mbox series

[v3,mptcp-next,0/3] more sockopts for ephemeral ports

Message ID 20231211120309.20752-1-max@internet.ru (mailing list archive)
Headers show
Series more sockopts for ephemeral ports | expand

Message

Maxim Galaganov Dec. 11, 2023, 12:03 p.m. UTC
Support useful sockopts that allow fine control over ephemeral port
usage.

v3:
 - Change patch 2/3 with regards to commit d9f28735af87 ("Use
   READ/WRITE_ONCE() for IP local_port_range.")
 - Drop Mat's Reviewed-By tag in patch 2/3 because of changes
v2:
 - Add patch 1/3 with function name change (Mat)
 - Fixup checkpatch errors in patch 2/3 (Mat)

Maxim Galaganov (3):
  mptcp: rename mptcp_setsockopt_sol_ip_set_transparent()
  mptcp: sockopt: support IP_LOCAL_PORT_RANGE and
    IP_BIND_ADDRESS_NO_PORT
  selftests/net: add MPTCP coverage for IP_LOCAL_PORT_RANGE

 net/mptcp/sockopt.c                           | 27 ++++++++++++++++---
 .../selftests/net/ip_local_port_range.c       | 12 +++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)

Comments

Matthieu Baerts (NGI0) Dec. 15, 2023, 1:56 p.m. UTC | #1
Hi Maxim, Mat,

On 11/12/2023 13:03, Maxim Galaganov wrote:
> Support useful sockopts that allow fine control over ephemeral port
> usage.
> 
> v3:
>  - Change patch 2/3 with regards to commit d9f28735af87 ("Use
>    READ/WRITE_ONCE() for IP local_port_range.")
>  - Drop Mat's Reviewed-By tag in patch 2/3 because of changes

Thank you for the patches and the reviews!

Please note that 'b4' is telling me that your emails are not properly
signed by your SMTP server:

  BADSIG: DKIM/internet.ru

That's not blocking here, but it could be a sign someone is trying to
forge the sender address.

These patches have been added in our tree: feat. for net-next.

New patches for t/upstream:
- 250382904050: mptcp: rename mptcp_setsockopt_sol_ip_set_transparent()
- be6fee83fad1: mptcp: sockopt: support IP_LOCAL_PORT_RANGE and
IP_BIND_ADDRESS_NO_PORT
- 5df30926310b: selftests/net: add MPTCP coverage for IP_LOCAL_PORT_RANGE
- Results: e2b8a59f008f..84d8fb414b2a (export)

Tests are now in progress:

https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20231215T134806

Cheers,
Matt
Maxim Galaganov Dec. 15, 2023, 2:15 p.m. UTC | #2
On 15.12.2023 16:56, Matthieu Baerts wrote:
> Hi Maxim, Mat,
> 
> On 11/12/2023 13:03, Maxim Galaganov wrote:
>> Support useful sockopts that allow fine control over ephemeral port
>> usage.
>>
>> v3:
>>   - Change patch 2/3 with regards to commit d9f28735af87 ("Use
>>     READ/WRITE_ONCE() for IP local_port_range.")
>>   - Drop Mat's Reviewed-By tag in patch 2/3 because of changes
> 
> Thank you for the patches and the reviews!
> 
> Please note that 'b4' is telling me that your emails are not properly
> signed by your SMTP server:
> 
>    BADSIG: DKIM/internet.ru
> 
> That's not blocking here, but it could be a sign someone is trying to
> forge the sender address.

This is because of DKIM expiration (DKIM-Signature header contains t= 
and x= tags, that make signature invalid after some time). It is 
reasonably effective to prevent DKIM replay attacks, also can be done by 
rotating DKIM selectors (gmail does that, IIRC).

Running b4 with -d flag tells:
DKIM: x= value is past (b'1702386232')

Otherwise header and body hashes should verify OK here..

> 
> These patches have been added in our tree: feat. for net-next.
> 
> New patches for t/upstream:
> - 250382904050: mptcp: rename mptcp_setsockopt_sol_ip_set_transparent()
> - be6fee83fad1: mptcp: sockopt: support IP_LOCAL_PORT_RANGE and
> IP_BIND_ADDRESS_NO_PORT
> - 5df30926310b: selftests/net: add MPTCP coverage for IP_LOCAL_PORT_RANGE
> - Results: e2b8a59f008f..84d8fb414b2a (export)
> 
> Tests are now in progress:
> 
> https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20231215T134806
> 
> Cheers,
> Matt
Matthieu Baerts (NGI0) Dec. 15, 2023, 2:28 p.m. UTC | #3
Hi Maxim,

On 15/12/2023 15:15, Maxim Galaganov wrote:
> On 15.12.2023 16:56, Matthieu Baerts wrote:
>> Hi Maxim, Mat,
>>
>> On 11/12/2023 13:03, Maxim Galaganov wrote:
>>> Support useful sockopts that allow fine control over ephemeral port
>>> usage.
>>>
>>> v3:
>>>   - Change patch 2/3 with regards to commit d9f28735af87 ("Use
>>>     READ/WRITE_ONCE() for IP local_port_range.")
>>>   - Drop Mat's Reviewed-By tag in patch 2/3 because of changes
>>
>> Thank you for the patches and the reviews!
>>
>> Please note that 'b4' is telling me that your emails are not properly
>> signed by your SMTP server:
>>
>>    BADSIG: DKIM/internet.ru
>>
>> That's not blocking here, but it could be a sign someone is trying to
>> forge the sender address.
> 
> This is because of DKIM expiration (DKIM-Signature header contains t=
> and x= tags, that make signature invalid after some time). It is
> reasonably effective to prevent DKIM replay attacks, also can be done by
> rotating DKIM selectors (gmail does that, IIRC).
> 
> Running b4 with -d flag tells:
> DKIM: x= value is past (b'1702386232')
> 
> Otherwise header and body hashes should verify OK here..

Thank you for having checked that! I already saw that before [1], but I
forgot about that!

[1]
https://lore.kernel.org/tools/ddeefd4d0323df0948565fea2ffb55793fdcc8dc@linux.dev/

Cheers,
Matt