net/tcp: Add tcp_hash_fail() ratelimited logs

Add a helper for logging connection-detailed messages for failed TCP
hash verification (both MD5 and AO).

Co-developed-by: Francesco Ruggeri <fruggeri@arista.com>
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Co-developed-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Salam Noureddine <noureddine@arista.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Acked-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Dmitry Safonov and committed by
David S. Miller
2717b5ad 64382c71

+61 -12
+12 -2
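--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -2748,12 +2748,18 @@
 	int l3index;
 
 	/* Invalid option or two times meet any of auth options */
-	if (tcp_parse_auth_options(th, &md5_location, &aoh))
+	if (tcp_parse_auth_options(th, &md5_location, &aoh)) {
+		tcp_hash_fail("TCP segment has incorrect auth options set",
+			      family, skb, "");
 		return SKB_DROP_REASON_TCP_AUTH_HDR;
+	}
 
 	if (req) {
 		if (tcp_rsk_used_ao(req) != !!aoh) {
 			NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
+			tcp_hash_fail("TCP connection can't start/end using TCP-AO",
+				      family, skb, "%s",
+				      !aoh ? "missing AO" : "AO signed");
 			return SKB_DROP_REASON_TCP_AOFAILURE;
 		}
 	}
@@ -2776,10 +2770,14 @@
 	 * the last key is impossible to remove, so there's
 	 * always at least one current_key.
 	 */
-	if (tcp_ao_required(sk, saddr, family, true))
+	if (tcp_ao_required(sk, saddr, family, true)) {
+		tcp_hash_fail("AO hash is required, but not found",
+			      family, skb, "L3 index %d", l3index);
 		return SKB_DROP_REASON_TCP_AONOTFOUND;
+	}
 	if (unlikely(tcp_md5_do_lookup(sk, l3index, saddr, family))) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
+		tcp_hash_fail("MD5 Hash not found", family, skb, "");
 		return SKB_DROP_REASON_TCP_MD5NOTFOUND;
 	}
 	return SKB_NOT_DROPPED_YET;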
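Review bot: Every tcp_hash_fail() call added here shadows the function's own `th`: the macro body from include/net/tcp_ao.h opens a block that declares `const struct tcphdr *th = tcp_hdr(skb);`, while this function already holds a `th` (the one passed to tcp_parse_auth_options() at the top of the hunk). It is legal C and both point at the same header today, but it fires under -Wshadow (W=2) builds and means a future outer `th` with a different meaning would be silently masked inside the log call; giving the macro's locals a kernel-style prefix, e.g. `const struct tcphdr *__th = tcp_hdr(skb);` used on the flag and port lines, fixes this at all twelve call sites in the commit. The same applies to the calls in net/ipv4/tcp.c and net/ipv4/tcp_ao.c. The enclosing function begins before the first hunk, so its parameter list and the `th` declaration are not visible here.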
+29
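--- a/include/net/tcp_ao.h
+++ b/include/net/tcp_ao.h
@@ -118,6 +118,35 @@
 	struct rcu_head rcu;
 };
 
+#define tcp_hash_fail(msg, family, skb, fmt, ...)			\
+do {									\
+	const struct tcphdr *th = tcp_hdr(skb);				\
+	char hdr_flags[5] = {};						\
+	char *f = hdr_flags;						\
+									\
+	if (th->fin)							\
+		*f++ = 'F';						\
+	if (th->syn)							\
+		*f++ = 'S';						\
+	if (th->rst)							\
+		*f++ = 'R';						\
+	if (th->ack)							\
+		*f++ = 'A';						\
+	if (f != hdr_flags)						\
+		*f = ' ';						\
+	if ((family) == AF_INET) {					\
+		net_info_ratelimited("%s for (%pI4, %d)->(%pI4, %d) %s" fmt "\n", \
+				     msg, &ip_hdr(skb)->saddr, ntohs(th->source), \
+				     &ip_hdr(skb)->daddr, ntohs(th->dest),	\
+				     hdr_flags, ##__VA_ARGS__);		\
+	} else {							\
+		net_info_ratelimited("%s for [%pI6c]:%u->[%pI6c]:%u %s" fmt "\n", \
+				     msg, &ipv6_hdr(skb)->saddr, ntohs(th->source), \
+				     &ipv6_hdr(skb)->daddr, ntohs(th->dest),	\
+				     hdr_flags, ##__VA_ARGS__);		\
+	}								\
+} while (0)
+
 #ifdef CONFIG_TCP_AO
 /* TCP-AO structures and functions */
 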
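Review bot: `char hdr_flags[5] = {};` is one byte short: the body can store 'F', 'S', 'R' and 'A' at indexes 0–3 and then writes `*f = ' '` at index 4, so a segment carrying all four flags fills the whole array and leaves no NUL for the `%s` conversion in either net_info_ratelimited() call, which then reads past the end of the stack buffer. The flag bits come straight from the received header, so a remote peer can trigger that combination; `char hdr_flags[6] = {};` keeps the zero-initialised terminator in every case. Two smaller points: the macro only works when `fmt` is a string literal (it is pasted into the format string), which deserves a comment above the `#define`, and since the full 28-line body is instantiated at each call site, an out-of-line helper (placed where it is built without CONFIG_TCP_AO, as the macro sits outside that `#ifdef`) would keep the header and the callers smaller.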
+13 -10
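--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -4383,7 +4383,6 @@
 	 * o MD5 hash and we're not expecting one.
 	 * o MD5 hash and its wrong.
 	 */
-	const struct tcphdr *th = tcp_hdr(skb);
 	const struct tcp_sock *tp = tcp_sk(sk);
 	struct tcp_md5sig_key *key;
 	u8 newhash[16];
@@ -4392,6 +4393,7 @@
 
 	if (!key && hash_location) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5UNEXPECTED);
+		tcp_hash_fail("Unexpected MD5 Hash found", family, skb, "");
 		return SKB_DROP_REASON_TCP_MD5UNEXPECTED;
 	}
 
@@ -4408,16 +4408,19 @@
 	if (genhash || memcmp(hash_location, newhash, 16) != 0) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
 		if (family == AF_INET) {
-			net_info_ratelimited("MD5 Hash failed for (%pI4, %d)->(%pI4, %d)%s L3 index %d\n",
-					     saddr, ntohs(th->source),
-					     daddr, ntohs(th->dest),
-					     genhash ? " tcp_v4_calc_md5_hash failed"
-					     : "", l3index);
+			tcp_hash_fail("MD5 Hash failed", AF_INET, skb, "%s L3 index %d",
+				      genhash ? "tcp_v4_calc_md5_hash failed"
+				      : "", l3index);
 		} else {
-			net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u L3 index %d\n",
-					     genhash ? "failed" : "mismatch",
-					     saddr, ntohs(th->source),
-					     daddr, ntohs(th->dest), l3index);
+			if (genhash) {
+				tcp_hash_fail("MD5 Hash failed",
+					      AF_INET6, skb, "L3 index %d",
+					      l3index);
+			} else {
+				tcp_hash_fail("MD5 Hash mismatch",
+					      AF_INET6, skb, "L3 index %d",
+					      l3index);
+			}
 		}
 		return SKB_DROP_REASON_TCP_MD5FAILURE;
 	}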
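Review bot: The rewritten failure log in the last hunk now words the same condition differently per family — IPv4 always reports "MD5 Hash failed" and only appends "tcp_v4_calc_md5_hash failed" when genhash is set, whereas IPv6 says "failed" or "mismatch" — and because tcp_hash_fail() already selects the address format from its family argument, the `if (family == AF_INET)` ladder is no longer needed. One call covers both: `tcp_hash_fail(genhash ? "MD5 Hash failed" : "MD5 Hash mismatch", family, skb, "L3 index %d", l3index);` — `msg` is emitted through a `%s` operand, so a conditional expression is fine there, only `fmt` must stay a literal. The "failed"/"mismatch" distinction still tells the reader whether the hash computation or the comparison failed. The enclosing function starts before the first hunk and continues past the last.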
+7
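--- a/net/ipv4/tcp_ao.c
+++ b/net/ipv4/tcp_ao.c
@@ -800,6 +800,8 @@
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
 		atomic64_inc(&info->counters.pkt_bad);
 		atomic64_inc(&key->pkt_bad);
+		tcp_hash_fail("AO hash wrong length", family, skb,
+			      "%u != %d", maclen, tcp_ao_maclen(key));
 		return SKB_DROP_REASON_TCP_AOFAILURE;
 	}
 
@@ -816,6 +814,7 @@
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOBAD);
 		atomic64_inc(&info->counters.pkt_bad);
 		atomic64_inc(&key->pkt_bad);
+		tcp_hash_fail("AO hash mismatch", family, skb, "");
 		kfree(hash_buf);
 		return SKB_DROP_REASON_TCP_AOFAILURE;
 	}
@@ -844,6 +841,8 @@
 	info = rcu_dereference(tcp_sk(sk)->ao_info);
 	if (!info) {
 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND);
+		tcp_hash_fail("AO key not found", family, skb,
+			      "keyid: %u", aoh->keyid);
 		return SKB_DROP_REASON_TCP_AOUNEXPECTED;
 	}
 
@@ -947,6 +942,8 @@
 key_not_found:
 	NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPAOKEYNOTFOUND);
 	atomic64_inc(&info->counters.key_not_found);
+	tcp_hash_fail("Requested by the peer AO key id not found",
+		      family, skb, "");
 	return SKB_DROP_REASON_TCP_AOKEYNOTFOUND;
 }
 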
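Review bot: The `key_not_found:` log in the last hunk omits the key id, although the "AO key not found" log in the third hunk reports it with `"keyid: %u", aoh->keyid` and both describe a peer-requested key id with no local match; in a rate-limited log the id is what lets an operator tell a misconfigured key from a stale one. If `aoh` is still in scope at the label (the function's start lies outside the hunk, so confirm), `tcp_hash_fail("Requested by the peer AO key id not found", family, skb, "keyid: %u", aoh->keyid);` makes the two messages equally actionable. The functions around all four hunks begin before them.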