From: David Ahern <dsahern@gmail.com>
To: Rumen Telbizov <rumen.telbizov@menlosecurity.com>, bpf@vger.kernel.org
Subject: Re: bpf_fib_lookup support for firewall mark
Date: Tue, 8 Jun 2021 19:21:38 -0600 [thread overview]
Message-ID: <3e6ba294-12ca-3a2f-d17c-9588ae221dda@gmail.com> (raw)
In-Reply-To: <CA+FoirDxh7AhApwWVG_19j5RWT1dp23ab1h0P1nTjhhWpRC5Ow@mail.gmail.com>
On 6/8/21 4:59 PM, Rumen Telbizov wrote:
> Dear BPF list,
>
> I am new to eBPF so go easy on me.
> It seems to me that currently eBPF has no support for route table
> lookups including firewall marks. The bpf_fib_lookup structure itself
> has no mark field as per
> https://elixir.bootlin.com/linux/v5.10.28/source/include/uapi/linux/bpf.h#L4864
>
> Additionally bpf_fib_lookup() function does not incorporate the
> firewall mark in its route lookup. It explicitly sets it to 0 as per
> https://elixir.bootlin.com/linux/v5.10.28/source/net/core/filter.c#L5329
> along with other fields which are used during the regular routing
> policy database lookup.
>
> Thus lookups from within eBPF and outside of it result in different
> outcomes if there are rules directing traffic based on fwmark.
> Can you please advise what the rationale for this is or if there
> anything that I might be missing.
>
> Let me know if I can provide any further information.
>
The API (struct bpf_fib_lookup) is constrained to 64B for performance.
It is not possible to support all of the policy routing options that
Linux has in 64B. Choices had to be made.
next prev parent reply other threads:[~2021-06-09 1:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-08 22:59 bpf_fib_lookup support for firewall mark Rumen Telbizov
2021-06-09 1:21 ` David Ahern [this message]
2021-06-09 18:30 ` Rumen Telbizov
2021-06-09 21:56 ` Rumen Telbizov
2021-06-09 22:08 ` Daniel Borkmann
2021-06-10 14:37 ` David Ahern
2021-06-10 17:41 ` Rumen Telbizov
2021-06-10 18:52 ` David Ahern
2021-06-10 20:58 ` Daniel Borkmann
2021-06-11 1:41 ` David Ahern
2021-06-11 17:32 ` Rumen Telbizov
[not found] ` <CA+FoirA-eAfux3PfxjgyO=--7duWCKuyeJfxWTdW6jiMWzShTw@mail.gmail.com>
2021-06-12 0:00 ` Rumen Telbizov
2021-06-12 1:13 ` David Ahern
2021-06-14 16:53 ` Rumen Telbizov
2021-06-29 17:18 ` Rumen Telbizov
2021-06-29 17:21 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3e6ba294-12ca-3a2f-d17c-9588ae221dda@gmail.com \
--to=dsahern@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=rumen.telbizov@menlosecurity.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).