Thread: 4 messages, 2 authors, 2015-01-31

Re: [PATCH net-next v2 2/6] net: Add STT tunneling protocol.

From: Tom Herbert <hidden>
Date: 2015-01-31 01:31:56

On Thu, Jan 29, 2015 at 9:02 PM, Pravin Shelar [off-list ref] wrote:
On Thu, Jan 29, 2015 at 8:10 PM, Tom Herbert [off-list ref] wrote:
On Thu, Jan 29, 2015 at 3:29 PM, Pravin B Shelar [off-list ref] wrote:
This adds device-level support for Stateless TCP Tunnel (STT)
protocol encapsulation. An NF-hook is used for receiving STT
packets from the networking stack.
Open vSwitch can be used for configuring, setting up and tearing down
STT tunnels.

The protocol is documented at
http://www.ietf.org/archive/id/draft-davie-stt-06.txt

Signed-off-by: Pravin B Shelar <redacted>
Signed-off-by: Jesse Gross <redacted>
---
 include/net/stt.h |   59 +++
 net/ipv4/Kconfig  |   11 +
 net/ipv4/Makefile |    1 +
 net/ipv4/stt.c    | 1398 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 1469 insertions(+)
 create mode 100644 include/net/stt.h
 create mode 100644 net/ipv4/stt.c
....
+
+static void tcp_sock_release(struct socket *sock)
+{
+       kernel_sock_shutdown(sock, SHUT_RDWR);
+       sk_release_kernel(sock->sk);
+}
+
+static int tcp_sock_create4(struct net *net, __be16 port,
+                           struct socket **sockp)
+{
+       int err;
+       struct socket *sock = NULL;
+       struct sockaddr_in tcp_addr;
+
+       err = sock_create_kern(AF_INET, SOCK_STREAM, 0, &sock);
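Review bot: the protocol argument to sock_create_kern() in tcp_sock_create4() is 0, which leaves protocol selection to the default for SOCK_STREAM; since the whole point of this socket is to reserve a TCP port, pass IPPROTO_TCP explicitly so the intent is visible to readers and the socket type cannot silently change if defaults do. The same function would also benefit from a comment stating that the socket is a port reservation only and never receives data, because tcp_sock_release() calling kernel_sock_shutdown(sock, SHUT_RDWR) on a socket that is never connected otherwise reads as if a live connection were being torn down.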
Should be: err = sock_create_kern(AF_INET, SOCK_STREAM, IPPROTO_TCP, &sock);
ok.
+       if (err < 0)
+               goto error;
+
+       sk_change_net(sock->sk, net);
+
+       memset(&tcp_addr, 0, sizeof(tcp_addr));
+       tcp_addr.sin_family = AF_INET;
+       tcp_addr.sin_addr.s_addr = htonl(INADDR_ANY);
+       tcp_addr.sin_port = port;
+       err = kernel_bind(sock, (struct sockaddr *)&tcp_addr,
+                         sizeof(tcp_addr));
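Review bot: after kernel_bind() the socket is left in the bound but never-listening state, so the port reservation does not show up as a listener in netstat or ss, and an administrator inspecting the host has no way to tell why inbound segments to this port draw no RST. Either add a kernel_listen() call after the bind, or document above tcp_sock_create4() that the socket exists solely to claim the port while delivery happens through the netfilter hook, so the invisibility is a recorded design decision rather than a surprise.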
I think there should also be a kernel_listen. I'm a little
surprised that this could work without it; it doesn't seem like we
should be finding closed sockets on input. In any case, even if that
did work, it is quite annoying that the socket doesn't appear in
"netstat -ant".
This is a fake TCP socket. It is created to gain exclusive access to the
TCP port. STT receives packets from the nf-hook, so there is no need for a
listening TCP socket.
I am not updating any socket stats, so I do not think you will see any
socket stats.
Neither the system nor the sysadmin will know these are "fake" TCP
sockets. To the outside world this looks like TCP packets being sent
to a closed port with no RSTs or replies being generated (one
conclusion may be a DoS attack of some sort). These sockets need to be
visible in management tools. If you call listen on it, at least we'll
see this in the open connections list, but it would be better to
create a completely new TCP state for STT sockets and display that.
+       if (err < 0)
+               goto error;
+
+       *sockp = sock;
+       return 0;
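Review bot: the error label jumped to when kernel_bind() fails is outside this hunk, and at that point sock is already allocated and has been moved into net by sk_change_net(), so the error path must release it (tcp_sock_release() or sk_release_kernel(sock->sk), not a plain sock_release() that would ignore the namespace switch) or every failed bind leaks a kernel socket holding a netns reference. The sock = NULL initialisation in the declaration suggests the label tests for NULL before releasing; it would be clearer to show that path in the same hunk as the goto that depends on it.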