* [PATCH bpf-next v2 1/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG
2021-01-27 23:28 [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks Stanislav Fomichev
@ 2021-01-27 23:28 ` Stanislav Fomichev
2021-01-27 23:28 ` [PATCH bpf-next v2 2/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME Stanislav Fomichev
` (3 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: Stanislav Fomichev @ 2021-01-27 23:28 UTC (permalink / raw)
To: netdev, bpf; +Cc: ast, daniel, Stanislav Fomichev
Can be used to query/modify socket state for unconnected UDP sendmsg.
Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
a locked socket.
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
net/core/filter.c | 4 ++++
.../selftests/bpf/bpf_sockopt_helpers.h | 21 +++++++++++++++++++
.../selftests/bpf/progs/sendmsg4_prog.c | 7 +++++++
.../selftests/bpf/progs/sendmsg6_prog.c | 5 +++++
4 files changed, 37 insertions(+)
create mode 100644 tools/testing/selftests/bpf/bpf_sockopt_helpers.h
diff --git a/net/core/filter.c b/net/core/filter.c
index 9ab94e90d660..3d7f78a19565 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT:
+ case BPF_CGROUP_UDP4_SENDMSG:
+ case BPF_CGROUP_UDP6_SENDMSG:
return &bpf_sock_addr_setsockopt_proto;
default:
return NULL;
@@ -7033,6 +7035,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT:
+ case BPF_CGROUP_UDP4_SENDMSG:
+ case BPF_CGROUP_UDP6_SENDMSG:
return &bpf_sock_addr_getsockopt_proto;
default:
return NULL;
diff --git a/tools/testing/selftests/bpf/bpf_sockopt_helpers.h b/tools/testing/selftests/bpf/bpf_sockopt_helpers.h
new file mode 100644
index 000000000000..11f3a0976174
--- /dev/null
+++ b/tools/testing/selftests/bpf/bpf_sockopt_helpers.h
@@ -0,0 +1,21 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+#include <sys/socket.h>
+#include <bpf/bpf_helpers.h>
+
+int get_set_sk_priority(void *ctx)
+{
+ int prio;
+
+ /* Verify that context allows calling bpf_getsockopt and
+ * bpf_setsockopt by reading and writing back socket
+ * priority.
+ */
+
+ if (bpf_getsockopt(ctx, SOL_SOCKET, SO_PRIORITY, &prio, sizeof(prio)))
+ return 0;
+ if (bpf_setsockopt(ctx, SOL_SOCKET, SO_PRIORITY, &prio, sizeof(prio)))
+ return 0;
+
+ return 1;
+}
diff --git a/tools/testing/selftests/bpf/progs/sendmsg4_prog.c b/tools/testing/selftests/bpf/progs/sendmsg4_prog.c
index 092d9da536f3..ac5abc34cde8 100644
--- a/tools/testing/selftests/bpf/progs/sendmsg4_prog.c
+++ b/tools/testing/selftests/bpf/progs/sendmsg4_prog.c
@@ -8,6 +8,8 @@
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
+#include <bpf_sockopt_helpers.h>
+
#define SRC1_IP4 0xAC100001U /* 172.16.0.1 */
#define SRC2_IP4 0x00000000U
#define SRC_REWRITE_IP4 0x7f000004U
@@ -21,9 +23,14 @@ int _version SEC("version") = 1;
SEC("cgroup/sendmsg4")
int sendmsg_v4_prog(struct bpf_sock_addr *ctx)
{
+ int prio;
+
if (ctx->type != SOCK_DGRAM)
return 0;
+ if (!get_set_sk_priority(ctx))
+ return 0;
+
/* Rewrite source. */
if (ctx->msg_src_ip4 == bpf_htonl(SRC1_IP4) ||
ctx->msg_src_ip4 == bpf_htonl(SRC2_IP4)) {
diff --git a/tools/testing/selftests/bpf/progs/sendmsg6_prog.c b/tools/testing/selftests/bpf/progs/sendmsg6_prog.c
index 255a432bc163..24694b1a8d82 100644
--- a/tools/testing/selftests/bpf/progs/sendmsg6_prog.c
+++ b/tools/testing/selftests/bpf/progs/sendmsg6_prog.c
@@ -8,6 +8,8 @@
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
+#include <bpf_sockopt_helpers.h>
+
#define SRC_REWRITE_IP6_0 0
#define SRC_REWRITE_IP6_1 0
#define SRC_REWRITE_IP6_2 0
@@ -28,6 +30,9 @@ int sendmsg_v6_prog(struct bpf_sock_addr *ctx)
if (ctx->type != SOCK_DGRAM)
return 0;
+ if (!get_set_sk_priority(ctx))
+ return 0;
+
/* Rewrite source. */
if (ctx->msg_src_ip6[3] == bpf_htonl(1) ||
ctx->msg_src_ip6[3] == bpf_htonl(0)) {
--
2.30.0.280.ga3ce27912f-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH bpf-next v2 2/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME
2021-01-27 23:28 [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks Stanislav Fomichev
2021-01-27 23:28 ` [PATCH bpf-next v2 1/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG Stanislav Fomichev
@ 2021-01-27 23:28 ` Stanislav Fomichev
2021-01-27 23:28 ` [PATCH bpf-next v2 3/4] selftests/bpf: rewrite recvmsg{4,6} asm progs to c in test_sock_addr Stanislav Fomichev
` (2 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: Stanislav Fomichev @ 2021-01-27 23:28 UTC (permalink / raw)
To: netdev, bpf; +Cc: ast, daniel, Stanislav Fomichev
Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
a locked socket.
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
net/core/filter.c | 8 ++++++++
tools/testing/selftests/bpf/progs/connect_force_port4.c | 8 ++++++++
tools/testing/selftests/bpf/progs/connect_force_port6.c | 8 ++++++++
3 files changed, 24 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index 3d7f78a19565..ba436b1d70c2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7025,6 +7025,10 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_CONNECT:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
+ case BPF_CGROUP_INET4_GETPEERNAME:
+ case BPF_CGROUP_INET6_GETPEERNAME:
+ case BPF_CGROUP_INET4_GETSOCKNAME:
+ case BPF_CGROUP_INET6_GETSOCKNAME:
return &bpf_sock_addr_setsockopt_proto;
default:
return NULL;
@@ -7037,6 +7041,10 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_CONNECT:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
+ case BPF_CGROUP_INET4_GETPEERNAME:
+ case BPF_CGROUP_INET6_GETPEERNAME:
+ case BPF_CGROUP_INET4_GETSOCKNAME:
+ case BPF_CGROUP_INET6_GETSOCKNAME:
return &bpf_sock_addr_getsockopt_proto;
default:
return NULL;
diff --git a/tools/testing/selftests/bpf/progs/connect_force_port4.c b/tools/testing/selftests/bpf/progs/connect_force_port4.c
index 7396308677a3..a979aaef2a76 100644
--- a/tools/testing/selftests/bpf/progs/connect_force_port4.c
+++ b/tools/testing/selftests/bpf/progs/connect_force_port4.c
@@ -10,6 +10,8 @@
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
+#include <bpf_sockopt_helpers.h>
+
char _license[] SEC("license") = "GPL";
int _version SEC("version") = 1;
@@ -58,6 +60,9 @@ int connect4(struct bpf_sock_addr *ctx)
SEC("cgroup/getsockname4")
int getsockname4(struct bpf_sock_addr *ctx)
{
+ if (!get_set_sk_priority(ctx))
+ return 1;
+
/* Expose local server as 1.2.3.4:60000 to client. */
if (ctx->user_port == bpf_htons(60123)) {
ctx->user_ip4 = bpf_htonl(0x01020304);
@@ -71,6 +76,9 @@ int getpeername4(struct bpf_sock_addr *ctx)
{
struct svc_addr *orig;
+ if (!get_set_sk_priority(ctx))
+ return 1;
+
/* Expose service 1.2.3.4:60000 as peer instead of backend. */
if (ctx->user_port == bpf_htons(60123)) {
orig = bpf_sk_storage_get(&service_mapping, ctx->sk, 0, 0);
diff --git a/tools/testing/selftests/bpf/progs/connect_force_port6.c b/tools/testing/selftests/bpf/progs/connect_force_port6.c
index c1a2b555e9ad..afc8f1c5a9d6 100644
--- a/tools/testing/selftests/bpf/progs/connect_force_port6.c
+++ b/tools/testing/selftests/bpf/progs/connect_force_port6.c
@@ -9,6 +9,8 @@
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
+#include <bpf_sockopt_helpers.h>
+
char _license[] SEC("license") = "GPL";
int _version SEC("version") = 1;
@@ -63,6 +65,9 @@ int connect6(struct bpf_sock_addr *ctx)
SEC("cgroup/getsockname6")
int getsockname6(struct bpf_sock_addr *ctx)
{
+ if (!get_set_sk_priority(ctx))
+ return 1;
+
/* Expose local server as [fc00::1]:60000 to client. */
if (ctx->user_port == bpf_htons(60124)) {
ctx->user_ip6[0] = bpf_htonl(0xfc000000);
@@ -79,6 +84,9 @@ int getpeername6(struct bpf_sock_addr *ctx)
{
struct svc_addr *orig;
+ if (!get_set_sk_priority(ctx))
+ return 1;
+
/* Expose service [fc00::1]:60000 as peer instead of backend. */
if (ctx->user_port == bpf_htons(60124)) {
orig = bpf_sk_storage_get(&service_mapping, ctx->sk, 0, 0);
--
2.30.0.280.ga3ce27912f-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH bpf-next v2 3/4] selftests/bpf: rewrite recvmsg{4,6} asm progs to c in test_sock_addr
2021-01-27 23:28 [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks Stanislav Fomichev
2021-01-27 23:28 ` [PATCH bpf-next v2 1/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG Stanislav Fomichev
2021-01-27 23:28 ` [PATCH bpf-next v2 2/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME Stanislav Fomichev
@ 2021-01-27 23:28 ` Stanislav Fomichev
2021-01-27 23:28 ` [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG Stanislav Fomichev
2021-01-29 1:20 ` [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks patchwork-bot+netdevbpf
4 siblings, 0 replies; 10+ messages in thread
From: Stanislav Fomichev @ 2021-01-27 23:28 UTC (permalink / raw)
To: netdev, bpf; +Cc: ast, daniel, Stanislav Fomichev
I'll extend them in the next patch. It's easier to work with C
than with asm.
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
.../selftests/bpf/progs/recvmsg4_prog.c | 37 ++++++++
.../selftests/bpf/progs/recvmsg6_prog.c | 43 ++++++++++
tools/testing/selftests/bpf/test_sock_addr.c | 86 +++----------------
3 files changed, 92 insertions(+), 74 deletions(-)
create mode 100644 tools/testing/selftests/bpf/progs/recvmsg4_prog.c
create mode 100644 tools/testing/selftests/bpf/progs/recvmsg6_prog.c
diff --git a/tools/testing/selftests/bpf/progs/recvmsg4_prog.c b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c
new file mode 100644
index 000000000000..fc2fe8a952fa
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/stddef.h>
+#include <linux/bpf.h>
+#include <linux/in.h>
+#include <sys/socket.h>
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+
+#define SERV4_IP 0xc0a801feU /* 192.168.1.254 */
+#define SERV4_PORT 4040
+
+SEC("cgroup/recvmsg4")
+int recvmsg4_prog(struct bpf_sock_addr *ctx)
+{
+ struct bpf_sock *sk;
+ __u32 user_ip4;
+ __u16 user_port;
+
+ sk = ctx->sk;
+ if (!sk)
+ return 1;
+
+ if (sk->family != AF_INET)
+ return 1;
+
+ if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM)
+ return 1;
+
+ ctx->user_ip4 = bpf_htonl(SERV4_IP);
+ ctx->user_port = bpf_htons(SERV4_PORT);
+
+ return 1;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/progs/recvmsg6_prog.c b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c
new file mode 100644
index 000000000000..6060fd63324b
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c
@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/stddef.h>
+#include <linux/bpf.h>
+#include <linux/in6.h>
+#include <sys/socket.h>
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+
+#define SERV6_IP_0 0xfaceb00c /* face:b00c:1234:5678::abcd */
+#define SERV6_IP_1 0x12345678
+#define SERV6_IP_2 0x00000000
+#define SERV6_IP_3 0x0000abcd
+#define SERV6_PORT 6060
+
+SEC("cgroup/recvmsg6")
+int recvmsg6_prog(struct bpf_sock_addr *ctx)
+{
+ struct bpf_sock *sk;
+ __u32 user_ip4;
+ __u16 user_port;
+
+ sk = ctx->sk;
+ if (!sk)
+ return 1;
+
+ if (sk->family != AF_INET6)
+ return 1;
+
+ if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM)
+ return 1;
+
+ ctx->user_ip6[0] = bpf_htonl(SERV6_IP_0);
+ ctx->user_ip6[1] = bpf_htonl(SERV6_IP_1);
+ ctx->user_ip6[2] = bpf_htonl(SERV6_IP_2);
+ ctx->user_ip6[3] = bpf_htonl(SERV6_IP_3);
+ ctx->user_port = bpf_htons(SERV6_PORT);
+
+ return 1;
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/tools/testing/selftests/bpf/test_sock_addr.c b/tools/testing/selftests/bpf/test_sock_addr.c
index dcb83ab02919..aa3f185fcb89 100644
--- a/tools/testing/selftests/bpf/test_sock_addr.c
+++ b/tools/testing/selftests/bpf/test_sock_addr.c
@@ -31,6 +31,8 @@
#define CONNECT6_PROG_PATH "./connect6_prog.o"
#define SENDMSG4_PROG_PATH "./sendmsg4_prog.o"
#define SENDMSG6_PROG_PATH "./sendmsg6_prog.o"
+#define RECVMSG4_PROG_PATH "./recvmsg4_prog.o"
+#define RECVMSG6_PROG_PATH "./recvmsg6_prog.o"
#define BIND4_PROG_PATH "./bind4_prog.o"
#define BIND6_PROG_PATH "./bind6_prog.o"
@@ -94,10 +96,10 @@ static int sendmsg_deny_prog_load(const struct sock_addr_test *test);
static int recvmsg_allow_prog_load(const struct sock_addr_test *test);
static int recvmsg_deny_prog_load(const struct sock_addr_test *test);
static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test);
-static int recvmsg4_rw_asm_prog_load(const struct sock_addr_test *test);
+static int recvmsg4_rw_c_prog_load(const struct sock_addr_test *test);
static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test);
static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test);
-static int recvmsg6_rw_asm_prog_load(const struct sock_addr_test *test);
+static int recvmsg6_rw_c_prog_load(const struct sock_addr_test *test);
static int sendmsg6_rw_c_prog_load(const struct sock_addr_test *test);
static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test);
static int sendmsg6_rw_wildcard_prog_load(const struct sock_addr_test *test);
@@ -573,8 +575,8 @@ static struct sock_addr_test tests[] = {
LOAD_REJECT,
},
{
- "recvmsg4: rewrite IP & port (asm)",
- recvmsg4_rw_asm_prog_load,
+ "recvmsg4: rewrite IP & port (C)",
+ recvmsg4_rw_c_prog_load,
BPF_CGROUP_UDP4_RECVMSG,
BPF_CGROUP_UDP4_RECVMSG,
AF_INET,
@@ -587,8 +589,8 @@ static struct sock_addr_test tests[] = {
SUCCESS,
},
{
- "recvmsg6: rewrite IP & port (asm)",
- recvmsg6_rw_asm_prog_load,
+ "recvmsg6: rewrite IP & port (C)",
+ recvmsg6_rw_c_prog_load,
BPF_CGROUP_UDP6_RECVMSG,
BPF_CGROUP_UDP6_RECVMSG,
AF_INET6,
@@ -786,45 +788,9 @@ static int sendmsg4_rw_asm_prog_load(const struct sock_addr_test *test)
return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
}
-static int recvmsg4_rw_asm_prog_load(const struct sock_addr_test *test)
+static int recvmsg4_rw_c_prog_load(const struct sock_addr_test *test)
{
- struct sockaddr_in src4_rw_addr;
-
- if (mk_sockaddr(AF_INET, SERV4_IP, SERV4_PORT,
- (struct sockaddr *)&src4_rw_addr,
- sizeof(src4_rw_addr)) == -1)
- return -1;
-
- struct bpf_insn insns[] = {
- BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
-
- /* if (sk.family == AF_INET && */
- BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
- offsetof(struct bpf_sock_addr, family)),
- BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET, 6),
-
- /* sk.type == SOCK_DGRAM) { */
- BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
- offsetof(struct bpf_sock_addr, type)),
- BPF_JMP_IMM(BPF_JNE, BPF_REG_7, SOCK_DGRAM, 4),
-
- /* user_ip4 = src4_rw_addr.sin_addr */
- BPF_MOV32_IMM(BPF_REG_7, src4_rw_addr.sin_addr.s_addr),
- BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
- offsetof(struct bpf_sock_addr, user_ip4)),
-
- /* user_port = src4_rw_addr.sin_port */
- BPF_MOV32_IMM(BPF_REG_7, src4_rw_addr.sin_port),
- BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
- offsetof(struct bpf_sock_addr, user_port)),
- /* } */
-
- /* return 1 */
- BPF_MOV64_IMM(BPF_REG_0, 1),
- BPF_EXIT_INSN(),
- };
-
- return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
+ return load_path(test, RECVMSG4_PROG_PATH);
}
static int sendmsg4_rw_c_prog_load(const struct sock_addr_test *test)
@@ -890,37 +856,9 @@ static int sendmsg6_rw_asm_prog_load(const struct sock_addr_test *test)
return sendmsg6_rw_dst_asm_prog_load(test, SERV6_REWRITE_IP);
}
-static int recvmsg6_rw_asm_prog_load(const struct sock_addr_test *test)
+static int recvmsg6_rw_c_prog_load(const struct sock_addr_test *test)
{
- struct sockaddr_in6 src6_rw_addr;
-
- if (mk_sockaddr(AF_INET6, SERV6_IP, SERV6_PORT,
- (struct sockaddr *)&src6_rw_addr,
- sizeof(src6_rw_addr)) == -1)
- return -1;
-
- struct bpf_insn insns[] = {
- BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
-
- /* if (sk.family == AF_INET6) { */
- BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_6,
- offsetof(struct bpf_sock_addr, family)),
- BPF_JMP_IMM(BPF_JNE, BPF_REG_7, AF_INET6, 10),
-
- STORE_IPV6(user_ip6, src6_rw_addr.sin6_addr.s6_addr32),
-
- /* user_port = dst6_rw_addr.sin6_port */
- BPF_MOV32_IMM(BPF_REG_7, src6_rw_addr.sin6_port),
- BPF_STX_MEM(BPF_W, BPF_REG_6, BPF_REG_7,
- offsetof(struct bpf_sock_addr, user_port)),
- /* } */
-
- /* return 1 */
- BPF_MOV64_IMM(BPF_REG_0, 1),
- BPF_EXIT_INSN(),
- };
-
- return load_insns(test, insns, sizeof(insns) / sizeof(struct bpf_insn));
+ return load_path(test, RECVMSG6_PROG_PATH);
}
static int sendmsg6_rw_v4mapped_prog_load(const struct sock_addr_test *test)
--
2.30.0.280.ga3ce27912f-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG
2021-01-27 23:28 [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks Stanislav Fomichev
` (2 preceding siblings ...)
2021-01-27 23:28 ` [PATCH bpf-next v2 3/4] selftests/bpf: rewrite recvmsg{4,6} asm progs to c in test_sock_addr Stanislav Fomichev
@ 2021-01-27 23:28 ` Stanislav Fomichev
2021-01-29 0:52 ` Daniel Borkmann
2021-01-29 1:20 ` [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks patchwork-bot+netdevbpf
4 siblings, 1 reply; 10+ messages in thread
From: Stanislav Fomichev @ 2021-01-27 23:28 UTC (permalink / raw)
To: netdev, bpf; +Cc: ast, daniel, Stanislav Fomichev
Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
a locked socket.
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
net/core/filter.c | 4 ++++
tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
3 files changed, 14 insertions(+)
diff --git a/net/core/filter.c b/net/core/filter.c
index ba436b1d70c2..e15d4741719a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT:
+ case BPF_CGROUP_UDP4_RECVMSG:
+ case BPF_CGROUP_UDP6_RECVMSG:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
case BPF_CGROUP_INET4_GETPEERNAME:
@@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
case BPF_CGROUP_INET6_BIND:
case BPF_CGROUP_INET4_CONNECT:
case BPF_CGROUP_INET6_CONNECT:
+ case BPF_CGROUP_UDP4_RECVMSG:
+ case BPF_CGROUP_UDP6_RECVMSG:
case BPF_CGROUP_UDP4_SENDMSG:
case BPF_CGROUP_UDP6_SENDMSG:
case BPF_CGROUP_INET4_GETPEERNAME:
diff --git a/tools/testing/selftests/bpf/progs/recvmsg4_prog.c b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c
index fc2fe8a952fa..3d1ae8b3402f 100644
--- a/tools/testing/selftests/bpf/progs/recvmsg4_prog.c
+++ b/tools/testing/selftests/bpf/progs/recvmsg4_prog.c
@@ -8,6 +8,8 @@
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
+#include <bpf_sockopt_helpers.h>
+
#define SERV4_IP 0xc0a801feU /* 192.168.1.254 */
#define SERV4_PORT 4040
@@ -28,6 +30,9 @@ int recvmsg4_prog(struct bpf_sock_addr *ctx)
if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM)
return 1;
+ if (!get_set_sk_priority(ctx))
+ return 1;
+
ctx->user_ip4 = bpf_htonl(SERV4_IP);
ctx->user_port = bpf_htons(SERV4_PORT);
diff --git a/tools/testing/selftests/bpf/progs/recvmsg6_prog.c b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c
index 6060fd63324b..27dfb21b21b4 100644
--- a/tools/testing/selftests/bpf/progs/recvmsg6_prog.c
+++ b/tools/testing/selftests/bpf/progs/recvmsg6_prog.c
@@ -8,6 +8,8 @@
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_endian.h>
+#include <bpf_sockopt_helpers.h>
+
#define SERV6_IP_0 0xfaceb00c /* face:b00c:1234:5678::abcd */
#define SERV6_IP_1 0x12345678
#define SERV6_IP_2 0x00000000
@@ -31,6 +33,9 @@ int recvmsg6_prog(struct bpf_sock_addr *ctx)
if (ctx->type != SOCK_STREAM && ctx->type != SOCK_DGRAM)
return 1;
+ if (!get_set_sk_priority(ctx))
+ return 1;
+
ctx->user_ip6[0] = bpf_htonl(SERV6_IP_0);
ctx->user_ip6[1] = bpf_htonl(SERV6_IP_1);
ctx->user_ip6[2] = bpf_htonl(SERV6_IP_2);
--
2.30.0.280.ga3ce27912f-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread
* Re: [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG
2021-01-27 23:28 ` [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG Stanislav Fomichev
@ 2021-01-29 0:52 ` Daniel Borkmann
2021-01-29 0:59 ` Stanislav Fomichev
0 siblings, 1 reply; 10+ messages in thread
From: Daniel Borkmann @ 2021-01-29 0:52 UTC (permalink / raw)
To: Stanislav Fomichev, netdev, bpf; +Cc: ast
On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
> Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
> a locked socket.
>
> Signed-off-by: Stanislav Fomichev <sdf@google.com>
> ---
> net/core/filter.c | 4 ++++
> tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
> tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
> 3 files changed, 14 insertions(+)
>
> diff --git a/net/core/filter.c b/net/core/filter.c
> index ba436b1d70c2..e15d4741719a 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> case BPF_CGROUP_INET6_BIND:
> case BPF_CGROUP_INET4_CONNECT:
> case BPF_CGROUP_INET6_CONNECT:
> + case BPF_CGROUP_UDP4_RECVMSG:
> + case BPF_CGROUP_UDP6_RECVMSG:
> case BPF_CGROUP_UDP4_SENDMSG:
> case BPF_CGROUP_UDP6_SENDMSG:
> case BPF_CGROUP_INET4_GETPEERNAME:
> @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> case BPF_CGROUP_INET6_BIND:
> case BPF_CGROUP_INET4_CONNECT:
> case BPF_CGROUP_INET6_CONNECT:
> + case BPF_CGROUP_UDP4_RECVMSG:
> + case BPF_CGROUP_UDP6_RECVMSG:
> case BPF_CGROUP_UDP4_SENDMSG:
> case BPF_CGROUP_UDP6_SENDMSG:
> case BPF_CGROUP_INET4_GETPEERNAME:
Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
small nit that would be good to get resolved before that. Above you now list all the attach hooks
for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
altogether in this last commit.
Thanks,
Daniel
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG
2021-01-29 0:52 ` Daniel Borkmann
@ 2021-01-29 0:59 ` Stanislav Fomichev
2021-01-29 1:08 ` Daniel Borkmann
0 siblings, 1 reply; 10+ messages in thread
From: Stanislav Fomichev @ 2021-01-29 0:59 UTC (permalink / raw)
To: Daniel Borkmann; +Cc: Netdev, bpf, Alexei Starovoitov
On Thu, Jan 28, 2021 at 4:52 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
> > Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
> > a locked socket.
> >
> > Signed-off-by: Stanislav Fomichev <sdf@google.com>
> > ---
> > net/core/filter.c | 4 ++++
> > tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
> > tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
> > 3 files changed, 14 insertions(+)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index ba436b1d70c2..e15d4741719a 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> > case BPF_CGROUP_INET6_BIND:
> > case BPF_CGROUP_INET4_CONNECT:
> > case BPF_CGROUP_INET6_CONNECT:
> > + case BPF_CGROUP_UDP4_RECVMSG:
> > + case BPF_CGROUP_UDP6_RECVMSG:
> > case BPF_CGROUP_UDP4_SENDMSG:
> > case BPF_CGROUP_UDP6_SENDMSG:
> > case BPF_CGROUP_INET4_GETPEERNAME:
> > @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> > case BPF_CGROUP_INET6_BIND:
> > case BPF_CGROUP_INET4_CONNECT:
> > case BPF_CGROUP_INET6_CONNECT:
> > + case BPF_CGROUP_UDP4_RECVMSG:
> > + case BPF_CGROUP_UDP6_RECVMSG:
> > case BPF_CGROUP_UDP4_SENDMSG:
> > case BPF_CGROUP_UDP6_SENDMSG:
> > case BPF_CGROUP_INET4_GETPEERNAME:
>
> Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
> small nit that would be good to get resolved before that. Above you now list all the attach hooks
> for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
> altogether in this last commit.
Sure, I can resend tomorrow.
But do you think it's safe and there won't ever be another sock_addr
hook that runs with an unlocked socket?
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG
2021-01-29 0:59 ` Stanislav Fomichev
@ 2021-01-29 1:08 ` Daniel Borkmann
2021-01-29 1:14 ` Stanislav Fomichev
0 siblings, 1 reply; 10+ messages in thread
From: Daniel Borkmann @ 2021-01-29 1:08 UTC (permalink / raw)
To: Stanislav Fomichev; +Cc: Netdev, bpf, Alexei Starovoitov
On 1/29/21 1:59 AM, Stanislav Fomichev wrote:
> On Thu, Jan 28, 2021 at 4:52 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>> On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
>>> Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
>>> a locked socket.
>>>
>>> Signed-off-by: Stanislav Fomichev <sdf@google.com>
>>> ---
>>> net/core/filter.c | 4 ++++
>>> tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
>>> tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
>>> 3 files changed, 14 insertions(+)
>>>
>>> diff --git a/net/core/filter.c b/net/core/filter.c
>>> index ba436b1d70c2..e15d4741719a 100644
>>> --- a/net/core/filter.c
>>> +++ b/net/core/filter.c
>>> @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>>> case BPF_CGROUP_INET6_BIND:
>>> case BPF_CGROUP_INET4_CONNECT:
>>> case BPF_CGROUP_INET6_CONNECT:
>>> + case BPF_CGROUP_UDP4_RECVMSG:
>>> + case BPF_CGROUP_UDP6_RECVMSG:
>>> case BPF_CGROUP_UDP4_SENDMSG:
>>> case BPF_CGROUP_UDP6_SENDMSG:
>>> case BPF_CGROUP_INET4_GETPEERNAME:
>>> @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>>> case BPF_CGROUP_INET6_BIND:
>>> case BPF_CGROUP_INET4_CONNECT:
>>> case BPF_CGROUP_INET6_CONNECT:
>>> + case BPF_CGROUP_UDP4_RECVMSG:
>>> + case BPF_CGROUP_UDP6_RECVMSG:
>>> case BPF_CGROUP_UDP4_SENDMSG:
>>> case BPF_CGROUP_UDP6_SENDMSG:
>>> case BPF_CGROUP_INET4_GETPEERNAME:
>>
>> Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
>> small nit that would be good to get resolved before that. Above you now list all the attach hooks
>> for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
>> altogether in this last commit.
> Sure, I can resend tomorrow.
> But do you think it's safe and there won't ever be another sock_addr
> hook that runs with an unlocked socket?
Ok, that rationale seems reasonable to keep the series as is. It probably makes sense to add a
small comment at least to the commit log to explain the reasoning, I can do so while applying.
So no need for v3, thanks!
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG
2021-01-29 1:08 ` Daniel Borkmann
@ 2021-01-29 1:14 ` Stanislav Fomichev
0 siblings, 0 replies; 10+ messages in thread
From: Stanislav Fomichev @ 2021-01-29 1:14 UTC (permalink / raw)
To: Daniel Borkmann; +Cc: Netdev, bpf, Alexei Starovoitov
On Thu, Jan 28, 2021 at 5:08 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 1/29/21 1:59 AM, Stanislav Fomichev wrote:
> > On Thu, Jan 28, 2021 at 4:52 PM Daniel Borkmann <daniel@iogearbox.net> wrote:
> >> On 1/28/21 12:28 AM, Stanislav Fomichev wrote:
> >>> Those hooks run as BPF_CGROUP_RUN_SA_PROG_LOCK and operate on
> >>> a locked socket.
> >>>
> >>> Signed-off-by: Stanislav Fomichev <sdf@google.com>
> >>> ---
> >>> net/core/filter.c | 4 ++++
> >>> tools/testing/selftests/bpf/progs/recvmsg4_prog.c | 5 +++++
> >>> tools/testing/selftests/bpf/progs/recvmsg6_prog.c | 5 +++++
> >>> 3 files changed, 14 insertions(+)
> >>>
> >>> diff --git a/net/core/filter.c b/net/core/filter.c
> >>> index ba436b1d70c2..e15d4741719a 100644
> >>> --- a/net/core/filter.c
> >>> +++ b/net/core/filter.c
> >>> @@ -7023,6 +7023,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> >>> case BPF_CGROUP_INET6_BIND:
> >>> case BPF_CGROUP_INET4_CONNECT:
> >>> case BPF_CGROUP_INET6_CONNECT:
> >>> + case BPF_CGROUP_UDP4_RECVMSG:
> >>> + case BPF_CGROUP_UDP6_RECVMSG:
> >>> case BPF_CGROUP_UDP4_SENDMSG:
> >>> case BPF_CGROUP_UDP6_SENDMSG:
> >>> case BPF_CGROUP_INET4_GETPEERNAME:
> >>> @@ -7039,6 +7041,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> >>> case BPF_CGROUP_INET6_BIND:
> >>> case BPF_CGROUP_INET4_CONNECT:
> >>> case BPF_CGROUP_INET6_CONNECT:
> >>> + case BPF_CGROUP_UDP4_RECVMSG:
> >>> + case BPF_CGROUP_UDP6_RECVMSG:
> >>> case BPF_CGROUP_UDP4_SENDMSG:
> >>> case BPF_CGROUP_UDP6_SENDMSG:
> >>> case BPF_CGROUP_INET4_GETPEERNAME:
> >>
> >> Looks good overall, also thanks for adding the test cases! I was about to apply, but noticed one
> >> small nit that would be good to get resolved before that. Above you now list all the attach hooks
> >> for sock_addr ctx, so we should just remove the whole switch that tests on prog->expected_attach_type
> >> altogether in this last commit.
> > Sure, I can resend tomorrow.
> > But do you think it's safe and there won't ever be another sock_addr
> > hook that runs with an unlocked socket?
>
> Ok, that rationale seems reasonable to keep the series as is. It probably makes sense to add a
> small comment at least to the commit log to explain the reasoning, I can do so while applying.
> So no need for v3, thanks!
Sounds good, thank you!
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks
2021-01-27 23:28 [PATCH bpf-next v2 0/4] bpf: expose bpf_{g,s}etsockopt to more bpf_sock_addr hooks Stanislav Fomichev
` (3 preceding siblings ...)
2021-01-27 23:28 ` [PATCH bpf-next v2 4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG Stanislav Fomichev
@ 2021-01-29 1:20 ` patchwork-bot+netdevbpf
4 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-01-29 1:20 UTC (permalink / raw)
To: Stanislav Fomichev; +Cc: netdev, bpf, ast, daniel
Hello:
This series was applied to bpf/bpf-next.git (refs/heads/master):
On Wed, 27 Jan 2021 15:28:49 -0800 you wrote:
> We'd like to use the SENDMSG ones, Daniel suggested to
> expose to more hooks while are here.
>
> Stanislav Fomichev (4):
> bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG
> bpf: enable bpf_{g,s}etsockopt in
> BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME
> selftests/bpf: rewrite readmsg{4,6} asm progs to c in test_sock_addr
> bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG
>
> [...]
Here is the summary with links:
- [bpf-next,v2,1/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_SENDMSG
https://git.kernel.org/bpf/bpf-next/c/62476cc1bf24
- [bpf-next,v2,2/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_INET{4,6}_GET{PEER,SOCK}NAME
https://git.kernel.org/bpf/bpf-next/c/073f4ec124bb
- [bpf-next,v2,3/4] selftests/bpf: rewrite recvmsg{4,6} asm progs to c in test_sock_addr
https://git.kernel.org/bpf/bpf-next/c/357490601621
- [bpf-next,v2,4/4] bpf: enable bpf_{g,s}etsockopt in BPF_CGROUP_UDP{4,6}_RECVMSG
https://git.kernel.org/bpf/bpf-next/c/4c3384d7abe5
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 10+ messages in thread