[PATCH net-next] Add uid and cookie bpf helper to cg_skb_func_proto

[PATCH net-next] Add uid and cookie bpf helper to cg_skb_func_proto

[Chenbo Feng]

From: Chenbo Feng <fengc@google.com>

BPF helper functions get_socket_cookie and get_socket_uid can be
used for network traffic classifications, among others. Expose
them also to programs of type BPF_PROG_TYPE_CGROUP_SKB. As of
commit 8f917bba0042 ("bpf: pass sk to helper functions") the required
skb->sk function is available at both cgroup bpf ingress and egress
hooks.

Signed-off-by: Chenbo Feng <fengc@google.com>
---
 net/core/filter.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/core/filter.c b/net/core/filter.c
index ce2a19d..b6db9e330 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2769,6 +2769,10 @@ cg_skb_func_proto(enum bpf_func_id func_id)
 	switch (func_id) {
 	case BPF_FUNC_skb_load_bytes:
 		return &bpf_skb_load_bytes_proto;
+	case BPF_FUNC_get_socket_cookie:
+		return &bpf_get_socket_cookie_proto;
+	case BPF_FUNC_get_socket_uid:
+		return &bpf_get_socket_uid_proto;
 	default:
 		return bpf_base_func_proto(func_id);
 	}
-- 
2.7.4

Re: [PATCH net-next] Add uid and cookie bpf helper to cg_skb_func_proto

[Alexei Starovoitov]

On Fri, Apr 14, 2017 at 04:12:14PM -0700, Chenbo Feng wrote:
> From: Chenbo Feng <fengc@google.com>
> 
> BPF helper functions get_socket_cookie and get_socket_uid can be
> used for network traffic classifications, among others. Expose
> them also to programs of type BPF_PROG_TYPE_CGROUP_SKB. As of
> commit 8f917bba0042 ("bpf: pass sk to helper functions") the required
> skb->sk function is available at both cgroup bpf ingress and egress
> hooks.
> 
> Signed-off-by: Chenbo Feng <fengc@google.com>

Thanks for follow up.
Another alternative is to do
cg_skb_func_proto(enum bpf_func_id func_id)
{
    return sk_filter_func_proto(func_id);
}

I think all socket filter helpers are applicable to cg_skb too.

Re: [PATCH net-next] Add uid and cookie bpf helper to cg_skb_func_proto

[Daniel Borkmann]

On 04/15/2017 02:07 AM, Alexei Starovoitov wrote:
> On Fri, Apr 14, 2017 at 04:12:14PM -0700, Chenbo Feng wrote:
>> From: Chenbo Feng <fengc@google.com>
>>
>> BPF helper functions get_socket_cookie and get_socket_uid can be
>> used for network traffic classifications, among others. Expose
>> them also to programs of type BPF_PROG_TYPE_CGROUP_SKB. As of
>> commit 8f917bba0042 ("bpf: pass sk to helper functions") the required
>> skb->sk function is available at both cgroup bpf ingress and egress
>> hooks.
>>
>> Signed-off-by: Chenbo Feng <fengc@google.com>
>
> Thanks for follow up.
> Another alternative is to do
> cg_skb_func_proto(enum bpf_func_id func_id)
> {
>      return sk_filter_func_proto(func_id);
> }
>
> I think all socket filter helpers are applicable to cg_skb too.

Yeah, both will effectively be the same at that point:

static const struct bpf_func_proto *
sk_filter_func_proto(enum bpf_func_id func_id)
{
	switch (func_id) {
	case BPF_FUNC_skb_load_bytes:
		return &bpf_skb_load_bytes_proto;
	case BPF_FUNC_get_socket_cookie:
		return &bpf_get_socket_cookie_proto;
	case BPF_FUNC_get_socket_uid:
		return &bpf_get_socket_uid_proto;
	default:
		return bpf_base_func_proto(func_id);
	}
}

And with the two additions:

static const struct bpf_func_proto *
cg_skb_func_proto(enum bpf_func_id func_id)
{
	switch (func_id) {
	case BPF_FUNC_skb_load_bytes:
		return &bpf_skb_load_bytes_proto;
+	case BPF_FUNC_get_socket_cookie:
+		return &bpf_get_socket_cookie_proto;
+	case BPF_FUNC_get_socket_uid:
+		return &bpf_get_socket_uid_proto;
	default:
		return bpf_base_func_proto(func_id);
	}
}