Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 71c02379 authored by Christoph Paasch's avatar Christoph Paasch Committed by David S. Miller
Browse files

tcp: Configure TFO without cookie per socket and/or per route 



We already allow to enable TFO without a cookie by using the
fastopen-sysctl and setting it to TFO_SERVER_COOKIE_NOT_REQD (or
TFO_CLIENT_NO_COOKIE).
This is safe to do in certain environments where we know that there
isn't a malicous host (aka., data-centers) or when the
application-protocol already provides an authentication mechanism in the
first flight of data.

A server however might be providing multiple services or talking to both
sides (public Internet and data-center). So, this server would want to
enable cookie-less TFO for certain services and/or for connections that
go to the data-center.

This patch exposes a socket-option and a per-route attribute to enable such
fine-grained configurations.

Signed-off-by: default avatarChristoph Paasch <cpaasch@apple.com>
Reviewed-by: default avatarYuchung Cheng <ycheng@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent b6f4f848

include/linux/tcp.h

+2 −1
Original line number Diff line number Diff line
@@ -215,7 +215,8 @@ struct tcp_sock { 
	u8	chrono_type:2,	/* current chronograph type */

		rate_app_limited:1,  /* rate_{delivered,interval_us} limited? */

		fastopen_connect:1, /* FASTOPEN_CONNECT sockopt */

		unused:4;

		fastopen_no_cookie:1, /* Allow send/recv SYN+data without a cookie */

		unused:3;

	u8	nonagle     : 4,/* Disable Nagle algorithm?             */

		thin_lto    : 1,/* Use linear timeouts for thin streams */

		unused1	    : 1,

include/net/tcp.h

+2 −1
Original line number Diff line number Diff line
@@ -1567,7 +1567,8 @@ int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk, 
void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb);

struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,

			      struct request_sock *req,

			      struct tcp_fastopen_cookie *foc);

			      struct tcp_fastopen_cookie *foc,

			      const struct dst_entry *dst);

void tcp_fastopen_init_key_once(struct net *net);

bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,

			     struct tcp_fastopen_cookie *cookie);

include/uapi/linux/rtnetlink.h

+2 −0
Original line number Diff line number Diff line
@@ -430,6 +430,8 @@ enum { 
#define RTAX_QUICKACK RTAX_QUICKACK

	RTAX_CC_ALGO,

#define RTAX_CC_ALGO RTAX_CC_ALGO

	RTAX_FASTOPEN_NO_COOKIE,

#define RTAX_FASTOPEN_NO_COOKIE RTAX_FASTOPEN_NO_COOKIE

	__RTAX_MAX

};

include/uapi/linux/tcp.h

+1 −0
Original line number Diff line number Diff line
@@ -120,6 +120,7 @@ enum { 
#define TCP_ULP			31	/* Attach a ULP to a TCP connection */

#define TCP_MD5SIG_EXT		32	/* TCP MD5 Signature with extensions */

#define TCP_FASTOPEN_KEY	33	/* Set the key for Fast Open (cookie) */

#define TCP_FASTOPEN_NO_COOKIE	34	/* Enable TFO without a TFO cookie */



struct tcp_repair_opt {

	__u32	opt_code;

net/ipv4/tcp.c

+12 −0
Original line number Diff line number Diff line
@@ -2836,6 +2836,14 @@ static int do_tcp_setsockopt(struct sock *sk, int level, 
			err = -EOPNOTSUPP;

		}

		break;

	case TCP_FASTOPEN_NO_COOKIE:

		if (val > 1 || val < 0)

			err = -EINVAL;

		else if (!((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)))

			err = -EINVAL;

		else

			tp->fastopen_no_cookie = val;

		break;

	case TCP_TIMESTAMP:

		if (!tp->repair)

			err = -EPERM;
@@ -3256,6 +3264,10 @@ static int do_tcp_getsockopt(struct sock *sk, int level, 
		val = tp->fastopen_connect;

		break;



	case TCP_FASTOPEN_NO_COOKIE:

		val = tp->fastopen_no_cookie;

		break;



	case TCP_TIMESTAMP:

		val = tcp_time_stamp_raw() + tp->tsoffset;

		break;