On Wed, 2 Oct 2019, Toke Høiland-Jørgensen wrote:

> This series adds support for executing multiple XDP programs on a single
> interface in sequence, through the use of chain calls, as discussed at the Linux
> Plumbers Conference last month:
>
> https://linuxplumbersconf.org/event/4/contributions/460/
>
> # HIGH-LEVEL IDEA
>
> The basic idea is to express the chain call sequence through a special map type,
> which contains a mapping from a (program, return code) tuple to another program
> to run next in the sequence. Userspace can populate this map to express
> arbitrary call sequences, and update the sequence by updating or replacing the
> map.
>
> The actual execution of the program sequence is done in bpf_prog_run_xdp(),
> which will look up the chain sequence map, and if found, will loop through calls
> to BPF_PROG_RUN, looking up the next XDP program in the sequence based on the
> previous program ID and return code.
>
> An XDP chain call map can be installed on an interface by means of a new netlink
> attribute containing an fd pointing to a chain call map. This can be supplied
> along with the XDP prog fd, so that a chain map is always installed together
> with an XDP program.
>

This is great stuff Toke!

One thing that wasn't immediately clear to me - and this may be just me - is
the relationship between program behaviour for the XDP_DROP case and chain
call execution. My initial thought was that a program in the chain
XDP_DROP'ping the packet would terminate the call chain, but on looking at
patch #4 it seems that the only way the call chain execution is terminated
is if

- XDP_ABORTED is returned from a program in the call chain; or
- the map entry for the next program (determined by the return value of the
  current program) is empty; or
- we run out of entries in the map

The return value of the last-executed program in the chain seems to be what
determines packet processing behaviour after executing the chain (_DROP, _TX,
_PASS, etc).

So there's no way to both XDP_PASS and XDP_TX a packet from the same chain,
right? Just want to make sure I've got the semantics correct.

Thanks!

Alan
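Added example, not part of the original message or the patch series: a userspace C model of the chain-call semantics as read in the reply above, showing that a filter's XDP_DROP is replaced by a later program's verdict when the map has an entry for (filter, XDP_DROP). The toy map layout, the sample programs and the step bound standing in for "run out of entries" are assumptions made for illustration; only the verdict values come from the kernel's enum xdp_action.

```c
#include <stdio.h>
/* Verdict values match the kernel's enum xdp_action. */
enum xdp_action { XDP_ABORTED, XDP_DROP, XDP_PASS, XDP_TX, XDP_REDIRECT, XDP_NACT };

#define MAX_PROGS 3                      /* constructed toy map size */
typedef enum xdp_action (*xdp_prog)(int pkt);

/* Toy chain map: next[prog][verdict] is the next program index, -1 if empty. */
struct chain_map { int next[MAX_PROGS][XDP_NACT]; };

/* Constructed sample programs; "pkt" stands in for a packet's dest port. */
static enum xdp_action filter(int pkt)  { return pkt == 23 ? XDP_DROP : XDP_PASS; }
static enum xdp_action monitor(int pkt) { (void)pkt; return XDP_PASS; }
static enum xdp_action reflect(int pkt) { (void)pkt; return XDP_TX; }
static const xdp_prog progs[MAX_PROGS] = { filter, monitor, reflect };

/* Run the chain from program `first`; *ran counts executed programs. */
static enum xdp_action run_chain(const struct chain_map *m, int first, int pkt, int *ran)
{
    enum xdp_action ret = XDP_ABORTED;
    int cur = first;
    *ran = 0;
    for (int step = 0; step < MAX_PROGS && cur >= 0; step++) { /* assumed bound */
        ret = progs[cur](pkt);
        (*ran)++;
        if (ret == XDP_ABORTED) break;   /* chain ends on XDP_ABORTED */
        cur = m->next[cur][ret];         /* -1 means empty entry: chain ends */
    }
    return ret;                          /* last program's verdict decides */
}

/* Build a map where every entry is empty except the given one. */
static struct chain_map one_link(int prog, enum xdp_action on, int next)
{
    struct chain_map m;
    for (int p = 0; p < MAX_PROGS; p++)
        for (int a = 0; a < XDP_NACT; a++)
            m.next[p][a] = -1;
    m.next[prog][on] = next;
    return m;
}

int main(void)
{
    int ran;
    struct chain_map m = one_link(0, XDP_DROP, 1);   /* (filter, DROP) -> monitor */
    enum xdp_action v = run_chain(&m, 0, 23, &ran);
    printf("verdict=%d after %d programs\n", v, ran);
}
```

Under this model, leaving the (filter, XDP_DROP) entry empty is what keeps a drop decision final, so a reviewer of a chain map would check which return codes of a filtering program have a successor.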