Re: [PATCH bpf-next v3 2/4] bpf: allow to specify ifindex for skb in bpf_prog_test_run_skb

From: Daniel Borkmann <daniel@iogearbox.net>
To: Dmitry Yakunin <zeil@yandex-team.ru>,
	alexei.starovoitov@gmail.com, netdev@vger.kernel.org,
	bpf@vger.kernel.org
Cc: sdf@google.com
Subject: Re: [PATCH bpf-next v3 2/4] bpf: allow to specify ifindex for skb in bpf_prog_test_run_skb
Date: Thu, 16 Jul 2020 21:42:36 +0200	[thread overview]
Message-ID: <08c685b1-da91-9815-29fe-c7b8f3edc3c1@iogearbox.net> (raw)
In-Reply-To: <20200715195132.4286-3-zeil@yandex-team.ru>

On 7/15/20 9:51 PM, Dmitry Yakunin wrote:
> Now skb->dev is unconditionally set to the loopback device in current net
> namespace. But if we want to test bpf program which contains code branch
> based on ifindex condition (eg filters out localhost packets) it is useful
> to allow specifying of ifindex from userspace. This patch adds such option
> through ctx_in (__sk_buff) parameter.
> 
> Signed-off-by: Dmitry Yakunin <zeil@yandex-team.ru>
> ---
>   net/bpf/test_run.c                               | 22 ++++++++++++++++++++--
>   tools/testing/selftests/bpf/prog_tests/skb_ctx.c |  5 +++++
>   2 files changed, 25 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bpf/test_run.c b/net/bpf/test_run.c
> index 0c3283d..0e92973 100644
> --- a/net/bpf/test_run.c
> +++ b/net/bpf/test_run.c
> @@ -310,6 +310,12 @@ static int convert___skb_to_skb(struct sk_buff *skb, struct __sk_buff *__skb)
>   	/* priority is allowed */
>   
>   	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, priority),
> +			   offsetof(struct __sk_buff, ifindex)))
> +		return -EINVAL;
> +
> +	/* ifindex is allowed */
> +
> +	if (!range_is_zero(__skb, offsetofend(struct __sk_buff, ifindex),
>   			   offsetof(struct __sk_buff, cb)))
>   		return -EINVAL;
>   
> @@ -364,6 +370,7 @@ static void convert_skb_to___skb(struct sk_buff *skb, struct __sk_buff *__skb)
>   
>   	__skb->mark = skb->mark;
>   	__skb->priority = skb->priority;
> +	__skb->ifindex = skb->dev->ifindex;
>   	__skb->tstamp = skb->tstamp;
>   	memcpy(__skb->cb, &cb->data, QDISC_CB_PRIV_LEN);
>   	__skb->wire_len = cb->pkt_len;
> @@ -374,6 +381,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
>   			  union bpf_attr __user *uattr)
>   {
>   	bool is_l2 = false, is_direct_pkt_access = false;
> +	struct net *net = current->nsproxy->net_ns;
> +	struct net_device *dev = net->loopback_dev;
>   	u32 size = kattr->test.data_size_in;
>   	u32 repeat = kattr->test.repeat;
>   	struct __sk_buff *ctx = NULL;
> @@ -415,7 +424,7 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
>   		kfree(ctx);
>   		return -ENOMEM;
>   	}
> -	sock_net_set(sk, current->nsproxy->net_ns);
> +	sock_net_set(sk, net);
>   	sock_init_data(NULL, sk);
>   
>   	skb = build_skb(data, 0);
> @@ -429,7 +438,14 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
>   
>   	skb_reserve(skb, NET_SKB_PAD + NET_IP_ALIGN);
>   	__skb_put(skb, size);
> -	skb->protocol = eth_type_trans(skb, current->nsproxy->net_ns->loopback_dev);
> +	if (ctx && ctx->ifindex > 1) {
> +		dev = dev_get_by_index(net, ctx->ifindex);
> +		if (!dev) {
> +			ret = -ENODEV;
> +			goto out;
> +		}
> +	}
> +	skb->protocol = eth_type_trans(skb, dev);
>   	skb_reset_network_header(skb);
>   
>   	switch (skb->protocol) {
> @@ -481,6 +497,8 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog, const union bpf_attr *kattr,
>   		ret = bpf_ctx_finish(kattr, uattr, ctx,
>   				     sizeof(struct __sk_buff));
>   out:

Overall this looks good. One small note is that dev_get_by_index() will hold the device
for the entire test duration preventing to release it from user side, but I think in this
context it's an acceptable trade-off.

> +	if (dev && dev != net->loopback_dev)
> +		dev_put(dev);
>   	kfree_skb(skb);
>   	bpf_sk_storage_free(sk);
>   	kfree(sk);