From: Dave Taht
Date: Wed, 5 Oct 2016 21:28:28 -0700
To: cake@lists.bufferbloat.net, "codel@lists.bufferbloat.net"
Subject: [Codel] [RFC PATCH] Don't give malicious CE senders a free ride

After doing myself in with BBR not respecting CE marks, I'm now thinking that perhaps the right thing for red/fq_codel/cake/pie/etc to do is actually *drop* stuff that it sees that is already CE marked, when it too wants to mark, instead of giving it a free ride.

It's an unfriendly world out there.

Not happy with the name of the function... and to me - it looks like the existing call sites for IP_ECN_set_ce would actually be saner if they always returned 0 instead of !ecn.

diff --git a/include/net/inet_ecn.h b/include/net/inet_ecn.h index dce2d58..3742d84 100644 --- a/include/net/inet_ecn.h +++ b/include/net/inet_ecn.h 
@@ -71,6 +71,36 @@ static inline void INET_ECN_dontxmit(struct sock *sk) (label) |=3D htonl(INET_ECN_ECT_0 << 20); \ } while (0) +/* When CE is already asserted, sometimes it is saner to drop the packet + in order to not give malicious CE senders as much of a free ride. */ + +static inline int IP_ECN_safe_set_ce(struct iphdr *iph) +{ + u32 check =3D (__force u32)iph->check; + u32 ecn =3D (iph->tos + 1) & INET_ECN_MASK; + + /* + * After the last operation we have (in binary): + * INET_ECN_NOT_ECT =3D> 01 + * INET_ECN_ECT_1 =3D> 10 + * INET_ECN_ECT_0 =3D> 11 + * INET_ECN_CE =3D> 00 + */ + if (!(ecn & 2)) + return 0; + + /* + * The following gives us: + * INET_ECN_ECT_1 =3D> check +=3D htons(0xFFFD) + * INET_ECN_ECT_0 =3D> check +=3D htons(0xFFFE) + */ + check +=3D (__force u16)htons(0xFFFB) + (__force u16)htons(ecn); + + iph->check =3D (__force __sum16)(check + (check>=3D0xFFFF)); + iph->tos |=3D INET_ECN_CE; + return 1; +} + 
-- 
Dave Täht
Let's go make home routers and wifi faster! With better software!
http://blog.cerowrt.org
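Review bot: In IP_ECN_safe_set_ce(), the early exit "if (!(ecn & 2)) return 0;" returns the same value for INET_ECN_NOT_ECT (01) and INET_ECN_CE (00), but the comment above the function never says what 0 and 1 mean to the caller. Since the purpose of the helper is that a packet arriving with CE already set gets dropped rather than passed through, please document the return contract explicitly: for example, that 1 means CE was newly set and the header checksum adjusted, and 0 means the packet was not marked and the caller is expected to drop it. The opening comment would also read better in the same block-comment layout as the two comments inside the function body. Finally, "safe" in the name does not tell a reader at the call site how this differs from a plain set; a name that reflects the already-CE case would make the intent clearer.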