Thread (12 messages) 12 messages, 3 authors, 2026-04-01

Re: [PATCH net-next v3 1/4] udp: Only compare daddr/dport when sk_state == TCP_ESTABLISHED

From: Kuniyuki Iwashima <kuniyu@google.com>
Date: 2026-03-31 01:21:51
Also in: bpf 

On Mon, Mar 30, 2026 at 2:57 PM Jordan Rife [off-list ref] wrote:
Adjust lookups and scoring to keep their results equivalent to before
even if inet_daddr+inet_dport are left intact after disconnecting a
socket (sk_state == TCP_CLOSE). sk_state == TCP_ESTABLISHED implies that
*daddr is non-zero, so remove redundant checks for that at the same
time. Note that __udp6_lib_demux_lookup already checks if sk_state ==
TCP_ESTABLISHED, so no change was needed there [1].

I could find no discernible difference in performance in
udp4_lib_lookup2 before and after the change in compute_score.
What workload did you test the series with ?

I think we want to see results under DDoS.
quoted hunk ↗ jump to hunk
(AMD Ryzen 9 9900X)

kprobe:udp4_lib_lookup2 {
        @start[cpu] = nsecs;
}
kretprobe:udp4_lib_lookup2 {
        @lookup[cpu] = hist(nsecs - @start[cpu], 2);
}

BEFORE
======
@lookup[11]:
[80, 96)         1387077 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
[96, 112)         364973 |@@@@@@@@@@@@@                                       |
[112, 128)         34261 |@                                                   |
[128, 160)          7246 |                                                    |
[160, 192)           215 |                                                    |
[192, 224)           126 |                                                    |

AFTER
=====
@lookup[11]:
[80, 96)         1408594 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@|
[96, 112)         340568 |@@@@@@@@@@@@                                        |
[112, 128)         30753 |@                                                   |
[128, 160)          8019 |                                                    |
[160, 192)           231 |                                                    |
[192, 224)           157 |                                                    |

[1]: https://lore.kernel.org/netdev/20170623222537.130493-1-tracywwnj@gmail.com/ (local)

Signed-off-by: Jordan Rife <redacted>
---
 net/ipv4/udp.c | 20 +++++++++++---------
 net/ipv6/udp.c | 18 +++++++++---------
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index b60fad393e18..d91c587c3657 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -385,16 +385,16 @@ static int compute_score(struct sock *sk, const struct net *net,
        score = (sk->sk_family == PF_INET) ? 2 : 1;

        inet = inet_sk(sk);
-       if (inet->inet_daddr) {
+       if (sk->sk_state == TCP_ESTABLISHED) {
                if (inet->inet_daddr != saddr)
                        return -1;
                score += 4;
-       }

-       if (inet->inet_dport) {
-               if (inet->inet_dport != sport)
-                       return -1;
-               score += 4;
+               if (inet->inet_dport) {
+                       if (inet->inet_dport != sport)
+                               return -1;
+                       score += 4;
+               }
        }

        dev_match = udp_sk_bound_dev_eq(net, sk->sk_bound_dev_if,
@@ -796,8 +796,9 @@ static inline bool __udp_is_mcast_sock(struct net *net, const struct sock *sk,

        if (!net_eq(sock_net(sk), net) ||
            udp_sk(sk)->udp_port_hash != hnum ||
-           (inet->inet_daddr && inet->inet_daddr != rmt_addr) ||
-           (inet->inet_dport != rmt_port && inet->inet_dport) ||
+           (sk->sk_state == TCP_ESTABLISHED &&
+            (inet->inet_daddr != rmt_addr ||
+            (inet->inet_dport != rmt_port && inet->inet_dport))) ||
            (inet->inet_rcv_saddr && inet->inet_rcv_saddr != loc_addr) ||
            ipv6_only_sock(sk) ||
            !udp_sk_bound_dev_eq(net, sk->sk_bound_dev_if, dif, sdif))
@@ -2854,7 +2855,8 @@ static struct sock *__udp4_lib_demux_lookup(struct net *net,
        ports = INET_COMBINED_PORTS(rmt_port, hnum);

        udp_portaddr_for_each_entry_rcu(sk, &hslot2->head) {
-               if (inet_match(net, sk, acookie, ports, dif, sdif))
+               if (sk->sk_state == TCP_ESTABLISHED &&
+                   inet_match(net, sk, acookie, ports, dif, sdif))
                        return sk;
                /* Only check first socket in chain */
                break;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 010b909275dd..b93a9a3e7678 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -147,16 +147,16 @@ static int compute_score(struct sock *sk, const struct net *net,
        score = 0;
        inet = inet_sk(sk);

-       if (inet->inet_dport) {
+       if (sk->sk_state == TCP_ESTABLISHED) {
                if (inet->inet_dport != sport)
                        return -1;
                score++;
-       }

-       if (!ipv6_addr_any(&sk->sk_v6_daddr)) {
-               if (!ipv6_addr_equal(&sk->sk_v6_daddr, saddr))
-                       return -1;
-               score++;
+               if (!ipv6_addr_any(&sk->sk_v6_daddr)) {
This looks unnecessary.
quoted hunk ↗ jump to hunk
+                       if (!ipv6_addr_equal(&sk->sk_v6_daddr, saddr))
+                               return -1;
+                       score++;
+               }
        }

        bound_dev_if = READ_ONCE(sk->sk_bound_dev_if);
@@ -949,9 +949,9 @@ static bool __udp_v6_is_mcast_sock(struct net *net, const struct sock *sk,

        if (udp_sk(sk)->udp_port_hash != hnum ||
            sk->sk_family != PF_INET6 ||
-           (inet->inet_dport && inet->inet_dport != rmt_port) ||
-           (!ipv6_addr_any(&sk->sk_v6_daddr) &&
-                   !ipv6_addr_equal(&sk->sk_v6_daddr, rmt_addr)) ||
+           (sk->sk_state == TCP_ESTABLISHED &&
+            ((inet->inet_dport && inet->inet_dport != rmt_port) ||
+            !ipv6_addr_equal(&sk->sk_v6_daddr, rmt_addr))) ||
            !udp_sk_bound_dev_eq(net, READ_ONCE(sk->sk_bound_dev_if), dif, sdif) ||
            (!ipv6_addr_any(&sk->sk_v6_rcv_saddr) &&
                    !ipv6_addr_equal(&sk->sk_v6_rcv_saddr, loc_addr)))
--
2.53.0.1118.gaef5881109-goog
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help