From: ebiederm@xmission.com (Eric W. Biederman)
To: David Ahern <dsa@cumulusnetworks.com>
Cc: netdev@vger.kernel.org, davem@davemloft.net, ast@kernel.org,
	daniel@iogearbox.net, tj@kernel.org, luto@amacapital.net
Subject: Re: [PATCH net v5] bpf: add helper to compare network namespaces
Date: Thu, 16 Feb 2017 16:24:23 +1300	[thread overview]
Message-ID: <877f4q95so.fsf@xmission.com> (raw)
In-Reply-To: <1487208564-4666-1-git-send-email-dsa@cumulusnetworks.com> (David Ahern's message of "Wed, 15 Feb 2017 17:29:24 -0800")

David Ahern <dsa@cumulusnetworks.com> writes:

> In cases where bpf programs are looking at sockets and packets
> that belong to different netns, it could be useful to compare the
> network namespace of the socket or packet
>
> Introduce bpf_sk_netns_cmp and bpf_skb_netns_cmp helpers to compare
> network namespace of the socket or skb to the namespace parameters
> in a program.

The code for bpf_sk_netns_cmp looks good.

I don't feel comfortable with bpf_skb_netns_cmp.  There are two
issues:

  (a) skb->dev is not reliably set and does not have reliable semantics
  in different parts of the network stack.  Making bpf_skb_netns_cmp not
  work reliably for output packets for example.

  (b) Every path that processes a network packet in the network stack
  now has a struct net passed in the function arguments.  Either
  directly or in a function that is passed through.  Making it
  unambiguous and simple to get the struct net.

So I recommend a function bpf_context_cmp.  Which looks at a net passed
into the bpf filter of skbs.  That should be 100% reliable and quite
straightforward to implement today.

Eric
