From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>,
Marek Majkowski <marek@cloudflare.com>,
Lorenz Bauer <lmb@cloudflare.com>,
Alan Maguire <alan.maguire@oracle.com>,
Jesper Dangaard Brouer <brouer@redhat.com>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 1/5] bpf: Support injecting chain calls into BPF programs on load
Date: Tue, 08 Oct 2019 11:02:50 +0200 [thread overview]
Message-ID: <87blurlidh.fsf@toke.dk> (raw)
In-Reply-To: <20191007204534.o3prqf463yk4sepn@ast-mbp.dhcp.thefacebook.com>
Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
> On Mon, Oct 07, 2019 at 12:11:31PM +0200, Toke Høiland-Jørgensen wrote:
>> Alexei Starovoitov <alexei.starovoitov@gmail.com> writes:
>>
>> > On Fri, Oct 04, 2019 at 07:22:41PM +0200, Toke Høiland-Jørgensen wrote:
>> >> From: Toke Høiland-Jørgensen <toke@redhat.com>
>> >>
>> >> This adds support for injecting chain call logic into eBPF programs before
>> >> they return. The code injection is controlled by a flag at program load
>> >> time; if the flag is set, the verifier will add code to every BPF_EXIT
>> >> instruction that first does a lookup into a chain call structure to see if
>> >> it should call into another program before returning. The actual calls
>> >> reuse the tail call infrastructure.
>> >>
>> >> Ideally, it shouldn't be necessary to set the flag on program load time,
>> >> but rather inject the calls when a chain call program is first loaded.
>> >> However, rewriting the program reallocates the bpf_prog struct, which is
>> >> obviously not possible after the program has been attached to something.
>> >>
>> >> One way around this could be a sysctl to force the flag one (for enforcing
>> >> system-wide support). Another could be to have the chain call support
>> >> itself built into the interpreter and JIT, which could conceivably be
>> >> re-run each time we attach a new chain call program. This would also allow
>> >> the JIT to inject direct calls to the next program instead of using the
>> >> tail call infrastructure, which presumably would be a performance win. The
>> >> drawback is, of course, that it would require modifying all the JITs.
>> >>
>> >> Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
>> > ...
>> >>
>> >> +static int bpf_inject_chain_calls(struct bpf_verifier_env *env)
>> >> +{
>> >> + struct bpf_prog *prog = env->prog;
>> >> + struct bpf_insn *insn = prog->insnsi;
>> >> + int i, cnt, delta = 0, ret = -ENOMEM;
>> >> + const int insn_cnt = prog->len;
>> >> + struct bpf_array *prog_array;
>> >> + struct bpf_prog *new_prog;
>> >> + size_t array_size;
>> >> +
>> >> + struct bpf_insn call_next[] = {
>> >> + BPF_LD_IMM64(BPF_REG_2, 0),
>> >> + /* Save real return value for later */
>> >> + BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
>> >> + /* First try tail call with index ret+1 */
>> >> + BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
>> >> + BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 1),
>> >> + BPF_RAW_INSN(BPF_JMP | BPF_TAIL_CALL, 0, 0, 0, 0),
>> >> + /* If that doesn't work, try with index 0 (wildcard) */
>> >> + BPF_MOV64_IMM(BPF_REG_3, 0),
>> >> + BPF_RAW_INSN(BPF_JMP | BPF_TAIL_CALL, 0, 0, 0, 0),
>> >> + /* Restore saved return value and exit */
>> >> + BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
>> >> + BPF_EXIT_INSN()
>> >> + };
>> >
>> > How did you test it?
>> > With the only test from patch 5?
>> > +int xdp_drop_prog(struct xdp_md *ctx)
>> > +{
>> > + return XDP_DROP;
>> > +}
>> >
>> > Please try different program with more than one instruction.
>> > And then look at above asm and think how it can be changed to
>> > get valid R1 all the way to each bpf_exit insn.
>> > Do you see amount of headaches this approach has?
>>
>> Ah yes, that's a good point. It seems that I totally overlooked that
>> issue, somehow...
>>
>> > The way you explained the use case of XDP-based firewall plus XDP-based
>> > IPS/IDS it's about "knows nothing" admin that has to deal with more than
>> > one XDP application on an unfamiliar server.
>> > This is the case of debugging.
>>
>> This is not about debugging. The primary use case is about deploying
>> multiple, independently developed, XDP-enabled applications on the same
>> server.
>>
>> Basically, we want the admin to be able to do:
>>
>> # yum install MyIDS
>> # yum install MyXDPFirewall
>>
>> and then have both of those *just work* in XDP mode, on the same
>> interface.
>>
>> I originally started solving this in an XDP-specific way (v1 of this
>> patch set), but the reactions to that was pretty unanimous that this
>> could be useful as a general eBPF feature. Do you agree with this?
>
> Chaining in general is useful, but
> yum install ids
> yum install firewall
> is not.
>
> Say, xdp doesn't exist. Such ids and firewall will be using iptables.
> And they will collide and conflict all over it.
Yeah, and conventions have evolved to handle these conflicts (for
iptables: create your own chain and put all your rules there; for
connmark, masking off different bits so each application can have its
own mark, etc). As I explained in my reply to Daniel, this is the
minimum kernel infrastructure required to enable userspace applications
to play nice with each other...
-Toke
next prev parent reply other threads:[~2019-10-08 9:02 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-04 17:22 [PATCH bpf-next v2 0/5] xdp: Support multiple programs on a single interface through chain calls Toke Høiland-Jørgensen
2019-10-04 17:22 ` [PATCH bpf-next v2 1/5] bpf: Support injecting chain calls into BPF programs on load Toke Høiland-Jørgensen
2019-10-04 20:51 ` kbuild test robot
2019-10-04 21:12 ` kbuild test robot
2019-10-04 23:17 ` Jakub Kicinski
2019-10-05 10:29 ` Toke Høiland-Jørgensen
2019-10-06 3:39 ` Jakub Kicinski
2019-10-06 15:52 ` Toke Høiland-Jørgensen
2019-10-05 10:32 ` Toke Høiland-Jørgensen
2019-10-07 0:27 ` Alexei Starovoitov
2019-10-07 10:11 ` Toke Høiland-Jørgensen
2019-10-07 20:22 ` Daniel Borkmann
2019-10-08 9:00 ` Toke Høiland-Jørgensen
2019-10-07 20:45 ` Alexei Starovoitov
2019-10-08 9:02 ` Toke Høiland-Jørgensen [this message]
2019-10-04 17:22 ` [PATCH bpf-next v2 2/5] bpf: Add support for setting chain call sequence for programs Toke Høiland-Jørgensen
2019-10-04 23:18 ` Jakub Kicinski
2019-10-05 10:30 ` Toke Høiland-Jørgensen
2019-10-04 17:22 ` [PATCH bpf-next v2 3/5] tools: Update bpf.h header for program chain calls Toke Høiland-Jørgensen
2019-10-04 17:22 ` [PATCH bpf-next v2 4/5] libbpf: Add syscall wrappers for BPF_PROG_CHAIN_* commands Toke Høiland-Jørgensen
2019-10-04 17:22 ` [PATCH bpf-next v2 5/5] selftests: Add tests for XDP chain calls Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87blurlidh.fsf@toke.dk \
--to=toke@redhat.com \
--cc=alan.maguire@oracle.com \
--cc=alexei.starovoitov@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brouer@redhat.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=kafai@fb.com \
--cc=lmb@cloudflare.com \
--cc=marek@cloudflare.com \
--cc=netdev@vger.kernel.org \
--cc=songliubraving@fb.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).