From: Alexei Starovoitov <alexei.starovoitov-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Martin KaFai Lau <kafai-b10kYP2dOMg@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Alexei Starovoitov <ast-b10kYP2dOMg@public.gmane.org>,
Daniel Borkmann <daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
kernel-team-b10kYP2dOMg@public.gmane.org
Subject: Re: [PATCH -next 4/4] cgroup: bpf: Add an example to do cgroup checking in BPF
Date: Tue, 21 Jun 2016 18:19:06 -0700
Message-ID: <20160622011904.GC97149@ast-mbp.thefacebook.com>
In-Reply-To: <1466555002-1316296-5-git-send-email-kafai-b10kYP2dOMg@public.gmane.org>
On Tue, Jun 21, 2016 at 05:23:22PM -0700, Martin KaFai Lau wrote:
> test_cgrp2_array_pin.c:
> A userland program that creates a bpf_map (BPF_MAP_TYPE_GROUP_ARRAY),
> populates/updates it with a cgroup2's backed fd and pins it to a
> bpf-fs's file. The pinned file can be loaded by tc and then used
> by the bpf prog later. This program can also update an existing pinned
> array and it could be useful for debugging/testing purpose.
>
> test_cgrp2_tc_kern.c:
> A bpf prog which should be loaded by tc. It is to demonstrate
> the usage of bpf_skb_in_cgroup.
>
> test_cgrp2_tc.sh:
> A script that glues the test_cgrp2_array_pin.c and
> test_cgrp2_tc_kern.c together. The idea is like:
> 1. Use test_cgrp2_array_pin.c to populate a BPF_MAP_TYPE_CGROUP_ARRAY
> with a cgroup fd
> 2. Load the test_cgrp2_tc_kern.o by tc
> 3. Do a 'ping -6 ff02::1%ve' to ensure the packet has been
> dropped because of a match on the cgroup
>
> Most of the lines in test_cgrp2_tc.sh are the boilerplate
> to setup the cgroup/bpf-fs/net-devices/netns...etc. It is
> not bulletproof on errors but should work well enough and
> give enough debug info if things did not go well.
>
> Signed-off-by: Martin KaFai Lau <kafai-b10kYP2dOMg@public.gmane.org>
> Cc: Alexei Starovoitov <ast-b10kYP2dOMg@public.gmane.org>
> Cc: Daniel Borkmann <daniel-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
> Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
> ---
> samples/bpf/Makefile | 3 +
> samples/bpf/bpf_helpers.h | 2 +
> samples/bpf/test_cgrp2_array_pin.c | 109 +++++++++++++++++++++
> samples/bpf/test_cgrp2_tc.sh | 189 +++++++++++++++++++++++++++++++++++++
> samples/bpf/test_cgrp2_tc_kern.c | 71 ++++++++++++++
> 5 files changed, 374 insertions(+)
...
> +struct bpf_elf_map SEC("maps") test_cgrp2_array_pin = {
> + .type = BPF_MAP_TYPE_CGROUP_ARRAY,
> + .size_key = sizeof(uint32_t),
> + .size_value = sizeof(uint32_t),
> + .pinning = PIN_GLOBAL_NS,
> + .max_elem = 1,
> +};
> +
> +SEC("filter")
> +int handle_egress(struct __sk_buff *skb)
> +{
> + void *data = (void *)(long)skb->data;
> + struct eth_hdr *eth = data;
> + struct ipv6hdr *ip6h = data + sizeof(*eth);
> + void *data_end = (void *)(long)skb->data_end;
> + char dont_care_msg[] = "dont care %04x %d\n";
> + char pass_msg[] = "pass\n";
> + char reject_msg[] = "reject\n";
> +
> + /* single length check */
> + if (data + sizeof(*eth) + sizeof(*ip6h) > data_end)
> + return TC_ACT_OK;
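
Review bot: The "single length check" in handle_egress fails open without saying so: any frame shorter than sizeof(*eth) + sizeof(*ip6h) returns TC_ACT_OK before a cgroup verdict is reached, and that path traces nothing even though dont_care_msg, pass_msg and reject_msg are declared just above it. Because ip6h is derived from data + sizeof(*eth) before any EtherType test is visible, short non-IPv6 frames take the same early return. Please add a comment stating that pass-through is intended here, so that anyone reusing the sample as a drop policy makes that choice explicitly. Separately, the commit message names the map type BPF_MAP_TYPE_GROUP_ARRAY in its first paragraph while this definition uses BPF_MAP_TYPE_CGROUP_ARRAY; the message should match the code.
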
love the test case.
It's using tc + clsact + cls_bpf in da mode + bpffs + direct packet access
and new cgroup helper.
All the most recent features I can think of :)
Acked-by: Alexei Starovoitov <ast-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>