iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

net/tcp: Only produce AO/MD5 logs if there are any keys

Browse Source 
User won't care about inproper hash options in the TCP header if they
don't use neither TCP-AO nor TCP-MD5. Yet, those logs can add up in
syslog, while not being a real concern to the host admin:
> kernel: TCP: TCP segment has incorrect auth options set for XX.20.239.12.54681->XX.XX.90.103.80 [S]

Keep silent and avoid logging when there aren't any keys in the system.

Side-note: I also defined static_branch_tcp_*() helpers to avoid more
ifdeffery, going to remove more ifdeffery further with their help.

Reported-by: Christian Kujau <lists@nerdbynature.de>
Closes: https://lore.kernel.org/all/f6b59324-1417-566f-a976-ff2402718a8d@nerdbynature.de/
Signed-off-by: Dmitry Safonov <dima@arista.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Fixes: 2717b5adea ("net/tcp: Add tcp_hash_fail() ratelimited logs")
Link: https://lore.kernel.org/r/20240104-tcp_hash_fail-logs-v1-1-ff3e1f6f9e72@arista.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Dmitry Safonov 2024-01-04 13:42:39 +00:00 committed by Jakub Kicinski
parent 2e957f9c32
commit 4c8530dc7d
2 changed files with 23 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/net/tcp.h
View File

@ -1788,8 +1788,6 @@ struct tcp_md5sig_key *tcp_v4_md5_lookup(const struct sock *sk,
const struct sock *addr_sk); const struct sock *addr_sk);
#ifdef CONFIG_TCP_MD5SIG #ifdef CONFIG_TCP_MD5SIG
#include <linux/jump_label.h>
extern struct static_key_false_deferred tcp_md5_needed;
struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index, struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index,
const union tcp_md5_addr *addr, const union tcp_md5_addr *addr,
int family, bool any_l3index); int family, bool any_l3index);

26
include/net/tcp_ao.h
View File

@ -127,12 +127,35 @@ struct tcp_ao_info {
struct rcu_head rcu; struct rcu_head rcu;
}; };
#ifdef CONFIG_TCP_MD5SIG
#include <linux/jump_label.h>
extern struct static_key_false_deferred tcp_md5_needed;
#define static_branch_tcp_md5() static_branch_unlikely(&tcp_md5_needed.key)
#else
#define static_branch_tcp_md5() false
#endif
#ifdef CONFIG_TCP_AO
/* TCP-AO structures and functions */
#include <linux/jump_label.h>
extern struct static_key_false_deferred tcp_ao_needed;
#define static_branch_tcp_ao() static_branch_unlikely(&tcp_ao_needed.key)
#else
#define static_branch_tcp_ao() false
#endif
static inline bool tcp_hash_should_produce_warnings(void)
{
return static_branch_tcp_md5() || static_branch_tcp_ao();
}
#define tcp_hash_fail(msg, family, skb, fmt, ...) \ #define tcp_hash_fail(msg, family, skb, fmt, ...) \
do { \ do { \
const struct tcphdr *th = tcp_hdr(skb); \ const struct tcphdr *th = tcp_hdr(skb); \
char hdr_flags[6]; \ char hdr_flags[6]; \
char *f = hdr_flags; \ char *f = hdr_flags; \
\ \
if (!tcp_hash_should_produce_warnings()) \
break; \
if (th->fin) \ if (th->fin) \
*f++ = 'F'; \ *f++ = 'F'; \
if (th->syn) \ if (th->syn) \
@ -159,9 +182,6 @@ do { \
#ifdef CONFIG_TCP_AO #ifdef CONFIG_TCP_AO
/* TCP-AO structures and functions */ /* TCP-AO structures and functions */
#include <linux/jump_label.h>
extern struct static_key_false_deferred tcp_ao_needed;
struct tcp4_ao_context { struct tcp4_ao_context {
__be32 saddr; __be32 saddr;
__be32 daddr; __be32 daddr;