Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Mon, Sep 26, 2016 at 07:54:37PM -0600, David Ahern wrote:
> On 9/26/16 4:38 PM, Cyrill Gorcunov wrote:
> > Something like
> > 
> > Index: linux-ml.git/include/uapi/linux/inet_diag.h
> > ===
> > --- linux-ml.git.orig/include/uapi/linux/inet_diag.h2016-09-11 
> > 20:56:18.191584145 +0300
> > +++ linux-ml.git/include/uapi/linux/inet_diag.h 2016-09-27 
> > 01:34:08.413172394 +0300
> > @@ -38,7 +38,7 @@ struct inet_diag_req_v2 {
> > __u8sdiag_family;
> > __u8sdiag_protocol;
> > __u8idiag_ext;
> > -   __u8pad;
> > +   __u8sdiag_raw_protocol; /* SOCK_RAW only, @pad for others */
> 
> Seems like that should be a union to keep the API.

Is anonymous union (which is not part of c99) are acceptable in uapi?
Initially I declared it as union but then scratched my head if this
would be acceptable.

> 
> 
> > __u32   idiag_states;
> > struct inet_diag_sockid id;
> >  };
> > 
> > and in raw-diag module we will use @sdiag_raw_protocol instead of
> > @sdiag_protocol field. Didn't cover ss tool source code yet but
> > I think the idea is seen. Still not sure if start using @pad here
> > is a good idea (it's uapi), maybe beter to ask nla attribute which would
> > come right afterh the inet_diag_req_v2 message?
> > 
> 
> seems reasonable to me since 2 protocols need to be sent to the kernel.
> 
> Alternatively, sdiag_protocol could be the actual protocol and the pad union 
> be a flag field
> with say bit 0 = INET_DIAG_FLAG_SOCK_RAW. Allows other overrides in the 
> future if needed.

The @sdiag_protocol used for matching in diag module handler, so no, I think
we should not change this semantics. I would stick with @pad usage and if
anonymous unions are acceptable this would be just great.

Cyrill

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/26/16 4:38 PM, Cyrill Gorcunov wrote:
> Something like
> 
> Index: linux-ml.git/include/uapi/linux/inet_diag.h
> ===
> --- linux-ml.git.orig/include/uapi/linux/inet_diag.h2016-09-11 
> 20:56:18.191584145 +0300
> +++ linux-ml.git/include/uapi/linux/inet_diag.h 2016-09-27 01:34:08.413172394 
> +0300
> @@ -38,7 +38,7 @@ struct inet_diag_req_v2 {
> __u8sdiag_family;
> __u8sdiag_protocol;
> __u8idiag_ext;
> -   __u8pad;
> +   __u8sdiag_raw_protocol; /* SOCK_RAW only, @pad for others */

Seems like that should be a union to keep the API.


> __u32   idiag_states;
> struct inet_diag_sockid id;
>  };
> 
> and in raw-diag module we will use @sdiag_raw_protocol instead of
> @sdiag_protocol field. Didn't cover ss tool source code yet but
> I think the idea is seen. Still not sure if start using @pad here
> is a good idea (it's uapi), maybe beter to ask nla attribute which would
> come right afterh the inet_diag_req_v2 message?
> 

seems reasonable to me since 2 protocols need to be sent to the kernel.

Alternatively, sdiag_protocol could be the actual protocol and the pad union be 
a flag field with say bit 0 = INET_DIAG_FLAG_SOCK_RAW. Allows other overrides 
in the future if needed.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Wed, Sep 21, 2016 at 12:13:43AM +0300, Cyrill Gorcunov wrote:
> On Fri, Sep 16, 2016 at 11:07:22PM +0300, Cyrill Gorcunov wrote:
> > > It may well be a ss bug / problem. As I mentioned I am always seeing 255 
> > > for the protocol which
> > 
> > It is rather not addressed in ss. I mean, look, when we send out a diag 
> > packet
> > the kernel look ups for a handler, which for raw protocol we register as
> > 
> > static const struct inet_diag_handler raw_diag_handler = {
> > .dump= raw_diag_dump,
> > .dump_one= raw_diag_dump_one,
> > .idiag_get_info= raw_diag_get_info,
> > .idiag_type= IPPROTO_RAW,
> > .idiag_info_size= 0,
> > #ifdef CONFIG_INET_DIAG_DESTROY
> > .destroy= raw_diag_destroy,
> > #endif
> > };
> > 
> > so if we patch ss and ask for IPPROTO_ICMP in netlink packet the
> > kernel simply won't find anything. Thus I think we need (well, I need)
> > to extend the patch and register IPPROTO_ICMP diag type, then
> > extend ss as well. (If only I didn't miss somethin obvious).
> > 
> > > is odd since ss does a dump and takes the matches and invokes the kill.
> > > Thanks for taking the time to do the kill piece.
> 
> Sorry for delay in reply (I got flu unexpectedly). You know, it eventually
> become uneasy to implement handling for sock-raw because they are special.
> They described as ipproto-ip in net/ipv4/af_inet.c, so it matches any
> protocol specified with the socket call. In turn inet-diag module handled
> predefined protocols only, in particular IPPROTO_RAW in our case. Thus
> to fecth some real protocol sitting in raw sockets hashes we need some
> kind of additional argument passed in the request. I guess we may
> use @idiag_ext field for this sake? Or require @idiag_ext to have
> INET_DIAG_PROTOCOL bit set and then fetch real protocol from
> additional attribute? Sounds ok?

Something like

Index: linux-ml.git/include/uapi/linux/inet_diag.h
===
--- linux-ml.git.orig/include/uapi/linux/inet_diag.h2016-09-11 
20:56:18.191584145 +0300
+++ linux-ml.git/include/uapi/linux/inet_diag.h 2016-09-27 01:34:08.413172394 
+0300
@@ -38,7 +38,7 @@ struct inet_diag_req_v2 {
__u8sdiag_family;
__u8sdiag_protocol;
__u8idiag_ext;
-   __u8pad;
+   __u8sdiag_raw_protocol; /* SOCK_RAW only, @pad for others */
__u32   idiag_states;
struct inet_diag_sockid id;
 };

and in raw-diag module we will use @sdiag_raw_protocol instead of
@sdiag_protocol field. Didn't cover ss tool source code yet but
I think the idea is seen. Still not sure if start using @pad here
is a good idea (it's uapi), maybe beter to ask nla attribute which would
come right afterh the inet_diag_req_v2 message?

Cyrill

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Fri, Sep 16, 2016 at 11:07:22PM +0300, Cyrill Gorcunov wrote:
> > It may well be a ss bug / problem. As I mentioned I am always seeing 255 
> > for the protocol which
> 
> It is rather not addressed in ss. I mean, look, when we send out a diag packet
> the kernel look ups for a handler, which for raw protocol we register as
> 
> static const struct inet_diag_handler raw_diag_handler = {
>   .dump= raw_diag_dump,
>   .dump_one= raw_diag_dump_one,
>   .idiag_get_info= raw_diag_get_info,
>   .idiag_type= IPPROTO_RAW,
>   .idiag_info_size= 0,
> #ifdef CONFIG_INET_DIAG_DESTROY
>   .destroy= raw_diag_destroy,
> #endif
> };
> 
> so if we patch ss and ask for IPPROTO_ICMP in netlink packet the
> kernel simply won't find anything. Thus I think we need (well, I need)
> to extend the patch and register IPPROTO_ICMP diag type, then
> extend ss as well. (If only I didn't miss somethin obvious).
> 
> > is odd since ss does a dump and takes the matches and invokes the kill.
> > Thanks for taking the time to do the kill piece.

Sorry for delay in reply (I got flu unexpectedly). You know, it eventually
become uneasy to implement handling for sock-raw because they are special.
They described as ipproto-ip in net/ipv4/af_inet.c, so it matches any
protocol specified with the socket call. In turn inet-diag module handled
predefined protocols only, in particular IPPROTO_RAW in our case. Thus
to fecth some real protocol sitting in raw sockets hashes we need some
kind of additional argument passed in the request. I guess we may
use @idiag_ext field for this sake? Or require @idiag_ext to have
INET_DIAG_PROTOCOL bit set and then fetch real protocol from
additional attribute? Sounds ok?

Cyrill

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Fri, Sep 16, 2016 at 01:55:42PM -0600, David Ahern wrote:
> >> Since the display is showing sockets in addition to IPPROTO_RAW:
> >>
> >> $ ss -A raw
> >> State  Recv-Q Send-QLocal Address:Port 
> >> Peer Address:Port
> >> UNCONN 0  0*%eth0:icmp 
> >>*:*
> >>
> >> It is going to be confusing if only ipproto-255 sockets can be killed.
> > 
> > OK, gimme some time to implement it. Hopefully on the weekend or monday.
> > Thanks a huge for feedback!
> > 
> 
> It may well be a ss bug / problem. As I mentioned I am always seeing 255 for 
> the protocol which

It is rather not addressed in ss. I mean, look, when we send out a diag packet
the kernel look ups for a handler, which for raw protocol we register as

static const struct inet_diag_handler raw_diag_handler = {
.dump= raw_diag_dump,
.dump_one= raw_diag_dump_one,
.idiag_get_info= raw_diag_get_info,
.idiag_type= IPPROTO_RAW,
.idiag_info_size= 0,
#ifdef CONFIG_INET_DIAG_DESTROY
.destroy= raw_diag_destroy,
#endif
};

so if we patch ss and ask for IPPROTO_ICMP in netlink packet the
kernel simply won't find anything. Thus I think we need (well, I need)
to extend the patch and register IPPROTO_ICMP diag type, then
extend ss as well. (If only I didn't miss somethin obvious).

> is odd since ss does a dump and takes the matches and invokes the kill. 
> Thanks for taking
> the time to do the kill piece.

Sure!

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/16/16 1:52 PM, Cyrill Gorcunov wrote:
> On Fri, Sep 16, 2016 at 01:47:57PM -0600, David Ahern wrote:

 I'm guessing you passed IPPROTO_RAW (255) as the protocol to socket(). If 
 you pass something
 else (IPPROTO_ICMP for example) it won't work.
>>>
>>> True. To support IPPROTO_ICMP it need enhancement. I thought start with
>>> plain _RAW first and then extend to support _ICMP.
>>
>> I thought raw in this case was SOCK_RAW as in the socket type.
>>
>> Since the display is showing sockets in addition to IPPROTO_RAW:
>>
>> $ ss -A raw
>> State  Recv-Q Send-QLocal Address:Port 
>> Peer Address:Port
>> UNCONN 0  0*%eth0:icmp   
>>  *:*
>>
>> It is going to be confusing if only ipproto-255 sockets can be killed.
> 
> OK, gimme some time to implement it. Hopefully on the weekend or monday.
> Thanks a huge for feedback!
> 

It may well be a ss bug / problem. As I mentioned I am always seeing 255 for 
the protocol which is odd since ss does a dump and takes the matches and 
invokes the kill. Thanks for taking the time to do the kill piece.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Fri, Sep 16, 2016 at 01:47:57PM -0600, David Ahern wrote:
> >>
> >> I'm guessing you passed IPPROTO_RAW (255) as the protocol to socket(). If 
> >> you pass something
> >> else (IPPROTO_ICMP for example) it won't work.
> > 
> > True. To support IPPROTO_ICMP it need enhancement. I thought start with
> > plain _RAW first and then extend to support _ICMP.
> 
> I thought raw in this case was SOCK_RAW as in the socket type.
> 
> Since the display is showing sockets in addition to IPPROTO_RAW:
> 
> $ ss -A raw
> State  Recv-Q Send-QLocal Address:Port 
> Peer Address:Port
> UNCONN 0  0*%eth0:icmp
> *:*
> 
> It is going to be confusing if only ipproto-255 sockets can be killed.

OK, gimme some time to implement it. Hopefully on the weekend or monday.
Thanks a huge for feedback!

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/16/16 1:39 PM, Cyrill Gorcunov wrote:
> On Fri, Sep 16, 2016 at 01:30:28PM -0600, David Ahern wrote:
>>> [root@pcs7 iproute2]# misc/ss -A raw
>>> State  Recv-Q Send-QLocal Address:Port  
>>>Peer Address:Port
>>> 
>>> ESTAB  0  0 
>>> 127.0.0.1:ipproto-255
>>> 127.0.0.10:ipproto-9090 
>>> UNCONN 0  0
>>> 127.0.0.10:ipproto-255 
>>> *:*
>>> UNCONN 0  0
>>> :::ipv6-icmp  :::*  
>>>   
>>> UNCONN 0  0
>>> :::ipv6-icmp  :::*  
>>>   
>>> ESTAB  0  0   
>>> ::1:ipproto-255   
>>> ::1:ipproto-9091 
>>>
>>> so it get zapped out. Is there some other way to test it?
>>>
>>
>> I'm guessing you passed IPPROTO_RAW (255) as the protocol to socket(). If 
>> you pass something
>> else (IPPROTO_ICMP for example) it won't work.
> 
> True. To support IPPROTO_ICMP it need enhancement. I thought start with
> plain _RAW first and then extend to support _ICMP.

I thought raw in this case was SOCK_RAW as in the socket type.

Since the display is showing sockets in addition to IPPROTO_RAW:

$ ss -A raw
State  Recv-Q Send-QLocal Address:Port Peer 
Address:Port
UNCONN 0  0*%eth0:icmp  
  *:*

It is going to be confusing if only ipproto-255 sockets can be killed.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Fri, Sep 16, 2016 at 01:30:28PM -0600, David Ahern wrote:
> > [root@pcs7 iproute2]# misc/ss -A raw
> > State  Recv-Q Send-QLocal Address:Port  
> >Peer Address:Port
> > 
> > ESTAB  0  0 
> > 127.0.0.1:ipproto-255
> > 127.0.0.10:ipproto-9090 
> > UNCONN 0  0
> > 127.0.0.10:ipproto-255 
> > *:*
> > UNCONN 0  0
> > :::ipv6-icmp  :::*  
> >   
> > UNCONN 0  0
> > :::ipv6-icmp  :::*  
> >   
> > ESTAB  0  0   
> > ::1:ipproto-255   
> > ::1:ipproto-9091 
> > 
> > so it get zapped out. Is there some other way to test it?
> > 
> 
> I'm guessing you passed IPPROTO_RAW (255) as the protocol to socket(). If you 
> pass something
> else (IPPROTO_ICMP for example) it won't work.

True. To support IPPROTO_ICMP it need enhancement. I thought start with
plain _RAW first and then extend to support _ICMP.

Cyrill

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/16/16 1:00 PM, Cyrill Gorcunov wrote:
> I created veth pair and bound raw socket into it.
> 
> [root@pcs7 iproute2]# misc/ss -A raw
> State  Recv-Q Send-QLocal Address:Port
>  Peer Address:Port
> ESTAB  0  0 
> 127.0.0.1:ipproto-255
> 127.0.0.10:ipproto-9090 
> UNCONN 0  0
> 127.0.0.10:ipproto-255 
> *:*
> UNCONN 0  0
> :::ipv6-icmp  :::*
> 
> UNCONN 0  0
> :::ipv6-icmp  :::*
> 
> ESTAB  0  0   
> ::1:ipproto-255   
> ::1:ipproto-9091 
> UNCONN 0  0   
> ::1%vm1:ipproto-255:::*   
>  
> [root@pcs7 iproute2]# 
> 
> [root@pcs7 iproute2]# misc/ss -aKw 'dev == vm1'
> State  Recv-Q Send-QLocal Address:Port
>  Peer Address:Port
> UNCONN 0  0   
> ::1%vm1:ipproto-255:::*   
>  
> 
> [root@pcs7 iproute2]# misc/ss -A raw
> State  Recv-Q Send-QLocal Address:Port
>  Peer Address:Port
> ESTAB  0  0 
> 127.0.0.1:ipproto-255
> 127.0.0.10:ipproto-9090 
> UNCONN 0  0
> 127.0.0.10:ipproto-255 
> *:*
> UNCONN 0  0
> :::ipv6-icmp  :::*
> 
> UNCONN 0  0
> :::ipv6-icmp  :::*
> 
> ESTAB  0  0   
> ::1:ipproto-255   
> ::1:ipproto-9091 
> 
> so it get zapped out. Is there some other way to test it?
> 

I'm guessing you passed IPPROTO_RAW (255) as the protocol to socket(). If you 
pass something else (IPPROTO_ICMP for example) it won't work.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Fri, Sep 16, 2016 at 10:06:23AM +0300, Cyrill Gorcunov wrote:
> On Thu, Sep 15, 2016 at 05:45:02PM -0600, David Ahern wrote:
> > > 
> > > Try to be selective in the -K , do not kill tcp sockets ?
> > 
> > I am running
> >ss -aKw 'dev == red'
> > 
> > to kill raw sockets bound to device named 'red'.
> 
> Thanks David, Eric! I'll play with this option today and report the results.

I created veth pair and bound raw socket into it.

[root@pcs7 iproute2]# misc/ss -A raw
State  Recv-Q Send-QLocal Address:Port  
   Peer Address:Port
ESTAB  0  0 
127.0.0.1:ipproto-255
127.0.0.10:ipproto-9090 
UNCONN 0  0
127.0.0.10:ipproto-255 *:*  
  
UNCONN 0  0:::ipv6-icmp 
 :::*
UNCONN 0  0:::ipv6-icmp 
 :::*
ESTAB  0  0   
::1:ipproto-255   
::1:ipproto-9091 
UNCONN 0  0   
::1%vm1:ipproto-255:::* 
   
[root@pcs7 iproute2]# 

[root@pcs7 iproute2]# misc/ss -aKw 'dev == vm1'
State  Recv-Q Send-QLocal Address:Port  
   Peer Address:Port
UNCONN 0  0   
::1%vm1:ipproto-255:::* 
   

[root@pcs7 iproute2]# misc/ss -A raw
State  Recv-Q Send-QLocal Address:Port  
   Peer Address:Port
ESTAB  0  0 
127.0.0.1:ipproto-255
127.0.0.10:ipproto-9090 
UNCONN 0  0
127.0.0.10:ipproto-255 *:*  
  
UNCONN 0  0:::ipv6-icmp 
 :::*
UNCONN 0  0:::ipv6-icmp 
 :::*
ESTAB  0  0   
::1:ipproto-255   
::1:ipproto-9091 

so it get zapped out. Is there some other way to test it?

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Thu, Sep 15, 2016 at 05:45:02PM -0600, David Ahern wrote:
> > 
> > Try to be selective in the -K , do not kill tcp sockets ?
> 
> I am running
>ss -aKw 'dev == red'
> 
> to kill raw sockets bound to device named 'red'.

Thanks David, Eric! I'll play with this option today and report the results.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/15/16 4:48 PM, Eric Dumazet wrote:
> On Fri, 2016-09-16 at 00:01 +0300, Cyrill Gorcunov wrote:
> 
>> Here I get kicked off the server. Login back
>>
>> [cyrill@uranus ~] ssh root@pcs7 
>> Last login: Thu Sep 15 23:20:42 2016 from gateway
>> [root@pcs7 ~]# cd /home/iproute2/
>> [root@pcs7 iproute2]# misc/ss -A raw
>> State  Recv-Q Send-QLocal Address:Port   
>>   Peer Address:Port  
>>   
>> UNCONN 0  0
>> :::ipv6-icmp  :::*   
>>  
>> UNCONN 0  0
>> :::ipv6-icmp  :::*   
>>  
>>
>> Maybe I do something wrong for testing?
> 
> If you kill your shell, maybe /root/sock is killer as well, thus its raw
> sockets are closed.
> 
> Try to be selective in the -K , do not kill tcp sockets ?
> 
> 

I am running
   ss -aKw 'dev == red'

to kill raw sockets bound to device named 'red'.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Eric Dumazet]

On Fri, 2016-09-16 at 00:01 +0300, Cyrill Gorcunov wrote:

> Here I get kicked off the server. Login back
> 
> [cyrill@uranus ~] ssh root@pcs7 
> Last login: Thu Sep 15 23:20:42 2016 from gateway
> [root@pcs7 ~]# cd /home/iproute2/
> [root@pcs7 iproute2]# misc/ss -A raw
> State  Recv-Q Send-QLocal Address:Port
>  Peer Address:Port
> UNCONN 0  0
> :::ipv6-icmp  :::*
> 
> UNCONN 0  0
> :::ipv6-icmp  :::*
> 
> 
> Maybe I do something wrong for testing?

If you kill your shell, maybe /root/sock is killer as well, thus its raw
sockets are closed.

Try to be selective in the -K , do not kill tcp sockets ?

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Thu, Sep 15, 2016 at 02:54:57PM -0600, David Ahern wrote:
> On 9/15/16 2:22 PM, Cyrill Gorcunov wrote:
> >> ss -K is not working. Socket lookup fails to find a match due to a 
> >> protocol mismatch.
> >>
> >> haven't had time to track down why there is a mismatch since the kill uses 
> >> the socket returned
> >> from the dump. Won't have time to come back to this until early next week.
> > 
> > Have you ran iproute2 patched? I just ran ss -K and all sockets get closed
> > (including raw ones), which actually kicked me off the testing machine sshd 
> > :/
> > 
> 
> 
> This is the patch I applied to iproute2; the change in your goo.gl link plus 
> a debug to confirm the kill action is initiated by ss:
> 
> diff --git a/misc/ss.c b/misc/ss.c
> index 3b268d999426..4d98411738ea 100644
> --- a/misc/ss.c
> +++ b/misc/ss.c
> @@ -2334,6 +2334,10 @@ static int show_one_inet_sock(const struct sockaddr_nl 
> *addr,
> if (diag_arg->f->f && run_ssfilter(diag_arg->f->f, ) == 0)
> return 0;
> 
> +   if (diag_arg->f->kill) {
> +printf("want to kill:\n");
> +   err = inet_show_sock(h, , diag_arg->protocol);
> +   }
> if (diag_arg->f->kill && kill_inet_sock(h, arg) != 0) {
> if (errno == EOPNOTSUPP || errno == ENOENT) {
> /* Socket can't be closed, or is already closed. */
> @@ -2631,6 +2635,10 @@ static int raw_show(struct filter *f)
> 
> dg_proto = RAW_PROTO;
> 
> +if (!getenv("PROC_NET_RAW") && !getenv("PROC_ROOT") &&
> +inet_show_netlink(f, NULL, IPPROTO_RAW) == 0)
> +return 0;
> +
> if (f->families&(1< if ((fp = net_raw_open()) == NULL)
> goto outerr;
> 

Hmm. Weird. I'm running net-next kernel
---
[root@pcs7 ~]# /root/sock &
[1] 5108

This is a trivial program which opens raw sockets 

[root@pcs7 iproute2]# misc/ss -A raw
State  Recv-Q Send-QLocal Address:Port  
   Peer Address:Port
ESTAB  0  0 
127.0.0.1:ipproto-255
127.0.0.10:ipproto-9090 
UNCONN 0  0
127.0.0.10:ipproto-255 *:*  
  
UNCONN 0  0:::ipv6-icmp 
 :::*
UNCONN 0  0:::ipv6-icmp 
 :::*
ESTAB  0  0   
::1:ipproto-255   
::1:ipproto-9091 
UNCONN 0  0   
::1:ipproto-255:::* 
   
[root@pcs7 iproute2]# 

[root@pcs7 iproute2]# misc/ss -K
Netid  State  Recv-Q Send-Q Local Address:Port  
Peer Address:Port
u_str  ESTAB  0  0/var/run/dbus/system_bus_socket 18071 
   * 16297
u_str  ESTAB  0  0/run/systemd/journal/stdout 18756 
   * 16188
u_str  ESTAB  0  0/run/systemd/journal/stdout 23014 
   * 23013
u_str  ESTAB  0  0  * 18909 
   * 16298
u_str  ESTAB  0  0/var/run/dbus/system_bus_socket 19154 
   * 18163
...
???ESTAB  0  0  
127.0.0.1:ipproto-255 
127.0.0.10:ipproto-9090 
???UNCONN 0  0 
127.0.0.10:ipproto-255  *:* 
   
???ESTAB  0  0
::1:ipproto-255::1:ipproto-9091 

???UNCONN 0  0
::1:ipproto-255 :::*
---

Here I get kicked off the server. Login back

[cyrill@uranus ~] ssh root@pcs7 
Last login: Thu Sep 15 23:20:42 2016 from gateway
[root@pcs7 ~]# cd /home/iproute2/
[root@pcs7 iproute2]# misc/ss -A raw
State  Recv-Q Send-QLocal Address:Port  
   

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/15/16 2:22 PM, Cyrill Gorcunov wrote:
>> ss -K is not working. Socket lookup fails to find a match due to a protocol 
>> mismatch.
>>
>> haven't had time to track down why there is a mismatch since the kill uses 
>> the socket returned
>> from the dump. Won't have time to come back to this until early next week.
> 
> Have you ran iproute2 patched? I just ran ss -K and all sockets get closed
> (including raw ones), which actually kicked me off the testing machine sshd :/
> 


This is the patch I applied to iproute2; the change in your goo.gl link plus a 
debug to confirm the kill action is initiated by ss:

diff --git a/misc/ss.c b/misc/ss.c
index 3b268d999426..4d98411738ea 100644
--- a/misc/ss.c
+++ b/misc/ss.c
@@ -2334,6 +2334,10 @@ static int show_one_inet_sock(const struct sockaddr_nl 
*addr,
if (diag_arg->f->f && run_ssfilter(diag_arg->f->f, ) == 0)
return 0;

+   if (diag_arg->f->kill) {
+printf("want to kill:\n");
+   err = inet_show_sock(h, , diag_arg->protocol);
+   }
if (diag_arg->f->kill && kill_inet_sock(h, arg) != 0) {
if (errno == EOPNOTSUPP || errno == ENOENT) {
/* Socket can't be closed, or is already closed. */
@@ -2631,6 +2635,10 @@ static int raw_show(struct filter *f)

dg_proto = RAW_PROTO;

+if (!getenv("PROC_NET_RAW") && !getenv("PROC_ROOT") &&
+inet_show_netlink(f, NULL, IPPROTO_RAW) == 0)
+return 0;
+
if (f->families&(1<

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/15/16 2:36 PM, Eric Dumazet wrote:
> On Thu, 2016-09-15 at 14:25 -0600, David Ahern wrote:
>> On 9/15/16 2:22 PM, Cyrill Gorcunov wrote:
 ss -K is not working. Socket lookup fails to find a match due to a 
 protocol mismatch.

 haven't had time to track down why there is a mismatch since the kill uses 
 the socket returned
 from the dump. Won't have time to come back to this until early next week.
>>>
>>> Have you ran iproute2 patched? I just ran ss -K and all sockets get closed
>>> (including raw ones), which actually kicked me off the testing machine sshd 
>>> :/
>>
>> yes.
>>
> 
> And CONFIG_INET_DIAG_DESTROY is also set in your .config ?
yes

dsa@kenny:~/kernel.git$ grep INET_DIAG_DESTROY kbuild/perf/.config
CONFIG_INET_DIAG_DESTROY=y

raw_diag_destroy is getting called, but protocol is 255:

diff --git a/net/ipv4/raw_diag.c b/net/ipv4/raw_diag.c
index c730e14618ab..95542b3dad76 100644
--- a/net/ipv4/raw_diag.c
+++ b/net/ipv4/raw_diag.c
@@ -192,6 +192,11 @@ static int raw_diag_destroy(struct sk_buff *in_skb,
struct sock *sk;

sk = raw_sock_get(net, r);
+
+if (r->sdiag_family == AF_INET)
+pr_warn("raw_diag_destroy: family IPv4 protocol %d dst %pI4 src %pI4 dev %d sk 
%p\n",
+r->sdiag_protocol, >id.idiag_dst[0], >id.idiag_src[0], 
r->id.idiag_if, sk);
+
if (IS_ERR(sk))
return PTR_ERR(sk);
return sock_diag_destroy(sk, ECONNABORTED);



so it never finds a match to an actual raw socket:

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 03618ed03532..6d0489629e74 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -124,9 +124,14 @@ EXPORT_SYMBOL_GPL(raw_unhash_sk);
 struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
unsigned short num, __be32 raddr, __be32 laddr, int dif)
 {
+pr_warn("num %d raddr %pI4 laddr %pI4 dif %d\n", num, , , dif);
+
sk_for_each_from(sk) {
struct inet_sock *inet = inet_sk(sk);

+pr_warn("sk: num %d raddr %pI4 laddr %pI4 dif %d\n",
+   inet->inet_num, >inet_daddr, 
>inet_rcv_saddr,sk->sk_bound_dev_if);
+
if (net_eq(sock_net(sk), net) && inet->inet_num == num  &&
!(inet->inet_daddr && inet->inet_daddr != raddr)&&
!(inet->inet_rcv_saddr && inet->inet_rcv_saddr != laddr) &&

so raw_abort is not called.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Eric Dumazet]

On Thu, 2016-09-15 at 14:25 -0600, David Ahern wrote:
> On 9/15/16 2:22 PM, Cyrill Gorcunov wrote:
> >> ss -K is not working. Socket lookup fails to find a match due to a 
> >> protocol mismatch.
> >>
> >> haven't had time to track down why there is a mismatch since the kill uses 
> >> the socket returned
> >> from the dump. Won't have time to come back to this until early next week.
> > 
> > Have you ran iproute2 patched? I just ran ss -K and all sockets get closed
> > (including raw ones), which actually kicked me off the testing machine sshd 
> > :/
> 
> yes.
> 

And CONFIG_INET_DIAG_DESTROY is also set in your .config ?

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/15/16 2:22 PM, Cyrill Gorcunov wrote:
>> ss -K is not working. Socket lookup fails to find a match due to a protocol 
>> mismatch.
>>
>> haven't had time to track down why there is a mismatch since the kill uses 
>> the socket returned
>> from the dump. Won't have time to come back to this until early next week.
> 
> Have you ran iproute2 patched? I just ran ss -K and all sockets get closed
> (including raw ones), which actually kicked me off the testing machine sshd :/

yes.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Thu, Sep 15, 2016 at 01:53:13PM -0600, David Ahern wrote:
> On 9/13/16 11:19 AM, Cyrill Gorcunov wrote:
> > In criu we are actively using diag interface to collect sockets
> > present in the system when dumping applications. And while for
> > unix, tcp, udp[lite], packet, netlink it works as expected,
> > the raw sockets do not have. Thus add it.
> > 
> > v2:
> >  - add missing sock_put calls in raw_diag_dump_one (by eric.dumazet@)
> >  - implement @destroy for diag requests (by dsa@)
> > 
> > v3:
> >  - add export of raw_abort for IPv6 (by dsa@)
> >  - pass net-admin flag into inet_sk_diag_fill due to
> >changes in net-next branch (by dsa@)
> > 
> > CC: David S. Miller 
> > CC: Eric Dumazet 
> > CC: David Ahern 
> > CC: Alexey Kuznetsov 
> > CC: James Morris 
> > CC: Hideaki YOSHIFUJI 
> > CC: Patrick McHardy 
> > CC: Andrey Vagin 
> > CC: Stephen Hemminger 
> > Signed-off-by: Cyrill Gorcunov 
> > ---
> 
> ss -K is not working. Socket lookup fails to find a match due to a protocol 
> mismatch.
> 
> haven't had time to track down why there is a mismatch since the kill uses 
> the socket returned
> from the dump. Won't have time to come back to this until early next week.

Have you ran iproute2 patched? I just ran ss -K and all sockets get closed
(including raw ones), which actually kicked me off the testing machine sshd :/

Cyrill

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Ahern]

On 9/13/16 11:19 AM, Cyrill Gorcunov wrote:
> In criu we are actively using diag interface to collect sockets
> present in the system when dumping applications. And while for
> unix, tcp, udp[lite], packet, netlink it works as expected,
> the raw sockets do not have. Thus add it.
> 
> v2:
>  - add missing sock_put calls in raw_diag_dump_one (by eric.dumazet@)
>  - implement @destroy for diag requests (by dsa@)
> 
> v3:
>  - add export of raw_abort for IPv6 (by dsa@)
>  - pass net-admin flag into inet_sk_diag_fill due to
>changes in net-next branch (by dsa@)
> 
> CC: David S. Miller 
> CC: Eric Dumazet 
> CC: David Ahern 
> CC: Alexey Kuznetsov 
> CC: James Morris 
> CC: Hideaki YOSHIFUJI 
> CC: Patrick McHardy 
> CC: Andrey Vagin 
> CC: Stephen Hemminger 
> Signed-off-by: Cyrill Gorcunov 
> ---

ss -K is not working. Socket lookup fails to find a match due to a protocol 
mismatch.

haven't had time to track down why there is a mismatch since the kill uses the 
socket returned from the dump. Won't have time to come back to this until early 
next week.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Greg]

On Tue, 2016-09-13 at 20:18 +, Rustad, Mark D wrote:
> Greg  wrote:
> 
> > Someday Linux will be a modern OS that just includes IPV6 and forces a
> > config option to NOT have it.
> >
> > That'll be great.  All the IS_ENABLED_(CONFIG_IPV6) scattered everywhere
> > is nuts.
> >
> > 
> 
> Better wait until everyone at least *has* IPv6! I have yet to have IPv6  
> deployed on any of my employer's networks or get IPv6 service from any ISP  
> at my home. When I was at Apple in the 90's I was told that Apple needed  
> IPv6 by next year or "we were dead". Well Apple nearly died, but IPv6 had  
> nothing to do with that! And I still haven't experienced an IPv6  
> deployment! Yeah, I have run it a bit point-to-point to resolve technical  
> issues, but that isn't a "deployment" and not very interesting.
> 
> As much as we would like things to move faster, much of the world just  
> doesn't. Witness the e1000 discussion today for example. Hardware doesn't  
> vanish overnight, and I know that my ISP has a network full of CPE that  
> doesn't do IPv6, so I'm not expecting their status to change any time soon.

Well that's why we can have a configuration to turn it off...

But yeah.  /pipedream

- Greg

> 
> It would be great though.
> 
> 
> --
> Mark Rustad, Networking Division, Intel Corporation

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Rustad, Mark D]

Greg  wrote:


Someday Linux will be a modern OS that just includes IPV6 and forces a
config option to NOT have it.

That'll be great.  All the IS_ENABLED_(CONFIG_IPV6) scattered everywhere
is nuts.




Better wait until everyone at least *has* IPv6! I have yet to have IPv6  
deployed on any of my employer's networks or get IPv6 service from any ISP  
at my home. When I was at Apple in the 90's I was told that Apple needed  
IPv6 by next year or "we were dead". Well Apple nearly died, but IPv6 had  
nothing to do with that! And I still haven't experienced an IPv6  
deployment! Yeah, I have run it a bit point-to-point to resolve technical  
issues, but that isn't a "deployment" and not very interesting.


As much as we would like things to move faster, much of the world just  
doesn't. Witness the e1000 discussion today for example. Hardware doesn't  
vanish overnight, and I know that my ISP has a network full of CPE that  
doesn't do IPv6, so I'm not expecting their status to change any time soon.


It would be great though.


--
Mark Rustad, Networking Division, Intel Corporation


signature.asc
Description: Message signed with OpenPGP using GPGMail

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Greg]

On Tue, 2016-09-13 at 20:19 +0300, Cyrill Gorcunov wrote:
> In criu we are actively using diag interface to collect sockets
> present in the system when dumping applications. And while for
> unix, tcp, udp[lite], packet, netlink it works as expected,
> the raw sockets do not have. Thus add it.
> 
> v2:
>  - add missing sock_put calls in raw_diag_dump_one (by eric.dumazet@)
>  - implement @destroy for diag requests (by dsa@)
> 
> v3:
>  - add export of raw_abort for IPv6 (by dsa@)
>  - pass net-admin flag into inet_sk_diag_fill due to
>changes in net-next branch (by dsa@)
> 
> CC: David S. Miller 
> CC: Eric Dumazet 
> CC: David Ahern 
> CC: Alexey Kuznetsov 
> CC: James Morris 
> CC: Hideaki YOSHIFUJI 
> CC: Patrick McHardy 
> CC: Andrey Vagin 
> CC: Stephen Hemminger 
> Signed-off-by: Cyrill Gorcunov 
> ---
> 
>  include/net/raw.h   |6 +
>  include/net/rawv6.h |7 +
>  net/ipv4/Kconfig|8 +
>  net/ipv4/Makefile   |1 
>  net/ipv4/raw.c  |   21 
>  net/ipv4/raw_diag.c |  226 
> 
>  net/ipv6/raw.c  |7 +
>  7 files changed, 272 insertions(+), 4 deletions(-)
> 
> Index: linux-ml.git/include/net/raw.h
> ===
> --- linux-ml.git.orig/include/net/raw.h
> +++ linux-ml.git/include/net/raw.h
> @@ -23,6 +23,12 @@
>  
>  extern struct proto raw_prot;
>  
> +extern struct raw_hashinfo raw_v4_hashinfo;
> +struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
> +  unsigned short num, __be32 raddr,
> +  __be32 laddr, int dif);
> +
> +int raw_abort(struct sock *sk, int err);
>  void raw_icmp_error(struct sk_buff *, int, u32);
>  int raw_local_deliver(struct sk_buff *, int);
>  
> Index: linux-ml.git/include/net/rawv6.h
> ===
> --- linux-ml.git.orig/include/net/rawv6.h
> +++ linux-ml.git/include/net/rawv6.h
> @@ -3,6 +3,13 @@
>  
>  #include 
>  
> +extern struct raw_hashinfo raw_v6_hashinfo;
> +struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
> +  unsigned short num, const struct in6_addr 
> *loc_addr,
> +  const struct in6_addr *rmt_addr, int dif);
> +
> +int raw_abort(struct sock *sk, int err);
> +
>  void raw6_icmp_error(struct sk_buff *, int nexthdr,
>   u8 type, u8 code, int inner_offset, __be32);
>  bool raw6_local_deliver(struct sk_buff *, int);
> Index: linux-ml.git/net/ipv4/Kconfig
> ===
> --- linux-ml.git.orig/net/ipv4/Kconfig
> +++ linux-ml.git/net/ipv4/Kconfig
> @@ -430,6 +430,14 @@ config INET_UDP_DIAG
> Support for UDP socket monitoring interface used by the ss tool.
> If unsure, say Y.
>  
> +config INET_RAW_DIAG
> + tristate "RAW: socket monitoring interface"
> + depends on INET_DIAG && (IPV6 || IPV6=n)
> + default n
> + ---help---
> +   Support for RAW socket monitoring interface used by the ss tool.
> +   If unsure, say Y.
> +
>  config INET_DIAG_DESTROY
>   bool "INET: allow privileged process to administratively close sockets"
>   depends on INET_DIAG
> Index: linux-ml.git/net/ipv4/Makefile
> ===
> --- linux-ml.git.orig/net/ipv4/Makefile
> +++ linux-ml.git/net/ipv4/Makefile
> @@ -40,6 +40,7 @@ obj-$(CONFIG_NETFILTER) += netfilter.o n
>  obj-$(CONFIG_INET_DIAG) += inet_diag.o 
>  obj-$(CONFIG_INET_TCP_DIAG) += tcp_diag.o
>  obj-$(CONFIG_INET_UDP_DIAG) += udp_diag.o
> +obj-$(CONFIG_INET_RAW_DIAG) += raw_diag.o
>  obj-$(CONFIG_NET_TCPPROBE) += tcp_probe.o
>  obj-$(CONFIG_TCP_CONG_BIC) += tcp_bic.o
>  obj-$(CONFIG_TCP_CONG_CDG) += tcp_cdg.o
> Index: linux-ml.git/net/ipv4/raw.c
> ===
> --- linux-ml.git.orig/net/ipv4/raw.c
> +++ linux-ml.git/net/ipv4/raw.c
> @@ -89,9 +89,10 @@ struct raw_frag_vec {
>   int hlen;
>  };
>  
> -static struct raw_hashinfo raw_v4_hashinfo = {
> +struct raw_hashinfo raw_v4_hashinfo = {
>   .lock = __RW_LOCK_UNLOCKED(raw_v4_hashinfo.lock),
>  };
> +EXPORT_SYMBOL_GPL(raw_v4_hashinfo);
>  
>  int raw_hash_sk(struct sock *sk)
>  {
> @@ -120,7 +121,7 @@ void raw_unhash_sk(struct sock *sk)
>  }
>  EXPORT_SYMBOL_GPL(raw_unhash_sk);
>  
> -static struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
> +struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
>   unsigned short num, __be32 raddr, __be32 laddr, int dif)
>  {
>   sk_for_each_from(sk) {
> @@ -136,6 +137,7 @@ static struct sock *__raw_v4_lookup(stru
>  found:
>   return sk;
>  }
> 

[PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

In criu we are actively using diag interface to collect sockets
present in the system when dumping applications. And while for
unix, tcp, udp[lite], packet, netlink it works as expected,
the raw sockets do not have. Thus add it.

v2:
 - add missing sock_put calls in raw_diag_dump_one (by eric.dumazet@)
 - implement @destroy for diag requests (by dsa@)

v3:
 - add export of raw_abort for IPv6 (by dsa@)
 - pass net-admin flag into inet_sk_diag_fill due to
   changes in net-next branch (by dsa@)

CC: David S. Miller 
CC: Eric Dumazet 
CC: David Ahern 
CC: Alexey Kuznetsov 
CC: James Morris 
CC: Hideaki YOSHIFUJI 
CC: Patrick McHardy 
CC: Andrey Vagin 
CC: Stephen Hemminger 
Signed-off-by: Cyrill Gorcunov 
---

 include/net/raw.h   |6 +
 include/net/rawv6.h |7 +
 net/ipv4/Kconfig|8 +
 net/ipv4/Makefile   |1 
 net/ipv4/raw.c  |   21 
 net/ipv4/raw_diag.c |  226 
 net/ipv6/raw.c  |7 +
 7 files changed, 272 insertions(+), 4 deletions(-)

Index: linux-ml.git/include/net/raw.h
===
--- linux-ml.git.orig/include/net/raw.h
+++ linux-ml.git/include/net/raw.h
@@ -23,6 +23,12 @@
 
 extern struct proto raw_prot;
 
+extern struct raw_hashinfo raw_v4_hashinfo;
+struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
+unsigned short num, __be32 raddr,
+__be32 laddr, int dif);
+
+int raw_abort(struct sock *sk, int err);
 void raw_icmp_error(struct sk_buff *, int, u32);
 int raw_local_deliver(struct sk_buff *, int);
 
Index: linux-ml.git/include/net/rawv6.h
===
--- linux-ml.git.orig/include/net/rawv6.h
+++ linux-ml.git/include/net/rawv6.h
@@ -3,6 +3,13 @@
 
 #include 
 
+extern struct raw_hashinfo raw_v6_hashinfo;
+struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
+unsigned short num, const struct in6_addr 
*loc_addr,
+const struct in6_addr *rmt_addr, int dif);
+
+int raw_abort(struct sock *sk, int err);
+
 void raw6_icmp_error(struct sk_buff *, int nexthdr,
u8 type, u8 code, int inner_offset, __be32);
 bool raw6_local_deliver(struct sk_buff *, int);
Index: linux-ml.git/net/ipv4/Kconfig
===
--- linux-ml.git.orig/net/ipv4/Kconfig
+++ linux-ml.git/net/ipv4/Kconfig
@@ -430,6 +430,14 @@ config INET_UDP_DIAG
  Support for UDP socket monitoring interface used by the ss tool.
  If unsure, say Y.
 
+config INET_RAW_DIAG
+   tristate "RAW: socket monitoring interface"
+   depends on INET_DIAG && (IPV6 || IPV6=n)
+   default n
+   ---help---
+ Support for RAW socket monitoring interface used by the ss tool.
+ If unsure, say Y.
+
 config INET_DIAG_DESTROY
bool "INET: allow privileged process to administratively close sockets"
depends on INET_DIAG
Index: linux-ml.git/net/ipv4/Makefile
===
--- linux-ml.git.orig/net/ipv4/Makefile
+++ linux-ml.git/net/ipv4/Makefile
@@ -40,6 +40,7 @@ obj-$(CONFIG_NETFILTER)   += netfilter.o n
 obj-$(CONFIG_INET_DIAG) += inet_diag.o 
 obj-$(CONFIG_INET_TCP_DIAG) += tcp_diag.o
 obj-$(CONFIG_INET_UDP_DIAG) += udp_diag.o
+obj-$(CONFIG_INET_RAW_DIAG) += raw_diag.o
 obj-$(CONFIG_NET_TCPPROBE) += tcp_probe.o
 obj-$(CONFIG_TCP_CONG_BIC) += tcp_bic.o
 obj-$(CONFIG_TCP_CONG_CDG) += tcp_cdg.o
Index: linux-ml.git/net/ipv4/raw.c
===
--- linux-ml.git.orig/net/ipv4/raw.c
+++ linux-ml.git/net/ipv4/raw.c
@@ -89,9 +89,10 @@ struct raw_frag_vec {
int hlen;
 };
 
-static struct raw_hashinfo raw_v4_hashinfo = {
+struct raw_hashinfo raw_v4_hashinfo = {
.lock = __RW_LOCK_UNLOCKED(raw_v4_hashinfo.lock),
 };
+EXPORT_SYMBOL_GPL(raw_v4_hashinfo);
 
 int raw_hash_sk(struct sock *sk)
 {
@@ -120,7 +121,7 @@ void raw_unhash_sk(struct sock *sk)
 }
 EXPORT_SYMBOL_GPL(raw_unhash_sk);
 
-static struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
+struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
unsigned short num, __be32 raddr, __be32 laddr, int dif)
 {
sk_for_each_from(sk) {
@@ -136,6 +137,7 @@ static struct sock *__raw_v4_lookup(stru
 found:
return sk;
 }
+EXPORT_SYMBOL_GPL(__raw_v4_lookup);
 
 /*
  * 0 - deliver
@@ -918,6 +920,20 @@ static int compat_raw_ioctl(struct sock
 }
 #endif
 
+int raw_abort(struct sock *sk, int err)
+{
+   lock_sock(sk);
+
+   sk->sk_err = err;
+   sk->sk_error_report(sk);
+   

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Tue, Sep 13, 2016 at 11:57:35AM -0400, David Miller wrote:
> > 
> > Thanks for review, David. I updated against net-next.
> 
> Please do not post new versions of patches as replies to existing
> discussions.
> 
> Instead, make fresh patch postings to the list.

Oh, will do. Sorry for inconvenience.

Re: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[David Miller]

From: Cyrill Gorcunov 
Date: Sun, 11 Sep 2016 22:17:15 +0300

> On Sat, Sep 10, 2016 at 04:28:40PM -0600, David Ahern wrote:
>> On 9/10/16 4:05 PM, Cyrill Gorcunov wrote:
>> > On Sat, Sep 10, 2016 at 10:31:35AM -0600, David Ahern wrote:
>> >>
>> >> Would you mind adding the destroy capability as well? The udp version
>> >> should be close to what is needed for raw sockets. See udp_diag_destroy
>> >> and udp_abort.
>> > 
>> > Should be something like below. Didn't tested it yet so for review only.
>> > Will do testing at Monday.
>> 
>> doesn't compile:
>> - raw_abort needs to be in a header for ipv6, and
>> - inet_sk_diag_fill args have changed due to a recent commit
> 
> Thanks for review, David. I updated against net-next.

Please do not post new versions of patches as replies to existing
discussions.

Instead, make fresh patch postings to the list.

Thanks.

[PATCH v3] net: ip, diag -- Add diag interface for raw sockets

[Cyrill Gorcunov]

On Sat, Sep 10, 2016 at 04:28:40PM -0600, David Ahern wrote:
> On 9/10/16 4:05 PM, Cyrill Gorcunov wrote:
> > On Sat, Sep 10, 2016 at 10:31:35AM -0600, David Ahern wrote:
> >>
> >> Would you mind adding the destroy capability as well? The udp version
> >> should be close to what is needed for raw sockets. See udp_diag_destroy
> >> and udp_abort.
> > 
> > Should be something like below. Didn't tested it yet so for review only.
> > Will do testing at Monday.
> 
> doesn't compile:
> - raw_abort needs to be in a header for ipv6, and
> - inet_sk_diag_fill args have changed due to a recent commit

Thanks for review, David. I updated against net-next.
---
From: Cyrill Gorcunov <gorcu...@openvz.org>
Subject: [PATCH v3] net: ip, diag -- Add diag interface for raw sockets

In criu we are actively using diag interface to collect sockets
present in the system when dumping applications. And while for
unix, tcp, udp[lite], packet, netlink it works as expected,
the raw sockets do not have. Thus add it.

v2:
 - add missing sock_put calls in raw_diag_dump_one (by eric.dumazet@)
 - implement @destroy for diag requests (by dsa@)

v3:
 - add export of raw_abort for IPv6 (by dsa@)
 - pass net-admin flag into inet_sk_diag_fill due to
   changes in net-next branch (by dsa@)

CC: David S. Miller <da...@davemloft.net>
CC: Eric Dumazet <eric.duma...@gmail.com>
CC: David Ahern <d...@cumulusnetworks.com>
CC: Alexey Kuznetsov <kuz...@ms2.inr.ac.ru>
CC: James Morris <jmor...@namei.org>
CC: Hideaki YOSHIFUJI <yoshf...@linux-ipv6.org>
CC: Patrick McHardy <ka...@trash.net>
CC: Andrey Vagin <ava...@openvz.org>
CC: Stephen Hemminger <step...@networkplumber.org>
Signed-off-by: Cyrill Gorcunov <gorcu...@openvz.org>
---

 include/net/raw.h   |5 +
 include/net/rawv6.h |7 +
 net/ipv4/Kconfig|8 +
 net/ipv4/Makefile   |1 
 net/ipv4/raw.c  |   21 
 net/ipv4/raw_diag.c |  226 
 net/ipv6/raw.c  |7 +
 7 files changed, 271 insertions(+), 4 deletions(-)

Index: linux-ml.git/include/net/raw.h
===
--- linux-ml.git.orig/include/net/raw.h
+++ linux-ml.git/include/net/raw.h
@@ -23,6 +23,11 @@
 
 extern struct proto raw_prot;
 
+extern struct raw_hashinfo raw_v4_hashinfo;
+struct sock *__raw_v4_lookup(struct net *net, struct sock *sk,
+unsigned short num, __be32 raddr,
+__be32 laddr, int dif);
+
 void raw_icmp_error(struct sk_buff *, int, u32);
 int raw_local_deliver(struct sk_buff *, int);
 
Index: linux-ml.git/include/net/rawv6.h
===
--- linux-ml.git.orig/include/net/rawv6.h
+++ linux-ml.git/include/net/rawv6.h
@@ -3,6 +3,13 @@
 
 #include 
 
+extern struct raw_hashinfo raw_v6_hashinfo;
+struct sock *__raw_v6_lookup(struct net *net, struct sock *sk,
+unsigned short num, const struct in6_addr 
*loc_addr,
+const struct in6_addr *rmt_addr, int dif);
+
+int raw_abort(struct sock *sk, int err);
+
 void raw6_icmp_error(struct sk_buff *, int nexthdr,
u8 type, u8 code, int inner_offset, __be32);
 bool raw6_local_deliver(struct sk_buff *, int);
Index: linux-ml.git/net/ipv4/Kconfig
===
--- linux-ml.git.orig/net/ipv4/Kconfig
+++ linux-ml.git/net/ipv4/Kconfig
@@ -430,6 +430,14 @@ config INET_UDP_DIAG
  Support for UDP socket monitoring interface used by the ss tool.
  If unsure, say Y.
 
+config INET_RAW_DIAG
+   tristate "RAW: socket monitoring interface"
+   depends on INET_DIAG && (IPV6 || IPV6=n)
+   default n
+   ---help---
+ Support for RAW socket monitoring interface used by the ss tool.
+ If unsure, say Y.
+
 config INET_DIAG_DESTROY
bool "INET: allow privileged process to administratively close sockets"
depends on INET_DIAG
Index: linux-ml.git/net/ipv4/Makefile
===
--- linux-ml.git.orig/net/ipv4/Makefile
+++ linux-ml.git/net/ipv4/Makefile
@@ -40,6 +40,7 @@ obj-$(CONFIG_NETFILTER)   += netfilter.o n
 obj-$(CONFIG_INET_DIAG) += inet_diag.o 
 obj-$(CONFIG_INET_TCP_DIAG) += tcp_diag.o
 obj-$(CONFIG_INET_UDP_DIAG) += udp_diag.o
+obj-$(CONFIG_INET_RAW_DIAG) += raw_diag.o
 obj-$(CONFIG_NET_TCPPROBE) += tcp_probe.o
 obj-$(CONFIG_TCP_CONG_BIC) += tcp_bic.o
 obj-$(CONFIG_TCP_CONG_CDG) += tcp_cdg.o
Index: linux-ml.git/net/ipv4/raw.c
===
--- linux-ml.git.orig/net/ipv4/raw.c
+++ linux-ml.git/net/ipv4/raw.c
@@ -89,9 +89,10 @@ struct raw_frag_vec {
int hlen;
 };
 
-static struct raw_hashinfo raw_v4_hashinfo