From: Pavel Begunkov <asml.silence@gmail.com>
To: sdf@google.com
Cc: netdev@vger.kernel.org, bpf@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] cgroup/bpf: fast path skb BPF filtering
Date: Wed, 15 Dec 2021 17:18:03 +0000 [thread overview]
Message-ID: <b2af633d-aaae-d0c5-72f9-0688b76b4505@gmail.com> (raw)
In-Reply-To: <Yboc/G18R1Vi1eQV@google.com>
On 12/15/21 16:51, sdf@google.com wrote:
> On 12/15, Pavel Begunkov wrote:
>> Add per socket fast path for not enabled BPF skb filtering, which sheds
>> a nice chunk of send/recv overhead when affected. Testing udp with 128
>> byte payload and/or zerocopy with any payload size showed 2-3%
>> improvement in requests/s on the tx side using fast NICs across network,
>> and around 4% for dummy device. Same goes for rx, not measured, but
>> numbers should be relatable.
>> In my understanding, this should affect a good share of machines, and at
>> least it includes my laptops and some checked servers.
>
>> The core of the problem is that even though there is
>> cgroup_bpf_enabled_key guarding from __cgroup_bpf_run_filter_skb()
>> overhead, there are cases where we have several cgroups and loading a
>> BPF program to one also makes all others to go through the slow path
>> even when they don't have any BPF attached. It's even worse, because
>> apparently systemd or some other early init loads some BPF and so
>> triggers exactly this situation for normal networking.
>
>> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
>> ---
>
>> v2: replace bitmask appoach with empty_prog_array (suggested by Martin)
>> v3: add "bpf_" prefix to empty_prog_array (Martin)
>
>> include/linux/bpf-cgroup.h | 24 +++++++++++++++++++++---
>> include/linux/bpf.h | 13 +++++++++++++
>> kernel/bpf/cgroup.c | 18 ++----------------
>> kernel/bpf/core.c | 16 ++++------------
>> 4 files changed, 40 insertions(+), 31 deletions(-)
>
>> diff --git a/include/linux/bpf-cgroup.h b/include/linux/bpf-cgroup.h
>> index 11820a430d6c..c6dacdbdf565 100644
>> --- a/include/linux/bpf-cgroup.h
>> +++ b/include/linux/bpf-cgroup.h
>> @@ -219,11 +219,28 @@ int bpf_percpu_cgroup_storage_copy(struct bpf_map *map, void *key, void *value);
>> int bpf_percpu_cgroup_storage_update(struct bpf_map *map, void *key,
>> void *value, u64 flags);
>
>> +static inline bool
>> +__cgroup_bpf_prog_array_is_empty(struct cgroup_bpf *cgrp_bpf,
>> + enum cgroup_bpf_attach_type type)
>> +{
>> + struct bpf_prog_array *array = rcu_access_pointer(cgrp_bpf->effective[type]);
>> +
>> + return array == &bpf_empty_prog_array.hdr;
>> +}
>> +
>> +#define CGROUP_BPF_TYPE_ENABLED(sk, atype) \
>> +({ \
>> + struct cgroup *__cgrp = sock_cgroup_ptr(&(sk)->sk_cgrp_data); \
>> + \
>> + !__cgroup_bpf_prog_array_is_empty(&__cgrp->bpf, (atype)); \
>> +})
>> +
>> /* Wrappers for __cgroup_bpf_run_filter_skb() guarded by cgroup_bpf_enabled. */
>> #define BPF_CGROUP_RUN_PROG_INET_INGRESS(sk, skb) \
>> ({ \
>> int __ret = 0; \
>> - if (cgroup_bpf_enabled(CGROUP_INET_INGRESS)) \
>> + if (cgroup_bpf_enabled(CGROUP_INET_INGRESS) && sk && \
>> + CGROUP_BPF_TYPE_ENABLED((sk), CGROUP_INET_INGRESS)) \
>
> Why not add this __cgroup_bpf_run_filter_skb check to
> __cgroup_bpf_run_filter_skb? Result of sock_cgroup_ptr() is already there
> and you can use it. Maybe move the things around if you want
> it to happen earlier.
For inlining. Just wanted to get it done right, otherwise I'll likely be
returning to it back in a few months complaining that I see measurable
overhead from the function call :)
--
Pavel Begunkov
next prev parent reply other threads:[~2021-12-15 17:18 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-15 14:49 [PATCH v3] cgroup/bpf: fast path skb BPF filtering Pavel Begunkov
2021-12-15 16:40 ` Jakub Kicinski
2021-12-15 17:38 ` Pavel Begunkov
2021-12-15 16:51 ` sdf
2021-12-15 17:18 ` Pavel Begunkov [this message]
2021-12-15 17:33 ` sdf
2021-12-15 17:53 ` Pavel Begunkov
2021-12-15 18:24 ` sdf
2021-12-15 18:54 ` Pavel Begunkov
2021-12-15 19:15 ` Stanislav Fomichev
2021-12-15 19:55 ` Pavel Begunkov
2021-12-15 22:07 ` Stanislav Fomichev
2021-12-16 13:21 ` Pavel Begunkov
2021-12-16 18:14 ` Martin KaFai Lau
2021-12-16 18:24 ` Stanislav Fomichev
2022-01-24 15:46 ` Pavel Begunkov
2022-01-24 18:25 ` Stanislav Fomichev
2022-01-25 18:54 ` Pavel Begunkov
2022-01-25 21:27 ` Stanislav Fomichev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b2af633d-aaae-d0c5-72f9-0688b76b4505@gmail.com \
--to=asml.silence@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kafai@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sdf@google.com \
--cc=songliubraving@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.