We'd like to use the SENDMSG ones, Daniel suggested to expose to more hooks while are here. Stanislav Fomichev (4): bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME selftests/bpf: rewrite readmsg{4,6} asm progs to c in test_sock_addr bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG net/core/filter.c | 16 ++++ .../selftests/bpf/bpf_sockopt_helpers.h | 21 +++++ .../selftests/bpf/progs/connect_force_port4.c | 8 ++ .../selftests/bpf/progs/connect_force_port6.c | 8 ++ .../selftests/bpf/progs/recvmsg4_prog.c | 42 +++++++++ .../selftests/bpf/progs/recvmsg6_prog.c | 48 +++++++++++ .../selftests/bpf/progs/sendmsg4_prog.c | 7 ++ .../selftests/bpf/progs/sendmsg6_prog.c | 5 ++ tools/testing/selftests/bpf/test_sock_addr.c | 86 +++---------------- 9 files changed, 167 insertions(+), 74 deletions(-) create mode 100644 tools/testing/selftests/bpf/bpf_sockopt_helpers.h create mode 100644 tools/testing/selftests/bpf/progs/recvmsg4_prog.c create mode 100644 tools/testing/selftests/bpf/progs/recvmsg6_prog.c -- 2.30.0.280.ga3ce27912f-goog
Can be used to query/modify socket state for unconnected UDP sendmsg. Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on a locked socket. Signed-off-by: Stanislav Fomichev <sdf@google.com> --- net/core/filter.c | 4 ++++ .../selftests/bpf/bpf_sockopt_helpers.h | 21 +++++++++++++++++++ .../selftests/bpf/progs/sendmsg4_prog.c | 7 +++++++ .../selftests/bpf/progs/sendmsg6_prog.c | 5 +++++ 4 files changed, 37 insertions(+) create mode 100644 tools/testing/selftests/bpf/bpf_sockopt_helpers.h diff --git a/net/core/filter.c b/net/core/filter.c index 9ab94e90d660..3d7f78a19565 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET6_CONNECT: + case BPF_CGROUP_UDP4_SENDMSG: + case BPF_CGROUP_UDP6_SENDMSG: return &bpf_sock_addr_setsockopt_proto; default: return NULL; @@ -7033,6 +7035,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET6_CONNECT: + case BPF_CGROUP_UDP4_SENDMSG: + case BPF_CGROUP_UDP6_SENDMSG: return &bpf_sock_addr_getsockopt_proto; default: return NULL; diff --git a/tools/testing/selftests/bpf/bpf_sockopt_helpers.h b/tools/testing/selftests/bpf/bpf_sockopt_helpers.h new file mode 100644 index 000000000000..11f3a0976174 --- /dev/null +++ b/tools/testing/selftests/bpf/bpf_sockopt_helpers.h @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#include <sys/socket.h> +#include <bpf/bpf_helpers.h> + +int get_set_sk_priority(void *ctx) +{ + int prio; + + /* Verify that context allows calling bpf_getsockopt and + * bpf_setsockopt by reading and writing back socket + * priority. + */ + + if (bpf_getsockopt(ctx, SOL_SOCKET, SO_PRIORITY, &prio, sizeof(prio))) + return 0; + if (bpf_setsockopt(ctx, SOL_SOCKET, SO_PRIORITY, &prio, sizeof(prio))) + return 0; + + return 1; +} diff --git a/tools/testing/selftests/bpf/progs/sendmsg4_prog.c b/tools/testing/selftests/bpf/progs/sendmsg4_prog.c index 092d9da536f3..ac5abc34cde8 100644 --- a/tools/testing/selftests/bpf/progs/sendmsg4_prog.c +++ b/tools/testing/selftests/bpf/progs/sendmsg4_prog.c @@ -8,6 +8,8 @@ #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> +#include <bpf_sockopt_helpers.h> + #define SRC1_IP4 0xAC100001U /* 172.16.0.1 */ #define SRC2_IP4 0x00000000U #define SRC_REWRITE_IP4 0x7f000004U @@ -21,9 +23,14 @@ int _version SEC("version") = 1; SEC("cgroup/sendmsg4") int sendmsg_v4_prog(struct bpf_sock_addr *ctx) { + int prio; + if (ctx->type != SOCK_DGRAM) return 0; + if (!get_set_sk_priority(ctx)) + return 0; + /* Rewrite source. */ if (ctx->msg_src_ip4 == bpf_htonl(SRC1_IP4) || ctx->msg_src_ip4 == bpf_htonl(SRC2_IP4)) { diff --git a/tools/testing/selftests/bpf/progs/sendmsg6_prog.c b/tools/testing/selftests/bpf/progs/sendmsg6_prog.c index 255a432bc163..24694b1a8d82 100644 --- a/tools/testing/selftests/bpf/progs/sendmsg6_prog.c +++ b/tools/testing/selftests/bpf/progs/sendmsg6_prog.c @@ -8,6 +8,8 @@ #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> +#include <bpf_sockopt_helpers.h> + #define SRC_REWRITE_IP6_0 0 #define SRC_REWRITE_IP6_1 0 #define SRC_REWRITE_IP6_2 0 @@ -28,6 +30,9 @@ int sendmsg_v6_prog(struct bpf_sock_addr *ctx) if (ctx->type != SOCK_DGRAM) return 0; + if (!get_set_sk_priority(ctx)) + return 0; + /* Rewrite source. */ if (ctx->msg_src_ip6[3] == bpf_htonl(1) || ctx->msg_src_ip6[3] == bpf_htonl(0)) { -- 2.30.0.280.ga3ce27912f-goog
Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on a locked socket. Signed-off-by: Stanislav Fomichev <sdf@google.com> --- net/core/filter.c | 8 ++++++++ tools/testing/selftests/bpf/progs/connect_force_port4.c | 8 ++++++++ tools/testing/selftests/bpf/progs/connect_force_port6.c | 8 ++++++++ 3 files changed, 24 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index 3d7f78a19565..ba436b1d70c2 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -7025,6 +7025,10 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) case BPF_CGROUP_INET6_CONNECT: case BPF_CGROUP_UDP4_SENDMSG: case BPF_CGROUP_UDP6_SENDMSG: + case BPF_CGROUP_INET4_GETPEERNAME: + case BPF_CGROUP_INET6_GETPEERNAME: + case BPF_CGROUP_INET4_GETSOCKNAME: + case BPF_CGROUP_INET6_GETSOCKNAME: return &bpf_sock_addr_setsockopt_proto; default: return NULL; @@ -7037,6 +7041,10 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) case BPF_CGROUP_INET6_CONNECT: case BPF_CGROUP_UDP4_SENDMSG: case BPF_CGROUP_UDP6_SENDMSG: + case BPF_CGROUP_INET4_GETPEERNAME: + case BPF_CGROUP_INET6_GETPEERNAME: + case BPF_CGROUP_INET4_GETSOCKNAME: + case BPF_CGROUP_INET6_GETSOCKNAME: return &bpf_sock_addr_getsockopt_proto; default: return NULL; diff --git a/tools/testing/selftests/bpf/progs/connect_force_port4.c b/tools/testing/selftests/bpf/progs/connect_force_port4.c index 7396308677a3..a979aaef2a76 100644 --- a/tools/testing/selftests/bpf/progs/connect_force_port4.c +++ b/tools/testing/selftests/bpf/progs/connect_force_port4.c @@ -10,6 +10,8 @@ #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> +#include <bpf_sockopt_helpers.h> + char _license[] SEC("license") = "GPL"; int _version SEC("version") = 1; @@ -58,6 +60,9 @@ int connect4(struct bpf_sock_addr *ctx) SEC("cgroup/getsockname4") int getsockname4(struct bpf_sock_addr *ctx) { + if (!get_set_sk_priority(ctx)) + return 1; + /* Expose local server as 1.2.3.4:60000 to client. */ if (ctx->user_port == bpf_htons(60123)) { ctx->user_ip4 = bpf_htonl(0x01020304); @@ -71,6 +76,9 @@ int getpeername4(struct bpf_sock_addr *ctx) { struct svc_addr *orig; + if (!get_set_sk_priority(ctx)) + return 1; + /* Expose service 1.2.3.4:60000 as peer instead of backend. */ if (ctx->user_port == bpf_htons(60123)) { orig = bpf_sk_storage_get(&service_mapping, ctx->sk, 0, 0); diff --git a/tools/testing/selftests/bpf/progs/connect_force_port6.c b/tools/testing/selftests/bpf/progs/connect_force_port6.c index c1a2b555e9ad..afc8f1c5a9d6 100644 --- a/tools/testing/selftests/bpf/progs/connect_force_port6.c +++ b/tools/testing/selftests/bpf/progs/connect_force_port6.c @@ -9,6 +9,8 @@ #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> +#include <bpf_sockopt_helpers.h> + char _license[] SEC("license") = "GPL"; int _version SEC("version") = 1; @@ -63,6 +65,9 @@ int connect6(struct bpf_sock_addr *ctx) SEC("cgroup/getsockname6") int getsockname6(struct bpf_sock_addr *ctx) { + if (!get_set_sk_priority(ctx)) + return 1; + /* Expose local server as [fc00::1]:60000 to client. */ if (ctx->user_port == bpf_htons(60124)) { ctx->user_ip6[0] = bpf_htonl(0xfc000000); @@ -79,6 +84,9 @@ int getpeername6(struct bpf_sock_addr *ctx) { struct svc_addr *orig; + if (!get_set_sk_priority(ctx)) + return 1; + /* Expose service [fc00::1]:60000 as peer instead of backend. */ if (ctx->user_port == bpf_htons(60124)) { orig = bpf_sk_storage_get(&service_mapping, ctx->sk, 0, 0); -- 2.30.0.280.ga3ce27912f-goog
I'll extend them in the next patch. It's easier to work with C than with asm. Signed-off-by: Stanislav Fomichev <sdf@google.com> --- .../selftests/bpf/progs/recvmsg4_prog.c | 37 ++++++++ .../selftests/bpf/progs/recvmsg6_prog.c | 43 ++++++++++ tools/testing/selftests/bpf/test_sock_addr.c | 86 +++---------------- 3 files changed, 92 insertions(+), 74 deletions(-) create mode 100644 tools/testing/selftests/bpf/progs/recvmsg4_prog.c create mode 100644 tools/testing/selftests/bpf/progs/recvmsg6_prog.c diff --git a/tools/testing/selftests/bpf/progs/recvmsg4_prog.c b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c new file mode 100644 index 000000000000..fc2fe8a952fa --- /dev/null +++ b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c @@ -0,0 +1,37 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/stddef.h> +#include <linux/bpf.h> +#include <linux/in.h> +#include <sys/socket.h> + +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_endian.h> + +#define SERV4_IP 0xc0a801feU /* 192.168.1.254 */ +#define SERV4_PORT 4040 + +SEC("cgroup/recvmsg4") +int recvmsg4_prog(struct bpf_sock_addr *ctx) +{ + struct bpf_sock *sk; + __u32 user_ip4; + __u16 user_port; + + sk = ctx->sk; + if (!sk) + return 1; + + if (sk->family != AF_INET) + return 1; + + if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM) + return 1; + + ctx->user_ip4 = bpf_htonl(SERV4_IP); + ctx->user_port = bpf_htons(SERV4_PORT); + + return 1; +} + +char _license[] SEC("license") = "GPL"; diff --git a/tools/testing/selftests/bpf/progs/recvmsg6_prog.c b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c new file mode 100644 index 000000000000..6060fd63324b --- /dev/null +++ b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c @@ -0,0 +1,43 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/stddef.h> +#include <linux/bpf.h> +#include <linux/in6.h> +#include <sys/socket.h> + +#include <bpf/bpf_helpers.h> +#include <bpf/bpf_endian.h> + +#define SERV6_IP_0 0xfaceb00c /* face:b00c:1234:5678::abcd */ +#define SERV6_IP_1 0x12345678 +#define SERV6_IP_2 0x00000000 +#define SERV6_IP_3 0x0000abcd +#define SERV6_PORT 6060 + +SEC("cgroup/recvmsg6") +int recvmsg6_prog(struct bpf_sock_addr *ctx) +{ + struct bpf_sock *sk; + __u32 user_ip4; + __u16 user_port; + + sk = ctx->sk; + if (!sk) + return 1; + + if (sk->family != AF_INET6) + return 1; + + if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM) + return 1; + + ctx->user_ip6[0] = bpf_htonl(SERV6_IP_0); + ctx->user_ip6[1] = bpf_htonl(SERV6_IP_1); + ctx->user_ip6[2] = bpf_htonl(SERV6_IP_2); + ctx->user_ip6[3] = bpf_htonl(SERV6_IP_3); + ctx->user_port = bpf_htons(SERV6_PORT); + + return 1; +} + +char _license[] SEC("license") = "GPL"; diff --git a/tools/testing/selftests/bpf/test_sock_addr.c b/tools/testing/selftests/bpf/test_sock_addr.c index dcb83ab02919..aa3f185fcb89 100644 --- a/tools/testing/selftests/bpf/test_sock_addr.c +++ b/tools/testing/selftests/bpf/test_sock_addr.c @@ -31,6 +31,8 @@ #define CONNECT6_PROG_PATH "./connect6_prog.o" #define SENDMSG4_PROG_PATH "./sendmsg4_prog.o" #define SENDMSG6_PROG_PATH "./sendmsg6_prog.o" +#define RECVMSG4_PROG_PATH "./recvmsg4_prog.o" +#define RECVMSG6_PROG_PATH "./recvmsg6_prog.o" #define BIND4_PROG_PATH "./bind4_prog.o" #define BIND6_PROG_PATH "./bind6_prog.o" @@ -94,10 +96,10 @@ static int sendmsg_deny_prog_load(const struct sock_addr_test *test); static int recvmsg_allow_prog_load(const struct sock_addr_test *test); static int recvmsg_deny_prog_load(const struct sock_addr_test *test); static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test); -static int recvmsg4_rw_asm_prog_load(const struct sock_addr_test *test); +static int recvmsg4_rw_c_prog_load(const struct sock_addr_test *test); static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test); static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test); -static int recvmsg6_rw_asm_prog_load(const struct sock_addr_test *test); +static int recvmsg6_rw_c_prog_load(const struct sock_addr_test *test); static int sendmsg6_rw_c_prog_load(const struct sock_addr_test *test); static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test); static int sendmsg6_rw_wildcard_prog_load(const struct sock_addr_test *test); @@ -573,8 +575,8 @@ static struct sock_addr_test tests[] = { LOAD_REJECT, }, { - "recvmsg4: rewrite IP & port (asm)", - recvmsg4_rw_asm_prog_load, + "recvmsg4: rewrite IP & port (C)", + recvmsg4_rw_c_prog_load, BPF_CGROUP_UDP4_RECVMSG, BPF_CGROUP_UDP4_RECVMSG, AF_INET, @@ -587,8 +589,8 @@ static struct sock_addr_test tests[] = { SUCCESS, }, { - "recvmsg6: rewrite IP & port (asm)", - recvmsg6_rw_asm_prog_load, + "recvmsg6: rewrite IP & port (C)", + recvmsg6_rw_c_prog_load, BPF_CGROUP_UDP6_RECVMSG, BPF_CGROUP_UDP6_RECVMSG, AF_INET6, @@ -786,45 +788,9 @@ static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test) return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn)); } -static int recvmsg4_rw_asm_prog_load(const struct sock_addr_test *test) +static int recvmsg4_rw_c_prog_load(const struct sock_addr_test *test) { - struct sockaddr_in src4_rw_addr; - - if (mk_sockaddr(AF_INET, SERV4_IP, SERV4_PORT, - (struct sockaddr *)&src4_rw_addr, - sizeof(src4_rw_addr)) == -1) - return -1; - - struct bpf_insn insns[] = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - - /* if (sk.family == AF_INET && */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock_addr, family)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET, 6), - - /* sk.type == SOCK_DGRAM) { */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock_addr, type)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, SOCK_DGRAM, 4), - - /* user_ip4 = src4_rw_addr.sin_addr */ - BPF_MOV32_IMM(BPF_REG_7, src4_rw_addr.sin_addr.s_addr), - BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7, - offsetof(struct bpf_sock_addr, user_ip4)), - - /* user_port = src4_rw_addr.sin_port */ - BPF_MOV32_IMM(BPF_REG_7, src4_rw_addr.sin_port), - BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7, - offsetof(struct bpf_sock_addr, user_port)), - /* } */ - - /* return 1 */ - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }; - - return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn)); + return load_path(test, RECVMSG4_PROG_PATH); } static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test) @@ -890,37 +856,9 @@ static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test) return sendmsg6_rw_dst_asm_prog_load(test, SERV6_REWRITE_IP); } -static int recvmsg6_rw_asm_prog_load(const struct sock_addr_test *test) +static int recvmsg6_rw_c_prog_load(const struct sock_addr_test *test) { - struct sockaddr_in6 src6_rw_addr; - - if (mk_sockaddr(AF_INET6, SERV6_IP, SERV6_PORT, - (struct sockaddr *)&src6_rw_addr, - sizeof(src6_rw_addr)) == -1) - return -1; - - struct bpf_insn insns[] = { - BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), - - /* if (sk.family == AF_INET6) { */ - BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6, - offsetof(struct bpf_sock_addr, family)), - BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET6, 10), - - STORE_IPV6(user_ip6, src6_rw_addr.sin6_addr.s6_addr32), - - /* user_port = dst6_rw_addr.sin6_port */ - BPF_MOV32_IMM(BPF_REG_7, src6_rw_addr.sin6_port), - BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7, - offsetof(struct bpf_sock_addr, user_port)), - /* } */ - - /* return 1 */ - BPF_MOV64_IMM(BPF_REG_0, 1), - BPF_EXIT_INSN(), - }; - - return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn)); + return load_path(test, RECVMSG6_PROG_PATH); } static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test) -- 2.30.0.280.ga3ce27912f-goog
Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on a locked socket. Signed-off-by: Stanislav Fomichev <sdf@google.com> --- net/core/filter.c | 4 ++++ tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++ tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++ 3 files changed, 14 insertions(+) diff --git a/net/core/filter.c b/net/core/filter.c index ba436b1d70c2..e15d4741719a 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET6_CONNECT: + case BPF_CGROUP_UDP4_RECVMSG: + case BPF_CGROUP_UDP6_RECVMSG: case BPF_CGROUP_UDP4_SENDMSG: case BPF_CGROUP_UDP6_SENDMSG: case BPF_CGROUP_INET4_GETPEERNAME: @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) case BPF_CGROUP_INET6_BIND: case BPF_CGROUP_INET4_CONNECT: case BPF_CGROUP_INET6_CONNECT: + case BPF_CGROUP_UDP4_RECVMSG: + case BPF_CGROUP_UDP6_RECVMSG: case BPF_CGROUP_UDP4_SENDMSG: case BPF_CGROUP_UDP6_SENDMSG: case BPF_CGROUP_INET4_GETPEERNAME: diff --git a/tools/testing/selftests/bpf/progs/recvmsg4_prog.c b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c index fc2fe8a952fa..3d1ae8b3402f 100644 --- a/tools/testing/selftests/bpf/progs/recvmsg4_prog.c +++ b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c @@ -8,6 +8,8 @@ #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> +#include <bpf_sockopt_helpers.h> + #define SERV4_IP 0xc0a801feU /* 192.168.1.254 */ #define SERV4_PORT 4040 @@ -28,6 +30,9 @@ int recvmsg4_prog(struct bpf_sock_addr *ctx) if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM) return 1; + if (!get_set_sk_priority(ctx)) + return 1; + ctx->user_ip4 = bpf_htonl(SERV4_IP); ctx->user_port = bpf_htons(SERV4_PORT); diff --git a/tools/testing/selftests/bpf/progs/recvmsg6_prog.c b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c index 6060fd63324b..27dfb21b21b4 100644 --- a/tools/testing/selftests/bpf/progs/recvmsg6_prog.c +++ b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c @@ -8,6 +8,8 @@ #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> +#include <bpf_sockopt_helpers.h> + #define SERV6_IP_0 0xfaceb00c /* face:b00c:1234:5678::abcd */ #define SERV6_IP_1 0x12345678 #define SERV6_IP_2 0x00000000 @@ -31,6 +33,9 @@ int recvmsg6_prog(struct bpf_sock_addr *ctx) if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM) return 1; + if (!get_set_sk_priority(ctx)) + return 1; + ctx->user_ip6[0] = bpf_htonl(SERV6_IP_0); ctx->user_ip6[1] = bpf_htonl(SERV6_IP_1); ctx->user_ip6[2] = bpf_htonl(SERV6_IP_2); -- 2.30.0.280.ga3ce27912f-goog
On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
> Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
> a locked socket.
>
> Signed-off-by: Stanislav Fomichev <sdf@google.com>
> ---
> net/core/filter.c | 4 ++++
> tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
> tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
> 3 files changed, 14 insertions(+)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index ba436b1d70c2..e15d4741719a 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> case BPF_CGROUP_INET6_BIND:
> case BPF_CGROUP_INET4_CONNECT:
> case BPF_CGROUP_INET6_CONNECT:
> + case BPF_CGROUP_UDP4_RECVMSG:
> + case BPF_CGROUP_UDP6_RECVMSG:
> case BPF_CGROUP_UDP4_SENDMSG:
> case BPF_CGROUP_UDP6_SENDMSG:
> case BPF_CGROUP_INET4_GETPEERNAME:
> @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> case BPF_CGROUP_INET6_BIND:
> case BPF_CGROUP_INET4_CONNECT:
> case BPF_CGROUP_INET6_CONNECT:
> + case BPF_CGROUP_UDP4_RECVMSG:
> + case BPF_CGROUP_UDP6_RECVMSG:
> case BPF_CGROUP_UDP4_SENDMSG:
> case BPF_CGROUP_UDP6_SENDMSG:
> case BPF_CGROUP_INET4_GETPEERNAME:
Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
small nit that would be good to get resolved before that. Above you now list all the attach hooks
for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
altogether in this last commit.
Thanks,
Daniel
On Thu, Jan 28, 2021 at 4:52 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
> > Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
> > a locked socket.
> >
> > Signed-off-by: Stanislav Fomichev <sdf@google.com>
> > ---
> > net/core/filter.c | 4 ++++
> > tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
> > tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
> > 3 files changed, 14 insertions(+)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index ba436b1d70c2..e15d4741719a 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> > case BPF_CGROUP_INET6_BIND:
> > case BPF_CGROUP_INET4_CONNECT:
> > case BPF_CGROUP_INET6_CONNECT:
> > + case BPF_CGROUP_UDP4_RECVMSG:
> > + case BPF_CGROUP_UDP6_RECVMSG:
> > case BPF_CGROUP_UDP4_SENDMSG:
> > case BPF_CGROUP_UDP6_SENDMSG:
> > case BPF_CGROUP_INET4_GETPEERNAME:
> > @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> > case BPF_CGROUP_INET6_BIND:
> > case BPF_CGROUP_INET4_CONNECT:
> > case BPF_CGROUP_INET6_CONNECT:
> > + case BPF_CGROUP_UDP4_RECVMSG:
> > + case BPF_CGROUP_UDP6_RECVMSG:
> > case BPF_CGROUP_UDP4_SENDMSG:
> > case BPF_CGROUP_UDP6_SENDMSG:
> > case BPF_CGROUP_INET4_GETPEERNAME:
>
> Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
> small nit that would be good to get resolved before that. Above you now list all the attach hooks
> for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
> altogether in this last commit.
Sure, I can resend tomorrow.
But do you think it's safe and there won't ever be another sock_addr
hook that runs with an unlocked socket?
On 1/29/21 1:59 AM, Stanislav Fomichev wrote:
> On Thu, Jan 28, 2021 at 4:52 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
>>> Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
>>> a locked socket.
>>>
>>> Signed-off-by: Stanislav Fomichev <sdf@google.com>
>>> ---
>>> net/core/filter.c | 4 ++++
>>> tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
>>> tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
>>> 3 files changed, 14 insertions(+)
>>>
>>> diff --git a/net/core/filter.c b/net/core/filter.c
>>> index ba436b1d70c2..e15d4741719a 100644
>>> --- a/net/core/filter.c
>>> +++ b/net/core/filter.c
>>> @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>>> case BPF_CGROUP_INET6_BIND:
>>> case BPF_CGROUP_INET4_CONNECT:
>>> case BPF_CGROUP_INET6_CONNECT:
>>> + case BPF_CGROUP_UDP4_RECVMSG:
>>> + case BPF_CGROUP_UDP6_RECVMSG:
>>> case BPF_CGROUP_UDP4_SENDMSG:
>>> case BPF_CGROUP_UDP6_SENDMSG:
>>> case BPF_CGROUP_INET4_GETPEERNAME:
>>> @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>>> case BPF_CGROUP_INET6_BIND:
>>> case BPF_CGROUP_INET4_CONNECT:
>>> case BPF_CGROUP_INET6_CONNECT:
>>> + case BPF_CGROUP_UDP4_RECVMSG:
>>> + case BPF_CGROUP_UDP6_RECVMSG:
>>> case BPF_CGROUP_UDP4_SENDMSG:
>>> case BPF_CGROUP_UDP6_SENDMSG:
>>> case BPF_CGROUP_INET4_GETPEERNAME:
>>
>> Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
>> small nit that would be good to get resolved before that. Above you now list all the attach hooks
>> for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
>> altogether in this last commit.
> Sure, I can resend tomorrow.
> But do you think it's safe and there won't ever be another sock_addr
> hook that runs with an unlocked socket?
Ok, that rationale seems reasonable to keep the series as is. It probably makes sense to add a
small comment at least to the commit log to explain the reasoning, I can do so while applying.
So no need for v3, thanks!
On Thu, Jan 28, 2021 at 5:08 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 1/29/21 1:59 AM, Stanislav Fomichev wrote:
> > On Thu, Jan 28, 2021 at 4:52 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> >> On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
> >>> Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
> >>> a locked socket.
> >>>
> >>> Signed-off-by: Stanislav Fomichev <sdf@google.com>
> >>> ---
> >>> net/core/filter.c | 4 ++++
> >>> tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
> >>> tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
> >>> 3 files changed, 14 insertions(+)
> >>>
> >>> diff --git a/net/core/filter.c b/net/core/filter.c
> >>> index ba436b1d70c2..e15d4741719a 100644
> >>> --- a/net/core/filter.c
> >>> +++ b/net/core/filter.c
> >>> @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> >>> case BPF_CGROUP_INET6_BIND:
> >>> case BPF_CGROUP_INET4_CONNECT:
> >>> case BPF_CGROUP_INET6_CONNECT:
> >>> + case BPF_CGROUP_UDP4_RECVMSG:
> >>> + case BPF_CGROUP_UDP6_RECVMSG:
> >>> case BPF_CGROUP_UDP4_SENDMSG:
> >>> case BPF_CGROUP_UDP6_SENDMSG:
> >>> case BPF_CGROUP_INET4_GETPEERNAME:
> >>> @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> >>> case BPF_CGROUP_INET6_BIND:
> >>> case BPF_CGROUP_INET4_CONNECT:
> >>> case BPF_CGROUP_INET6_CONNECT:
> >>> + case BPF_CGROUP_UDP4_RECVMSG:
> >>> + case BPF_CGROUP_UDP6_RECVMSG:
> >>> case BPF_CGROUP_UDP4_SENDMSG:
> >>> case BPF_CGROUP_UDP6_SENDMSG:
> >>> case BPF_CGROUP_INET4_GETPEERNAME:
> >>
> >> Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
> >> small nit that would be good to get resolved before that. Above you now list all the attach hooks
> >> for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
> >> altogether in this last commit.
> > Sure, I can resend tomorrow.
> > But do you think it's safe and there won't ever be another sock_addr
> > hook that runs with an unlocked socket?
>
> Ok, that rationale seems reasonable to keep the series as is. It probably makes sense to add a
> small comment at least to the commit log to explain the reasoning, I can do so while applying.
> So no need for v3, thanks!
Sounds good, thank you!
Hello: This series was applied to bpf/bpf-next.git (refs/heads/master): On Wed, 27 Jan 2021 15:28:49 -0800 you wrote: > We'd like to use the SENDMSG ones, Daniel suggested to > expose to more hooks while are here. > > Stanislav Fomichev (4): > bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG > bpf: enable bpf_{g,s}etsockopt in > BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME > selftests/bpf: rewrite readmsg{4,6} asm progs to c in test_sock_addr > bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG > > [...] Here is the summary with links: - [bpf-next,v2,1/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG https://git.kernel.org/bpf/bpf-next/c/62476cc1bf24 - [bpf-next,v2,2/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME https://git.kernel.org/bpf/bpf-next/c/073f4ec124bb - [bpf-next,v2,3/4] selftests/bpf: rewrite recvmsg{4,6} asm progs to c in test_sock_addr https://git.kernel.org/bpf/bpf-next/c/357490601621 - [bpf-next,v2,4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG https://git.kernel.org/bpf/bpf-next/c/4c3384d7abe5 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html