On Tue, Jul 26, 2022 at 9:06 AM Eric Dumazet edumazet@google.com wrote:
On Tue, Jul 26, 2022 at 8:16 AM Leonard Crestez cdleonard@gmail.com wrote:
Tests are mostly copied from tcp_md5 with minor changes.
It covers VRF support but only based on binding multiple servers: not multiple keys bound to different interfaces.
Also add a specific -t tcp_authopt to run only these tests specifically.
Thanks for the test.
Could you amend the existing TCP MD5 test to make sure dual sockets mode is working ?
Apparently, if we have a dual stack listener socket (AF_INET6), correct incoming IPV4 SYNs are dropped.
If this is the case, fixing MD5 should happen first ;)
I think that we are very late in the cycle (linux-5.19 should be released in 5 days), and your patch set should not be merged so late.
I suspect bug was added in
commit 7bbb765b73496699a165d505ecdce962f903b422 Author: Dmitry Safonov 0x7f454c46@gmail.com Date: Wed Feb 23 17:57:40 2022 +0000
net/tcp: Merge TCP-MD5 inbound callbacks
a possible fix (also removing an indirect call for IPV4) could be:
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index ba2bdc81137490bd1748cde95789f8d2bff3ab0f..66b883d1683ddf7de6a8959a2b4e025a74c830b1 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -4534,8 +4534,14 @@ tcp_inbound_md5_hash(const struct sock *sk, const struct sk_buff *skb, }
/* check the signature */ - genhash = tp->af_specific->calc_md5_hash(newhash, hash_expected, - NULL, skb); + if (family == AF_INET) + genhash = tcp_v4_md5_hash_skb(newhash, + hash_expected, + NULL, skb); + else + genhash = tp->af_specific->calc_md5_hash(newhash, + hash_expected, + NULL, skb);
if (genhash || memcmp(hash_location, newhash, 16) != 0) { NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);