From: Andrii Nakryiko
Date: Tue, 26 Apr 2022 16:47:18 -0700
Subject: Re: [PATCH bpf-next v6 6/6] bpf: Allow the new syncookie helpers to work with SKBs
To: Maxim Mikityanskiy
Cc: bpf, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Networking, Tariq Toukan, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, "David S. Miller", Jakub Kicinski, Petar Penkov, Lorenz Bauer, Eric Dumazet, Hideaki YOSHIFUJI, David Ahern, Shuah Khan, Jesper Dangaard Brouer, Nathan Chancellor, Nick Desaulniers, Joe Stringer, Florent Revest, "open list:KERNEL SELFTEST FRAMEWORK", Toke Høiland-Jørgensen, Kumar Kartikeya Dwivedi, Florian Westphal, pabeni@redhat.com
In-Reply-To: <20220422172422.4037988-7-maximmi@nvidia.com>
X-Mailing-List: bpf@vger.kernel.org

On Fri, Apr 22, 2022 at 10:25 AM Maxim Mikityanskiy wrote:
>
> This commit allows the new BPF helpers to work in SKB context (in TC
> BPF programs): bpf_tcp_raw_{gen,check}_syncookie_ipv{4,6}.
>
> The sample application and selftest are updated to support the TC mode.
> It's not the recommended mode of operation, because the SKB is already
> created at this point, and it's unlikely that the BPF program will
> provide any substantial speedup compared to regular SYN cookies or
> synproxy.
>
> Signed-off-by: Maxim Mikityanskiy
> Reviewed-by: Tariq Toukan
> ---
> net/core/filter.c | 10 ++
> .../selftests/bpf/prog_tests/xdp_synproxy.c | 53 +++++--
> .../selftests/bpf/progs/xdp_synproxy_kern.c | 141 +++++++++++++-----
> tools/testing/selftests/bpf/xdp_synproxy.c | 94 +++++++++---
> 4 files changed, 230 insertions(+), 68 deletions(-)
> [...] > > - return hdr.tcp->syn ? syncookie_handle_syn(&hdr, ctx, data, data_end) : > - syncookie_handle_ack(&hdr); > + return hdr->tcp->syn ? syncookie_handle_syn(hdr, ctx, data, data_end, xdp) : > + syncookie_handle_ack(hdr); > +} > + > +SEC("xdp/syncookie") SEC("xdp")? libbpf will reject SEC("xdp/syncookie") in strict libbpf 1.0 mode > +int syncookie_xdp(struct xdp_md *ctx) > +{ > + void *data_end = (void *)(long)ctx->data_end; > + void *data = (void *)(long)ctx->data; > + struct header_pointers hdr; > + int ret; > + > + ret = syncookie_part1(ctx, data, data_end, &hdr, true); > + if (ret != XDP_TX) > + return ret; > + > + data_end = (void *)(long)ctx->data_end; > + data = (void *)(long)ctx->data; > + > + return syncookie_part2(ctx, data, data_end, &hdr, true); > +} [...]
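
Review bot: In syncookie_xdp(), data and data_end are re-read from ctx between syncookie_part1() and syncookie_part2(), but hdr, which part1 filled in, is passed to part2 unchanged and nothing explains the reload. If the reload is there because part1 can invalidate packet pointers, the pointers held in hdr are in the same position, so a comment should state how part2 treats hdr before dereferencing it against the new data_end. The same function uses a return value of XDP_TX from part1 as the signal to continue (`if (ret != XDP_TX) return ret;`) and passes a bare `true` as the last argument to both calls; a one-line comment on that contract would make the split easier to audit.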