linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Michael S. Tsirkin" <mst@redhat.com>
To: Jason Wang <jasowang@redhat.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
	Network Development <netdev@vger.kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Tom Herbert <tom@herbertland.com>,
	Aaron Conole <aconole@redhat.com>
Subject: Re: [PATCH net-next V2 3/3] tun: add eBPF based queue selection method
Date: Wed, 8 Nov 2017 07:43:52 +0200	[thread overview]
Message-ID: <20171108073717-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <1e5256e3-72cf-fa6b-b00e-2661e29291b1@redhat.com>

On Wed, Nov 08, 2017 at 02:28:53PM +0900, Jason Wang wrote:
> 
> 
> On 2017年11月04日 08:56, Willem de Bruijn wrote:
> > On Fri, Nov 3, 2017 at 5:56 PM, Willem de Bruijn
> > <willemdebruijn.kernel@gmail.com> wrote:
> > > On Tue, Oct 31, 2017 at 7:32 PM, Jason Wang <jasowang@redhat.com> wrote:
> > > > This patch introduces an eBPF based queue selection method based on
> > > > the flow steering policy ops. Userspace could load an eBPF program
> > > > through TUNSETSTEERINGEBPF. This gives much more flexibility compare
> > > > to simple but hard coded policy in kernel.
> > > > 
> > > > Signed-off-by: Jason Wang <jasowang@redhat.com>
> > > > ---
> > > > +static int tun_set_steering_ebpf(struct tun_struct *tun, void __user *data)
> > > > +{
> > > > +       struct bpf_prog *prog;
> > > > +       u32 fd;
> > > > +
> > > > +       if (copy_from_user(&fd, data, sizeof(fd)))
> > > > +               return -EFAULT;
> > > > +
> > > > +       prog = bpf_prog_get_type(fd, BPF_PROG_TYPE_SOCKET_FILTER);
> > > If the idea is to allow guests to pass BPF programs down to the host,
> > > you may want to define a new program type that is more restrictive than
> > > socket filter.
> > > 
> > > The external functions allowed for socket filters (sk_filter_func_proto)
> > > are relatively few (compared to, say, clsact), but may still leak host
> > > information to a guest. More importantly, guest security considerations
> > > limits how we can extend socket filters later.
> > Unless the idea is for the hypervisor to prepared the BPF based on a
> > limited set of well defined modes that the guest can configure. Then
> > socket filters are fine, as the BPF is prepared by a regular host process.
> 
> Yes, I think the idea is to let qemu to build a BPF program now.
> 
> Passing eBPF program from guest to host is interesting, but an obvious issue
> is how to deal with the accessing of map.
> 
> Thanks

Fundamentally, I suspect the way to solve it is to allow
the program to specify "should be offloaded to host".

And then it would access the host map rather than the guest map.

Then add some control path API for guest to poke at the host map.

It's not that there's anything special about the host map -
it's just separate from the guest - so if we wanted to
do something that can work on bare-metal we could -
just do something like a namespace and put all host
maps there. But I'm not sure it's worth the complexity.

Cc Aaron who wanted to look at this.

-- 
MST

  reply	other threads:[~2017-11-08  5:43 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-31 10:32 [PATCH net-next V2 0/3] support changing steering policies in tuntap Jason Wang
2017-10-31 10:32 ` [PATCH net-next V2 1/3] tun: abstract flow steering logic Jason Wang
2017-11-02  1:11   ` Willem de Bruijn
2017-11-02  3:43     ` Jason Wang
2017-11-02  3:45       ` Michael S. Tsirkin
2017-11-02  3:51         ` Jason Wang
2017-11-03  8:49           ` Willem de Bruijn
2017-10-31 10:32 ` [PATCH net-next V2 2/3] tun: introduce ioctls to set and get steering policies Jason Wang
2017-11-02  1:15   ` Willem de Bruijn
2017-10-31 10:32 ` [PATCH net-next V2 3/3] tun: add eBPF based queue selection method Jason Wang
2017-10-31 16:45   ` Michael S. Tsirkin
2017-11-01 13:02     ` Jason Wang
2017-11-01 13:59       ` Michael S. Tsirkin
2017-11-01 19:12         ` Alexei Starovoitov
2017-11-02  3:24           ` Jason Wang
2017-11-02  3:45         ` Jason Wang
2017-11-03  8:56   ` Willem de Bruijn
2017-11-03 23:56     ` Willem de Bruijn
2017-11-08  5:28       ` Jason Wang
2017-11-08  5:43         ` Michael S. Tsirkin [this message]
2017-11-08 11:13           ` Jason Wang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171108073717-mutt-send-email-mst@kernel.org \
    --to=mst@redhat.com \
    --cc=aconole@redhat.com \
    --cc=jasowang@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=tom@herbertland.com \
    --cc=willemdebruijn.kernel@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).