From: David Ahern <dsa@cumulusnetworks.com>
To: "Eric W. Biederman" <ebiederm@xmission.com>,
Daniel Borkmann <daniel@iogearbox.net>
Cc: netdev@vger.kernel.org, davem@davemloft.net, ast@kernel.org,
tj@kernel.org, luto@amacapital.net
Subject: Re: [PATCH net v5] bpf: add helper to compare network namespaces
Date: Wed, 22 Feb 2017 20:28:47 -0700 [thread overview]
Message-ID: <1a4f1938-6f2a-2c75-d45a-41c46baac039@cumulusnetworks.com> (raw)
In-Reply-To: <878tp1h4xs.fsf@xmission.com>
On 2/19/17 9:17 PM, Eric W. Biederman wrote:
>>> @@ -2597,6 +2598,39 @@ static const struct bpf_func_proto bpf_xdp_event_output_proto = {
>>> .arg5_type = ARG_CONST_STACK_SIZE,
>>> };
>>>
>>> +BPF_CALL_3(bpf_sk_netns_cmp, struct sock *, sk, u64, ns_dev, u64, ns_ino)
>>> +{
>>> + return netns_cmp(sock_net(sk), ns_dev, ns_ino);
>>> +}
>>
>> Is there anything that speaks against doing the comparison itself
>> outside of the helper? Meaning, the helper would get a buffer
>> passed from stack f.e. struct foo { u64 ns_dev; u64 ns_ino; }
>> and fills both out with the netns info belonging to the sk/skb.
>
> Yes. The dev/ino pair is not necessarily unique so it is not at all
> clear that the returned value would be what the program is expecting.
How does the comparison inside a helper change the fact that a dev and
inode number are compared? ie., inside or outside of a helper, the end
result is that a bpf program has a dev/inode pair that is compared to
that of a socket or skb.
Ideally, it would be nice to have a bpf equivalent to net_eq(), but it
is not possible from a practical perspective to have bpf programs load a
namespace reference (address really) from a given pid or fd.
next prev parent reply other threads:[~2017-02-23 3:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-16 1:29 [PATCH net v5] bpf: add helper to compare network namespaces David Ahern
2017-02-16 3:24 ` Eric W. Biederman
2017-02-16 10:08 ` Daniel Borkmann
2017-02-17 4:01 ` David Ahern
2017-02-17 14:15 ` Daniel Borkmann
2017-02-20 4:17 ` Eric W. Biederman
2017-02-23 3:28 ` David Ahern [this message]
2017-02-23 14:55 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a4f1938-6f2a-2c75-d45a-41c46baac039@cumulusnetworks.com \
--to=dsa@cumulusnetworks.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=tj@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.