netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Andrii Nakryiko <andriin@fb.com>,
	bpf@vger.kernel.org, netdev@vger.kernel.org, ast@fb.com,
	daniel@iogearbox.net
Cc: andrii.nakryiko@gmail.com, kernel-team@fb.com,
	Andrii Nakryiko <andriin@fb.com>, David Ahern <dsahern@gmail.com>,
	Jakub Kicinski <kicinski@fb.com>, Andrey Ignatov <rdna@fb.com>,
	Takshak Chahande <ctakshak@fb.com>
Subject: Re: [PATCH bpf-next 2/7] bpf, xdp: add bpf_link-based XDP attachment API
Date: Tue, 14 Jul 2020 15:57:18 +0200	[thread overview]
Message-ID: <877dv6gpxd.fsf@toke.dk> (raw)
In-Reply-To: <20200710224924.4087399-3-andriin@fb.com>

Andrii Nakryiko <andriin@fb.com> writes:

> Add bpf_link-based API (bpf_xdp_link) to attach BPF XDP program through
> BPF_LINK_CREATE command.

I'm still not convinced this is a good idea. As far as I can tell, at
this point adding this gets you three things:

1. The ability to 'lock' an attachment in place.

2. Automatic detach on fd close

3. API unification with other uses of BPF_LINK_CREATE.


Of those, 1. is certainly useful, but can be trivially achieved with the
existing netlink API (add a flag on attach that prevents removal unless
the original prog_fd is supplied as EXPECTED_FD).

2. is IMO the wrong model for XDP, as I believe I argued the last time
we discussed this :)
In particular, in a situation with multiple XDP programs attached
through a dispatcher, the 'owner' application of each program don't
'own' the interface attachment anyway, so if using bpf_link for that it
would have to be pinned somewhere anyway. So the 'automatic detach'
feature is only useful in the "xdpd" deployment scenario, whereas in the
common usage model of command-line attachment ('ip link set xdp...') it
is something that needs to be worked around.

3. would be kinda nice, I guess, if we were designing the API from
scratch. But we already have an existing API, so IMO the cost of
duplication outweighs any benefits of API unification.

So why is XDP worth it? I assume you weigh this differently, but please
explain how. Ideally, this should have been in the commit message
already...

> bpf_xdp_link is mutually exclusive with direct BPF program attachment,
> previous BPF program should be detached prior to attempting to create a new
> bpf_xdp_link attachment (for a given XDP mode). Once link is attached, it
> can't be replaced by other BPF program attachment or link attachment. It will
> be detached only when the last BPF link FD is closed.

I was under the impression that forcible attachment of bpf_links was
already possible, but looking at the code now it doesn't appear to be?
Wasn't that the whole point of BPF_LINK_GET_FD_BY_ID? I.e., that a
sysadmin with CAP_SYS_ADMIN privs could grab the offending bpf_link FD
and force-remove it? I certainly think this should be added before we
expand bpf_link usage any more...

-Toke


  parent reply	other threads:[~2020-07-14 13:57 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20200710224924.4087399-1-andriin@fb.com>
     [not found] ` <20200710224924.4087399-3-andriin@fb.com>
2020-07-13 14:19   ` [PATCH bpf-next 2/7] bpf, xdp: add bpf_link-based XDP attachment API David Ahern
2020-07-13 22:33     ` Andrii Nakryiko
2020-07-14 13:57   ` Toke Høiland-Jørgensen [this message]
2020-07-14 18:59     ` Andrii Nakryiko
2020-07-14 20:12       ` Toke Høiland-Jørgensen
2020-07-14 20:37         ` Andrii Nakryiko
2020-07-14 21:41           ` Toke Høiland-Jørgensen
2020-07-14 22:26             ` Andrii Nakryiko
2020-07-15 15:48               ` Toke Høiland-Jørgensen
2020-07-15 20:54                 ` Andrii Nakryiko
2020-07-16 10:52                   ` Toke Høiland-Jørgensen
2020-07-22  6:45                     ` Andrii Nakryiko
     [not found] ` <20200710224924.4087399-5-andriin@fb.com>
2020-07-13 14:32   ` [PATCH bpf-next 4/7] bpf: implement BPF XDP link-specific introspection APIs David Ahern
2020-07-13 22:41     ` Andrii Nakryiko
2020-07-13  5:12 [PATCH bpf-next 0/7] BPF XDP link Andrii Nakryiko
2020-07-13  5:12 ` [PATCH bpf-next 2/7] bpf, xdp: add bpf_link-based XDP attachment API Andrii Nakryiko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=877dv6gpxd.fsf@toke.dk \
    --to=toke@redhat.com \
    --cc=andrii.nakryiko@gmail.com \
    --cc=andriin@fb.com \
    --cc=ast@fb.com \
    --cc=bpf@vger.kernel.org \
    --cc=ctakshak@fb.com \
    --cc=daniel@iogearbox.net \
    --cc=dsahern@gmail.com \
    --cc=kernel-team@fb.com \
    --cc=kicinski@fb.com \
    --cc=netdev@vger.kernel.org \
    --cc=rdna@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).