本文详细介绍了TCP首部中SACK选项的解析过程及获取地址的方法,同时阐述了如何进行SACK块的合法性检查,包括在慢速路径中的解析时机与流程,以及对非法SACK块的处理方式。
不论是18版,还是37版,一开始都会从TCP的控制块中取出SACK选项的起始地址。
SACK选项的起始地址是保存在tcp_skb_cb结构的sacked项中的,那么这是在什么时候做的呢?
SACK块并不是总是合法的,非法的SACK块可能会引起处理错误,所以还需要进行SACK块的合法性检查。
本文主要内容:TCP首部中SACK选项的解析和地址的获取,SACK块的合法性检查。
Author:zhangskd @ csdn
SACK选项的地址
TCP_SKB_CB(skb)->sacked is initialized to offset corresponding to the start of the SACK option in the
TCP header for the segment received.
处理时机为:
tcp_rcv_established(),进入慢速路径时调用
| --> tcp_validate_incoming()
| --> tcp_fast_parse_options()
| --> tcp_parse_options()
在慢速路径中,有可能只带有TIMESTAMP选项,因此先用tcp_fast_parse_options()快速解析。
/* Fast parse options. This hopes to only see timestamps.
* If it is wrong it falls back on tcp_parse_options().
*/
static int tcp_fast_parse_options(struct sk_buff *skb, struct tcphdr *th, struct tcp_sock *tp, u8 **hvpp)
{
/* In the spirit of fast parsing, compare doff directly to constant values.
* Because equality is used, short doff can be ignored here.
*/
if (th->doff == (sizeof(*th) / 4)) { /* 没有带选项 */
tp->rx_opt.saw_tstamp = 0;
return 0;
} else if (tp->rx_opt.tstamp_ok &&
th->doff == ((sizeof(*th) + TCPOLEN_TSTAMP_ALIGNED) / 4)) { /* 只带有时间戳选项 */
if (tcp_parse_aligned_timestamp(tp, th))
return 1;
}
/* 如果以上的快速解析失败,则进行全面解析 */
tcp_parse_options(skb, &tp->rx_opt, hvpp, 1);
return 1;
}static int tcp_parse_aligned_timestamp(struct tcp_sock *tp, struct tcphdr *th)
{
__be32 *ptr = (__be32 *) (th + 1); /* 指向选项部分 */
/* 如果选项部分的前4个字节分别为:0x 01 01 08 0A */
if (*ptr == htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16)
| (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP)) {
tp->rx_opt.saw_tstamp = 1;
++ptr;
tp->rx_opt.rcv_tsval = ntohl(*ptr); /* 提取接收包的时间戳*/
++ptr;
tp->rx_opt.rcv_tsecr = ntohl(*ptr); /* 提取接收包的回显值*/
return 1;
}
return 0;
}
在慢速路径中,如果tcp_fast_parse_options()失败,则调用tcp_parse_options()全面解析TCP选项。
/* Look for tcp options. Normally only called on SYN and SYNACK packets.
* But, this can also be called on packets in the established flow when the fast version
* below fails.
*/
void tcp_parse_options(struct sk_buff *skb, struct tcp_options_received *opt_rx, u8 **hvpp, int estab)
{
unsigned char *ptr;
struct tcphdr *th = tcp_hdr(skb);
int length = (th->doff * 4) - sizeof(struct tcphdr); /* 选项总长度 */
ptr = (unsigned char *) (th + 1); /* 选项起始地址 */
opt_rx->saw_tstamp = 0; /* 此ACK有没有带时间戳接下来才知道 */
while (length > 0) {
int opcode = *ptr++; /* 选项kind */
int opsize;
switch (opcode) {
case TCPOPT_EOL: /* 结束选项,不常见到 */
return;
case TCPOPT_NOP: /* 填充选项 */
length--; /* 此选项只占一个字节 */
continue;
default:
opsize = *ptr++; /* 此选项长度 */
if (opsize < 2) /* "silly options" */
return; /* 选项长度过小 */
if (opsize > length)
return; /* don't parse partial options */
switch (opcode) {
...
case TCPOPT_SACK_PERM:
if (opsize == TCPOLEN_SACK_PERM && th->syn &&
!estab && sysctl_tcp_sack) {
opt_rx->sack_ok = 1; /* SYN包中显示支持SACK */
tcp_sack_reset(opt_rx); /* 清空dsack和num_sacks */
}
break;
case TCPOPT_SACK:
if ((opsize >= (TCPOLEN_SACK_BASE + TCPOLEN_SACK_PERBLOCK)) &&
!((opsize - TCPOLEN_SACK_BASE) % TCPOLEN_SACK_PERBLOCK) &&
opt_rx->sack_ok) {
/*保存SACK选项的起始地址偏移*/
TCP_SKB_CB(skb)->sacked = (ptr - 2) - (unsigned char *) th;
}
break;
...
}
}
}
}
/* TCP options */
#define TCPOPT_NOP 1 /* Padding */
#define TCPOPT_EOL 0 /* End of options */
#define TCPOPT_MSS 2 /* Segment size negotiating */
#define TCPOPT_WINDOW 3 /* Window Scaling */
#define TCPOPT_SACK_PERM 4 /* SACK Permitted */
#define TCPOPT_SACK 5 /* SACK Block */
#define TCPOPT_TIMESTAMP 8 /* Better RTT estimations/PAWS */
static inline void tcp_sack_reset(struct tcp_options_received *rx_opt)
{
rx_opt->dsack = 0;
rx_opt->num_sacks = 0;
}
/* This is the max number of SACKS that we'll generate and process.
* It's safe to increase this, although since:
* size = TCPOLEN_SACK_BASE_ALIGNED(4) + n * TCPOLEN_SACK_PERBLOCK(8)
* only four options will fit in a standard TCP header
*/
#define TCP_NUM_SACKS 4 /* SACK块数最多为4 */
SACK块合法性检查
检查SACK块或者DSACK块是否合法。
2.6.24之前的版本没有检查SACK块的合法性,而某些非法的SACK块可能会触发空指针的引用。
在3.1版本之前有一个小bug,处理DSACK时会产生问题,修复非常简单:
@if (! after(end_seq, tp->snd_una)),把非去掉。
符合以下任一条件的SACK块是合法的:
1. sack块和dsack块:snd_una < start_seq < end_seq <= snd_nxt
2. dsack块:undo_marker <= start_seq < end_seq <= snd_una
3. dsack块:start_seq < undo_marker < end_seq <= snd_una 且 end_seq - start_seq <= max_window
/* SACK block range validation checks that the received SACK block fits to the
* expected sequence limits, i.e., it is between SND.UNA and SND.NXT.
*/
static int tcp_is_sackblock_valid(struct tcp_sock *tp, int is_dsack, u32 start_seq, u32 end_seq)
{
/* Too far in future, or reversed (interpretation is ambiguous)
* end_seq超过了snd_nxt,或者start_seq >= end_seq,那么不合法
*/
if (after(end_seq, tp->snd_nxt) || ! before(start_seq, end_seq))
return 0;
/* Nasty start_seq wrap-around check (see comments above) */
* start_seq超过了snd_nxt
*/
if (! before(start_seq, tp->snd_nxt))
return 0;
/* In outstanding window? This is valid exit for D-SACKs too.
* start_seq == snd_una is non-sensical (see comments above)
*/
if (after(start_seq, tp->snd_una))
return 1; /* 合法 */
if (! is_dsack || ! tp->undo_marker)
return 0;
/* Then it's D-SACK, and must reside below snd_una completely.
* 注意在3.1以前这里是:! after(end_seq, tp->snd_una),是一个bug
*/
if (after(end_seq, tp->snd_una))
return 0;
if (! before(start_seq, tp->undo_marker))
return 1; /* dsack块合法 */
/* Too old,DSACK块太旧了*/
if (! after(end_seq, tp->undo_marker))
return 0;
/* Undo_marker boundary crossing */
return !before(start_seq, end_seq - tp->max_window);
}
扫一扫
1020
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
