@@ -6,6 +6,7 @@
#define DEFINE_DROP_REASON(FN, FNe) \
FN(NOT_SPECIFIED) \
FN(NO_SOCKET) \
+ FN(NO_REQSK_ALLOC) \
FN(PKT_TOO_SMALL) \
FN(TCP_CSUM) \
FN(SOCKET_FILTER) \
@@ -43,10 +44,12 @@
FN(TCP_FASTOPEN) \
FN(TCP_OLD_ACK) \
FN(TCP_TOO_OLD_ACK) \
+ FN(COOKIE_NOCHILD) \
FN(TCP_ACK_UNSENT_DATA) \
FN(TCP_OFO_QUEUE_PRUNE) \
FN(TCP_OFO_DROP) \
FN(IP_OUTNOROUTES) \
+ FN(IP_ROUTEOUTPUTKEY) \
FN(BPF_CGROUP_EGRESS) \
FN(IPV6DISABLED) \
FN(NEIGH_CREATEFAIL) \
@@ -54,6 +57,7 @@
FN(NEIGH_QUEUEFULL) \
FN(NEIGH_DEAD) \
FN(TC_EGRESS) \
+ FN(SECURITY_HOOK) \
FN(QDISC_DROP) \
FN(CPU_BACKLOG) \
FN(XDP) \
@@ -107,6 +111,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_NOT_SPECIFIED,
/** @SKB_DROP_REASON_NO_SOCKET: socket not found */
SKB_DROP_REASON_NO_SOCKET,
+ /** @SKB_DROP_REASON_NO_REQSK_ALLOC: request socket allocation failed */
+ SKB_DROP_REASON_NO_REQSK_ALLOC,
/** @SKB_DROP_REASON_PKT_TOO_SMALL: packet size is too small */
SKB_DROP_REASON_PKT_TOO_SMALL,
/** @SKB_DROP_REASON_TCP_CSUM: TCP checksum error */
@@ -243,6 +249,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_TCP_OLD_ACK,
/** @SKB_DROP_REASON_TCP_TOO_OLD_ACK: TCP ACK is too old */
SKB_DROP_REASON_TCP_TOO_OLD_ACK,
+ /** @SKB_DROP_REASON_COOKIE_NOCHILD: no child socket in cookie mode */
+ SKB_DROP_REASON_COOKIE_NOCHILD,
/**
* @SKB_DROP_REASON_TCP_ACK_UNSENT_DATA: TCP ACK for data we haven't
* sent yet
@@ -254,6 +262,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_TCP_OFO_DROP,
/** @SKB_DROP_REASON_IP_OUTNOROUTES: route lookup failed */
SKB_DROP_REASON_IP_OUTNOROUTES,
+ /** @SKB_DROP_REASON_IP_ROUTEOUTPUTKEY: route output key failed */
+ SKB_DROP_REASON_IP_ROUTEOUTPUTKEY,
/**
* @SKB_DROP_REASON_BPF_CGROUP_EGRESS: dropped by BPF_PROG_TYPE_CGROUP_SKB
* eBPF program
@@ -271,6 +281,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_NEIGH_DEAD,
/** @SKB_DROP_REASON_TC_EGRESS: dropped in TC egress HOOK */
SKB_DROP_REASON_TC_EGRESS,
+ /** @SKB_DROP_REASON_SECURITY_HOOK: dropped due to security HOOK */
+ SKB_DROP_REASON_SECURITY_HOOK,
/**
* @SKB_DROP_REASON_QDISC_DROP: dropped by qdisc when packet outputting (
* failed to enqueue to current qdisc)
@@ -492,7 +492,8 @@ struct sock *tcp_get_cookie_sock(struct sock *sk, struct sk_buff *skb,
struct request_sock *req,
struct dst_entry *dst);
int __cookie_v4_check(const struct iphdr *iph, const struct tcphdr *th);
-struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb);
+struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+ enum skb_drop_reason *reason);
struct request_sock *cookie_tcp_reqsk_alloc(const struct request_sock_ops *ops,
struct sock *sk, struct sk_buff *skb,
struct tcp_options_received *tcp_opt,
@@ -395,7 +395,8 @@ static struct request_sock *cookie_tcp_check(struct net *net, struct sock *sk,
* Output is listener if incoming packet would not create a child
* NULL if memory could not be allocated.
*/
-struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
+struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb,
+ enum skb_drop_reason *reason)
{
struct ip_options *opt = &TCP_SKB_CB(skb)->header.h4.opt;
const struct tcphdr *th = tcp_hdr(skb);
@@ -420,8 +421,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
if (IS_ERR(req))
goto out;
}
- if (!req)
+ if (!req) {
+ *reason = SKB_DROP_REASON_NO_REQSK_ALLOC;
goto out_drop;
+ }
ireq = inet_rsk(req);
@@ -433,8 +436,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
*/
RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(net, skb));
- if (security_inet_conn_request(sk, skb, req))
+ if (security_inet_conn_request(sk, skb, req)) {
+ *reason = SKB_DROP_REASON_SECURITY_HOOK;
goto out_free;
+ }
tcp_ao_syncookie(sk, skb, req, AF_INET);
@@ -451,8 +456,10 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
ireq->ir_loc_addr, th->source, th->dest, sk->sk_uid);
security_req_classify_flow(req, flowi4_to_flowi_common(&fl4));
rt = ip_route_output_key(net, &fl4);
- if (IS_ERR(rt))
+ if (IS_ERR(rt)) {
+ *reason = SKB_DROP_REASON_IP_ROUTEOUTPUTKEY;
goto out_free;
+ }
/* Try to redo what tcp_v4_send_synack did. */
req->rsk_window_clamp = tp->window_clamp ? :dst_metric(&rt->dst, RTAX_WINDOW);
@@ -477,6 +484,9 @@ struct sock *cookie_v4_check(struct sock *sk, struct sk_buff *skb)
*/
if (ret)
inet_sk(ret)->cork.fl.u.ip4 = fl4;
+ else
+ *reason = SKB_DROP_REASON_COOKIE_NOCHILD;
+
out:
return ret;
out_free:
@@ -1846,13 +1846,14 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
}
EXPORT_SYMBOL(tcp_v4_syn_recv_sock);
-static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb)
+static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb,
+ enum skb_drop_reason *reason)
{
#ifdef CONFIG_SYN_COOKIES
const struct tcphdr *th = tcp_hdr(skb);
if (!th->syn)
- sk = cookie_v4_check(sk, skb);
+ sk = cookie_v4_check(sk, skb, reason);
#endif
return sk;
}
@@ -1912,7 +1913,7 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
goto csum_err;
if (sk->sk_state == TCP_LISTEN) {
- struct sock *nsk = tcp_v4_cookie_check(sk, skb);
+ struct sock *nsk = tcp_v4_cookie_check(sk, skb, &reason);
if (!nsk)
goto discard;