From: Joe Stringer <joe@wand.net.nz>
To: Lorenz Bauer <lmb@cloudflare.com>
Cc: Joe Stringer <joe@wand.net.nz>, bpf <bpf@vger.kernel.org>,
Networking <netdev@vger.kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Eric Dumazet <eric.dumazet@gmail.com>, Martin Lau <kafai@fb.com>
Subject: Re: [PATCHv2 bpf-next 1/5] bpf: Add socket assign support
Date: Thu, 26 Mar 2020 15:52:22 -0700 [thread overview]
Message-ID: <CAOftzPi04QYiN6hjdzt+S128hc_1ZOYPCvPG7zc5DK=uqPOQCw@mail.gmail.com> (raw)
In-Reply-To: <CACAyw989SkYaE6Qt_Lm+wjTCvpFH470ObGCkb4+hmEoijG3T8Q@mail.gmail.com>
On Thu, Mar 26, 2020 at 3:25 AM Lorenz Bauer <lmb@cloudflare.com> wrote:
>
> On Wed, 25 Mar 2020 at 05:57, Joe Stringer <joe@wand.net.nz> wrote:
> >
> > Add support for TPROXY via a new bpf helper, bpf_sk_assign().
> >
> > This helper requires the BPF program to discover the socket via a call
> > to bpf_sk*_lookup_*(), then pass this socket to the new helper. The
> > helper takes its own reference to the socket in addition to any existing
> > reference that may or may not currently be obtained for the duration of
> > BPF processing. For the destination socket to receive the traffic, the
> > traffic must be routed towards that socket via local route. The
> > simplest example route is below, but in practice you may want to route
> > traffic more narrowly (eg by CIDR):
> >
> > $ ip route add local default dev lo
> >
> > This patch avoids trying to introduce an extra bit into the skb->sk, as
> > that would require more invasive changes to all code interacting with
> > the socket to ensure that the bit is handled correctly, such as all
> > error-handling cases along the path from the helper in BPF through to
> > the orphan path in the input. Instead, we opt to use the destructor
> > variable to switch on the prefetch of the socket.
> >
> > Signed-off-by: Joe Stringer <joe@wand.net.nz>
> > ---
> > v2: Use skb->destructor to determine socket prefetch usage instead of
> > introducing a new metadata_dst
> > Restrict socket assign to same netns as TC device
> > Restrict assigning reuseport sockets
> > Adjust commit wording
> > v1: Initial version
> > ---
> > include/net/sock.h | 7 +++++++
> > include/uapi/linux/bpf.h | 25 ++++++++++++++++++++++++-
> > net/core/filter.c | 31 +++++++++++++++++++++++++++++++
> > net/core/sock.c | 9 +++++++++
> > net/ipv4/ip_input.c | 3 ++-
> > net/ipv6/ip6_input.c | 3 ++-
> > net/sched/act_bpf.c | 2 ++
> > tools/include/uapi/linux/bpf.h | 25 ++++++++++++++++++++++++-
> > 8 files changed, 101 insertions(+), 4 deletions(-)
> >
> > diff --git a/include/net/sock.h b/include/net/sock.h
> > index b5cca7bae69b..2613d21a667a 100644
> > --- a/include/net/sock.h
> > +++ b/include/net/sock.h
> > @@ -1657,6 +1657,7 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size,
> > void skb_orphan_partial(struct sk_buff *skb);
> > void sock_rfree(struct sk_buff *skb);
> > void sock_efree(struct sk_buff *skb);
> > +void sock_pfree(struct sk_buff *skb);
> > #ifdef CONFIG_INET
> > void sock_edemux(struct sk_buff *skb);
> > #else
> > @@ -2526,6 +2527,12 @@ void sock_net_set(struct sock *sk, struct net *net)
> > write_pnet(&sk->sk_net, net);
> > }
> >
> > +static inline bool
> > +skb_sk_is_prefetched(struct sk_buff *skb)
> > +{
> > + return skb->destructor == sock_pfree;
> > +}
> > +
> > static inline struct sock *skb_steal_sock(struct sk_buff *skb)
> > {
> > if (skb->sk) {
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index 5d01c5c7e598..0c6f151deebe 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -2950,6 +2950,28 @@ union bpf_attr {
> > * restricted to raw_tracepoint bpf programs.
> > * Return
> > * 0 on success, or a negative error in case of failure.
> > + *
> > + * int bpf_sk_assign(struct sk_buff *skb, struct bpf_sock *sk, u64 flags)
> > + * Description
> > + * Assign the *sk* to the *skb*. When combined with appropriate
> > + * routing configuration to receive the packet towards the socket,
> > + * will cause *skb* to be delivered to the specified socket.
> > + * Subsequent redirection of *skb* via **bpf_redirect**\ (),
> > + * **bpf_clone_redirect**\ () or other methods outside of BPF may
> > + * interfere with successful delivery to the socket.
> > + *
> > + * This operation is only valid from TC ingress path.
> > + *
> > + * The *flags* argument must be zero.
> > + * Return
> > + * 0 on success, or a negative errno in case of failure.
> > + *
> > + * * **-EINVAL** Unsupported flags specified.
> > + * * **-ENETUNREACH** Socket is unreachable (wrong netns).
> > + * * **-ENOENT** Socket is unavailable for assignment.
> > + * * **-EOPNOTSUPP** Unsupported operation, for example a
> > + * call from outside of TC ingress.
> > + * * **-ESOCKTNOSUPPORT** Socket type not supported (reuseport).
> > */
> > #define __BPF_FUNC_MAPPER(FN) \
> > FN(unspec), \
> > @@ -3073,7 +3095,8 @@ union bpf_attr {
> > FN(jiffies64), \
> > FN(read_branch_records), \
> > FN(get_ns_current_pid_tgid), \
> > - FN(xdp_output),
> > + FN(xdp_output), \
> > + FN(sk_assign),
> >
> > /* integer value in 'imm' field of BPF_CALL instruction selects which helper
> > * function eBPF program intends to call
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 96350a743539..f7f9b6631f75 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -5860,6 +5860,35 @@ static const struct bpf_func_proto bpf_tcp_gen_syncookie_proto = {
> > .arg5_type = ARG_CONST_SIZE,
> > };
> >
> > +BPF_CALL_3(bpf_sk_assign, struct sk_buff *, skb, struct sock *, sk, u64, flags)
> > +{
> > + if (flags != 0)
> > + return -EINVAL;
> > + if (!skb_at_tc_ingress(skb))
> > + return -EOPNOTSUPP;
> > + if (unlikely(sk->sk_reuseport))
> > + return -ESOCKTNOSUPPORT;
> > + if (unlikely(dev_net(skb->dev) != sock_net(sk)))
> > + return -ENETUNREACH;
> > + if (unlikely(!refcount_inc_not_zero(&sk->sk_refcnt)))
> > + return -ENOENT;
> > +
> > + skb_orphan(skb);
> > + skb->sk = sk;
> > + skb->destructor = sock_pfree;
> > +
> > + return 0;
> > +}
>
> Follow up to my email re UDP tests: it seems like the helper doesn't check
> that the sk is TCP, hence I assumed that you want to add support for
> both in the same series.
>
> Also, is it possible to check that the sk protocol matches skb protocol?
Correction, I was able to get UDP working without the other series (at
least in Cilium, still working through the tests) so the extra check
should be unnecessary.
I'll look into options for avoiding crossing packets/sockets of the wrong types.
next prev parent reply other threads:[~2020-03-26 22:52 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-25 5:57 [PATCHv2 bpf-next 0/5] Add bpf_sk_assign eBPF helper Joe Stringer
2020-03-25 5:57 ` [PATCHv2 bpf-next 1/5] bpf: Add socket assign support Joe Stringer
2020-03-26 6:23 ` Martin KaFai Lau
2020-03-26 6:31 ` Joe Stringer
2020-03-26 10:24 ` Lorenz Bauer
2020-03-26 22:52 ` Joe Stringer [this message]
2020-03-27 2:40 ` Joe Stringer
2020-03-25 5:57 ` [PATCHv2 bpf-next 2/5] bpf: Prefetch established socket destinations Joe Stringer
2020-03-26 21:11 ` Alexei Starovoitov
2020-03-26 21:45 ` Joe Stringer
2020-03-25 5:57 ` [PATCHv2 bpf-next 3/5] net: Track socket refcounts in skb_steal_sock() Joe Stringer
2020-03-25 5:57 ` [PATCHv2 bpf-next 4/5] bpf: Don't refcount LISTEN sockets in sk_assign() Joe Stringer
2020-03-25 10:29 ` Lorenz Bauer
2020-03-25 20:46 ` Joe Stringer
2020-03-26 10:20 ` Lorenz Bauer
2020-03-26 21:37 ` Joe Stringer
2020-03-25 5:57 ` [PATCHv2 bpf-next 5/5] selftests: bpf: add test for sk_assign Joe Stringer
2020-03-25 10:35 ` Lorenz Bauer
2020-03-25 20:55 ` Joe Stringer
2020-03-26 6:25 ` Martin KaFai Lau
2020-03-26 6:38 ` Joe Stringer
2020-03-26 23:39 ` Joe Stringer
2020-03-25 18:17 ` Yonghong Song
2020-03-25 21:20 ` Joe Stringer
2020-03-25 22:00 ` Yonghong Song
2020-03-25 23:07 ` Joe Stringer
2020-03-26 10:13 ` Lorenz Bauer
2020-03-26 21:07 ` call for bpf progs. " Alexei Starovoitov
2020-03-26 23:14 ` Yonghong Song
2020-03-27 10:02 ` Lorenz Bauer
2020-03-27 16:08 ` Alexei Starovoitov
2020-03-27 19:06 ` Joe Stringer
2020-03-27 20:16 ` Daniel Borkmann
2020-03-27 22:24 ` Alexei Starovoitov
2020-03-28 0:17 ` Andrii Nakryiko
2020-03-26 2:04 ` Andrii Nakryiko
2020-03-26 2:16 ` Andrii Nakryiko
2020-03-26 5:28 ` Joe Stringer
2020-03-26 6:31 ` Martin KaFai Lau
2020-03-26 19:36 ` Andrii Nakryiko
2020-03-26 21:38 ` Joe Stringer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAOftzPi04QYiN6hjdzt+S128hc_1ZOYPCvPG7zc5DK=uqPOQCw@mail.gmail.com' \
--to=joe@wand.net.nz \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eric.dumazet@gmail.com \
--cc=kafai@fb.com \
--cc=lmb@cloudflare.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).