0
Original line number Diff line number Diff line
@@ -37,6 +37,11 @@ 
	EM(SKB_DROP_REASON_TCP_OLD_DATA, TCP_OLD_DATA)		\

	EM(SKB_DROP_REASON_TCP_OVERWINDOW, TCP_OVERWINDOW)	\

	EM(SKB_DROP_REASON_TCP_OFOMERGE, TCP_OFOMERGE)		\

	EM(SKB_DROP_REASON_TCP_RFC7323_PAWS, TCP_RFC7323_PAWS)	\

	EM(SKB_DROP_REASON_TCP_INVALID_SEQUENCE,		\

	   TCP_INVALID_SEQUENCE)				\

	EM(SKB_DROP_REASON_TCP_RESET, TCP_RESET)		\

	EM(SKB_DROP_REASON_TCP_INVALID_SYN, TCP_INVALID_SYN)	\

	EM(SKB_DROP_REASON_IP_OUTNOROUTES, IP_OUTNOROUTES)	\

	EM(SKB_DROP_REASON_BPF_CGROUP_EGRESS,			\

	   BPF_CGROUP_EGRESS)					\

net/ipv4/tcp_input.c

+6 −1
Original line number Diff line number Diff line
@@ -5667,6 +5667,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, 
				  const struct tcphdr *th, int syn_inerr)

{

	struct tcp_sock *tp = tcp_sk(sk);

	SKB_DR(reason);



	/* RFC1323: H1. Apply PAWS check first. */

	if (tcp_fast_parse_options(sock_net(sk), skb, th, tp) &&
@@ -5678,6 +5679,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, 
						  LINUX_MIB_TCPACKSKIPPEDPAWS,

						  &tp->last_oow_ack_time))

				tcp_send_dupack(sk, skb);

			SKB_DR_SET(reason, TCP_RFC7323_PAWS);

			goto discard;

		}

		/* Reset is accepted even if it did not pass PAWS. */
@@ -5701,6 +5703,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, 
		} else if (tcp_reset_check(sk, skb)) {

			goto reset;

		}

		SKB_DR_SET(reason, TCP_INVALID_SEQUENCE);

		goto discard;

	}
@@ -5743,6 +5746,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, 
		    sk->sk_state == TCP_ESTABLISHED)

			tcp_fastopen_active_disable(sk);

		tcp_send_challenge_ack(sk);

		SKB_DR_SET(reason, TCP_RESET);

		goto discard;

	}
@@ -5757,6 +5761,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, 
			TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS);

		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNCHALLENGE);

		tcp_send_challenge_ack(sk);

		SKB_DR_SET(reason, TCP_INVALID_SYN);

		goto discard;

	}
@@ -5765,7 +5770,7 @@ static bool tcp_validate_incoming(struct sock *sk, struct sk_buff *skb, 
	return true;



discard:

	tcp_drop(sk, skb);

	tcp_drop_reason(sk, skb, reason);

	return false;



reset: