From owner-svn-src-head@freebsd.org  Tue Jul 10 10:50:44 2018
Return-Path: <owner-svn-src-head@freebsd.org>
Delivered-To: svn-src-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3D69D103ED71;
 Tue, 10 Jul 2018 10:50:44 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id D94538FE26;
 Tue, 10 Jul 2018 10:50:43 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id BA1C422EF2;
 Tue, 10 Jul 2018 10:50:43 +0000 (UTC)
 (envelope-from tuexen@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id w6AAohft084640;
 Tue, 10 Jul 2018 10:50:43 GMT (envelope-from tuexen@FreeBSD.org)
Received: (from tuexen@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id w6AAohxh084639;
 Tue, 10 Jul 2018 10:50:43 GMT (envelope-from tuexen@FreeBSD.org)
Message-Id: <201807101050.w6AAohxh084639@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: tuexen set sender to
 tuexen@FreeBSD.org using -f
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Tue, 10 Jul 2018 10:50:43 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r336168 - head/sys/netinet
X-SVN-Group: head
X-SVN-Commit-Author: tuexen
X-SVN-Commit-Paths: head/sys/netinet
X-SVN-Commit-Revision: 336168
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2018 10:50:44 -0000

Author: tuexen
Date: Tue Jul 10 10:50:43 2018
New Revision: 336168
URL: https://svnweb.freebsd.org/changeset/base/336168

Log:
  Add support for printing the TCP FO client-side cookie cache via the
  sysctl interface. This is similar to the TCP host cache.
  
  Reviewed by:		pkelsey@, kbowling@
  Sponsored by:		Netflix, Inc.
  Differential Revision:	https://reviews.freebsd.org/D14554

Modified:
  head/sys/netinet/tcp_fastopen.c

Modified: head/sys/netinet/tcp_fastopen.c
==============================================================================
--- head/sys/netinet/tcp_fastopen.c	Tue Jul 10 10:42:48 2018	(r336167)
+++ head/sys/netinet/tcp_fastopen.c	Tue Jul 10 10:50:43 2018	(r336168)
@@ -81,6 +81,9 @@
  *                          (RDTUN, default TCP_FASTOPEN_CCACHE_BUCKETS_DEFAULT)
  *     The number of client cookie cache buckets.
  *
+ * net.inet.tcp.fastopen.ccache_list (RO)
+ *     Print the client cookie cache.
+ *
  * net.inet.tcp.fastopen.client_enable (RW, default 0)
  *     When zero, no new active (i.e., client) TFO connections can be
  *     created.  On the transition from enabled to disabled, the client
@@ -166,11 +169,14 @@ __FBSDID("$FreeBSD$");
 #include "opt_inet.h"
 
 #include <sys/param.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/hash.h>
 #include <sys/limits.h>
 #include <sys/lock.h>
+#include <sys/proc.h>
 #include <sys/rmlock.h>
+#include <sys/sbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
@@ -343,6 +349,12 @@ SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, setpsk,
     &sysctl_net_inet_tcp_fastopen_setpsk, "",
     "Install a new pre-shared key");
 
+static int sysctl_net_inet_tcp_fastopen_ccache_list(SYSCTL_HANDLER_ARGS);
+SYSCTL_PROC(_net_inet_tcp_fastopen, OID_AUTO, ccache_list,
+    CTLFLAG_VNET | CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_SKIP, NULL, 0,
+    sysctl_net_inet_tcp_fastopen_ccache_list, "A",
+    "List of all client cookie cache entries");
+
 static VNET_DEFINE(struct rmlock, tcp_fastopen_keylock);
 #define	V_tcp_fastopen_keylock	VNET(tcp_fastopen_keylock)
 
@@ -1133,5 +1145,81 @@ tcp_fastopen_ccache_entry_drop(struct tcp_fastopen_cca
 	TAILQ_REMOVE(&ccb->ccb_entries, cce, cce_link);
 	ccb->ccb_num_entries--;
 	uma_zfree(V_tcp_fastopen_ccache.zone, cce);
+}
+
+static int
+sysctl_net_inet_tcp_fastopen_ccache_list(SYSCTL_HANDLER_ARGS)
+{
+	struct sbuf sb;
+	struct tcp_fastopen_ccache_bucket *ccb;
+	struct tcp_fastopen_ccache_entry *cce;
+	sbintime_t now, duration, limit;
+	const int linesize = 128;
+	int i, error, num_entries;
+	unsigned int j;
+#ifdef INET6
+	char clt_buf[INET6_ADDRSTRLEN], srv_buf[INET6_ADDRSTRLEN];
+#else
+	char clt_buf[INET_ADDRSTRLEN], srv_buf[INET_ADDRSTRLEN];
+#endif
+
+	if (jailed_without_vnet(curthread->td_ucred) != 0)
+		return (EPERM);
+
+	/* Only allow root to read the client cookie cache */
+	if (curthread->td_ucred->cr_uid != 0)
+		return (EPERM);
+
+	num_entries = 0;
+	for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
+		ccb = &V_tcp_fastopen_ccache.base[i];
+		CCB_LOCK(ccb);
+		if (ccb->ccb_num_entries > 0)
+			num_entries += ccb->ccb_num_entries;
+		CCB_UNLOCK(ccb);
+	}
+	sbuf_new(&sb, NULL, linesize * (num_entries + 1), SBUF_INCLUDENUL);
+
+	sbuf_printf(&sb,
+	            "\nLocal IP address     Remote IP address     Port   MSS"
+	            " Disabled Cookie\n");
+
+	now = getsbinuptime();
+	limit = (sbintime_t)V_tcp_fastopen_path_disable_time << 32;
+	for (i = 0; i < V_tcp_fastopen_ccache.buckets; i++) {
+		ccb = &V_tcp_fastopen_ccache.base[i];
+		CCB_LOCK(ccb);
+		TAILQ_FOREACH(cce, &ccb->ccb_entries, cce_link) {
+			if (cce->disable_time != 0) {
+				duration = now - cce->disable_time;
+				if (limit >= duration)
+					duration = limit - duration;
+				else
+					duration = 0;
+			} else
+				duration = 0;
+			sbuf_printf(&sb,
+			            "%-20s %-20s %5u %5u ",
+			            inet_ntop(cce->af, &cce->cce_client_ip,
+			                clt_buf, sizeof(clt_buf)),
+			            inet_ntop(cce->af, &cce->cce_server_ip,
+			                srv_buf, sizeof(srv_buf)),
+			            ntohs(cce->server_port),
+			            cce->server_mss);
+			if (duration > 0)
+				sbuf_printf(&sb, "%7ds ", sbintime_getsec(duration));
+			else
+				sbuf_printf(&sb, "%8s ", "No");
+			for (j = 0; j < cce->cookie_len; j++)
+				sbuf_printf(&sb, "%02x", cce->cookie[j]);
+			sbuf_putc(&sb, '\n');
+		}
+		CCB_UNLOCK(ccb);
+	}
+	error = sbuf_finish(&sb);
+	if (error == 0)
+		error = SYSCTL_OUT(req, sbuf_data(&sb), sbuf_len(&sb));
+	sbuf_delete(&sb);
+	return (error);
 }