From: Lorenz Bauer <lmb@cloudflare.com>
To: ast@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org,
bpf@vger.kernel.org
Cc: kafai@fb.com, theojulienne@github.com, Lorenz Bauer <lmb@cloudflare.com>
Subject: [PATCH v2 3/8] bpf: add skc_lookup_tcp helper
Date: Thu, 14 Mar 2019 11:39:49 +0000 [thread overview]
Message-ID: <20190314113954.10210-4-lmb@cloudflare.com> (raw)
In-Reply-To: <20190314113954.10210-1-lmb@cloudflare.com>
Allow looking up a sock_common. This gives eBPF programs
access to timewait and request sockets.
Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
---
include/uapi/linux/bpf.h | 20 ++++++-
kernel/bpf/verifier.c | 3 +-
net/core/filter.c | 113 +++++++++++++++++++++++++++++++++++----
3 files changed, 124 insertions(+), 12 deletions(-)
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 983b25cb608d..8e4f8276942a 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -2374,6 +2374,23 @@ union bpf_attr {
* Return
* A **struct bpf_sock** pointer on success, or NULL in
* case of failure.
+ *
+ * struct bpf_sock *bpf_skc_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags)
+ * Description
+ * Look for TCP socket matching *tuple*, optionally in a child
+ * network namespace *netns*. The return value must be checked,
+ * and if non-**NULL**, released via **bpf_sk_release**\ ().
+ *
+ * This function is identical to bpf_sk_lookup_tcp, except that it
+ * also returns timewait or request sockets. Use bpf_sk_fullsock
+ * or bpf_tcp_socket to access the full structure.
+ *
+ * This helper is available only if the kernel was compiled with
+ * **CONFIG_NET** configuration option.
+ * Return
+ * Pointer to **struct bpf_sock**, or **NULL** in case of failure.
+ * For sockets with reuseport option, the **struct bpf_sock**
+ * result is from **reuse->socks**\ [] using the hash of the tuple.
*/
#define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \
@@ -2474,7 +2491,8 @@ union bpf_attr {
FN(sk_fullsock), \
FN(tcp_sock), \
FN(skb_ecn_set_ce), \
- FN(get_listener_sock),
+ FN(get_listener_sock), \
+ FN(skc_lookup_tcp),
/* integer value in 'imm' field of BPF_CALL instruction selects which helper
* function eBPF program intends to call
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f60d9df4e00a..94420942af32 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -369,7 +369,8 @@ static bool is_release_function(enum bpf_func_id func_id)
static bool is_acquire_function(enum bpf_func_id func_id)
{
return func_id == BPF_FUNC_sk_lookup_tcp ||
- func_id == BPF_FUNC_sk_lookup_udp;
+ func_id == BPF_FUNC_sk_lookup_udp ||
+ func_id == BPF_FUNC_skc_lookup_tcp;
}
static bool is_ptr_cast_function(enum bpf_func_id func_id)
diff --git a/net/core/filter.c b/net/core/filter.c
index f879791ea53f..f5210773cfd8 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5156,15 +5156,15 @@ static struct sock *sk_lookup(struct net *net, struct bpf_sock_tuple *tuple,
return sk;
}
-/* bpf_sk_lookup performs the core lookup for different types of sockets,
+/* bpf_skc_lookup performs the core lookup for different types of sockets,
* taking a reference on the socket if it doesn't have the flag SOCK_RCU_FREE.
* Returns the socket as an 'unsigned long' to simplify the casting in the
* callers to satisfy BPF_CALL declarations.
*/
static unsigned long
-__bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
- struct net *caller_net, u32 ifindex, u8 proto, u64 netns_id,
- u64 flags)
+__bpf_skc_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
+ struct net *caller_net, u32 ifindex, u8 proto, u64 netns_id,
+ u64 flags)
{
struct sock *sk = NULL;
u8 family = AF_UNSPEC;
@@ -5192,15 +5192,28 @@ __bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
put_net(net);
}
- if (sk)
- sk = sk_to_full_sk(sk);
out:
return (unsigned long) sk;
}
static unsigned long
-bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
- u8 proto, u64 netns_id, u64 flags)
+__bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
+ struct net *caller_net, u32 ifindex, u8 proto, u64 netns_id,
+ u64 flags)
+{
+ struct sock *sk;
+
+ sk = (struct sock *)__bpf_skc_lookup(skb, tuple, len, caller_net,
+ ifindex, proto, netns_id, flags);
+ if (sk)
+ sk = sk_to_full_sk(sk);
+
+ return (unsigned long)sk;
+}
+
+static unsigned long
+bpf_skc_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
+ u8 proto, u64 netns_id, u64 flags)
{
struct net *caller_net;
int ifindex;
@@ -5213,10 +5226,42 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
ifindex = 0;
}
- return __bpf_sk_lookup(skb, tuple, len, caller_net, ifindex,
- proto, netns_id, flags);
+ return __bpf_skc_lookup(skb, tuple, len, caller_net, ifindex,
+ proto, netns_id, flags);
}
+static unsigned long
+bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
+ u8 proto, u64 netns_id, u64 flags)
+{
+ struct sock *sk;
+
+ sk = (struct sock *)bpf_skc_lookup(skb, tuple, len, proto, netns_id,
+ flags);
+ if (sk)
+ sk = sk_to_full_sk(sk);
+
+ return (unsigned long)sk;
+}
+
+BPF_CALL_5(bpf_skc_lookup_tcp, struct sk_buff *, skb,
+ struct bpf_sock_tuple *, tuple, u32, len, u64, netns_id, u64, flags)
+{
+ return bpf_skc_lookup(skb, tuple, len, IPPROTO_TCP, netns_id, flags);
+}
+
+static const struct bpf_func_proto bpf_skc_lookup_tcp_proto = {
+ .func = bpf_skc_lookup_tcp,
+ .gpl_only = false,
+ .pkt_access = true,
+ .ret_type = RET_PTR_TO_SOCK_COMMON_OR_NULL,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_PTR_TO_MEM,
+ .arg3_type = ARG_CONST_SIZE,
+ .arg4_type = ARG_ANYTHING,
+ .arg5_type = ARG_ANYTHING,
+};
+
BPF_CALL_5(bpf_sk_lookup_tcp, struct sk_buff *, skb,
struct bpf_sock_tuple *, tuple, u32, len, u64, netns_id, u64, flags)
{
@@ -5289,6 +5334,28 @@ static const struct bpf_func_proto bpf_xdp_sk_lookup_udp_proto = {
.arg5_type = ARG_ANYTHING,
};
+BPF_CALL_5(bpf_xdp_skc_lookup_tcp, struct xdp_buff *, ctx,
+ struct bpf_sock_tuple *, tuple, u32, len, u32, netns_id, u64, flags)
+{
+ struct net *caller_net = dev_net(ctx->rxq->dev);
+ int ifindex = ctx->rxq->dev->ifindex;
+
+ return __bpf_skc_lookup(NULL, tuple, len, caller_net, ifindex,
+ IPPROTO_TCP, netns_id, flags);
+}
+
+static const struct bpf_func_proto bpf_xdp_skc_lookup_tcp_proto = {
+ .func = bpf_xdp_skc_lookup_tcp,
+ .gpl_only = false,
+ .pkt_access = true,
+ .ret_type = RET_PTR_TO_SOCK_COMMON_OR_NULL,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_PTR_TO_MEM,
+ .arg3_type = ARG_CONST_SIZE,
+ .arg4_type = ARG_ANYTHING,
+ .arg5_type = ARG_ANYTHING,
+};
+
BPF_CALL_5(bpf_xdp_sk_lookup_tcp, struct xdp_buff *, ctx,
struct bpf_sock_tuple *, tuple, u32, len, u32, netns_id, u64, flags)
{
@@ -5311,6 +5378,24 @@ static const struct bpf_func_proto bpf_xdp_sk_lookup_tcp_proto = {
.arg5_type = ARG_ANYTHING,
};
+BPF_CALL_5(bpf_sock_addr_skc_lookup_tcp, struct bpf_sock_addr_kern *, ctx,
+ struct bpf_sock_tuple *, tuple, u32, len, u64, netns_id, u64, flags)
+{
+ return __bpf_skc_lookup(NULL, tuple, len, sock_net(ctx->sk), 0,
+ IPPROTO_TCP, netns_id, flags);
+}
+
+static const struct bpf_func_proto bpf_sock_addr_skc_lookup_tcp_proto = {
+ .func = bpf_sock_addr_skc_lookup_tcp,
+ .gpl_only = false,
+ .ret_type = RET_PTR_TO_SOCK_COMMON_OR_NULL,
+ .arg1_type = ARG_PTR_TO_CTX,
+ .arg2_type = ARG_PTR_TO_MEM,
+ .arg3_type = ARG_CONST_SIZE,
+ .arg4_type = ARG_ANYTHING,
+ .arg5_type = ARG_ANYTHING,
+};
+
BPF_CALL_5(bpf_sock_addr_sk_lookup_tcp, struct bpf_sock_addr_kern *, ctx,
struct bpf_sock_tuple *, tuple, u32, len, u64, netns_id, u64, flags)
{
@@ -5586,6 +5671,8 @@ sock_addr_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_sock_addr_sk_lookup_udp_proto;
case BPF_FUNC_sk_release:
return &bpf_sk_release_proto;
+ case BPF_FUNC_skc_lookup_tcp:
+ return &bpf_sock_addr_skc_lookup_tcp_proto;
#endif /* CONFIG_INET */
default:
return bpf_base_func_proto(func_id);
@@ -5719,6 +5806,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_tcp_sock_proto;
case BPF_FUNC_get_listener_sock:
return &bpf_get_listener_sock_proto;
+ case BPF_FUNC_skc_lookup_tcp:
+ return &bpf_skc_lookup_tcp_proto;
#endif
default:
return bpf_base_func_proto(func_id);
@@ -5754,6 +5843,8 @@ xdp_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_xdp_sk_lookup_tcp_proto;
case BPF_FUNC_sk_release:
return &bpf_sk_release_proto;
+ case BPF_FUNC_skc_lookup_tcp:
+ return &bpf_xdp_skc_lookup_tcp_proto;
#endif
default:
return bpf_base_func_proto(func_id);
@@ -5846,6 +5937,8 @@ sk_skb_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
return &bpf_sk_lookup_udp_proto;
case BPF_FUNC_sk_release:
return &bpf_sk_release_proto;
+ case BPF_FUNC_skc_lookup_tcp:
+ return &bpf_skc_lookup_tcp_proto;
#endif
default:
return bpf_base_func_proto(func_id);
--
2.19.1
next prev parent reply other threads:[~2019-03-14 11:40 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-22 9:50 [PATCH 0/3] Allow checking SYN cookies from XDP and tc cls act Lorenz Bauer
2019-02-22 9:50 ` Lorenz Bauer
2019-02-22 9:50 ` [PATCH 1/3] bpf: add helper to check for a valid SYN cookie Lorenz Bauer
2019-02-23 0:44 ` Martin Lau
2019-02-23 0:44 ` Martin Lau
2019-02-25 18:26 ` Lorenz Bauer
2019-02-26 5:37 ` Martin Lau
2019-02-28 15:11 ` Lorenz Bauer
2019-02-28 15:11 ` Lorenz Bauer
2019-02-28 17:37 ` Martin Lau
2019-02-24 11:21 ` kbuild test robot
2019-02-24 11:21 ` kbuild test robot
2019-02-24 11:37 ` kbuild test robot
2019-02-24 11:37 ` kbuild test robot
2019-02-22 9:50 ` [PATCH 2/3] tools: sync changes to uapi/linux/bpf.h Lorenz Bauer
2019-02-22 9:50 ` [PATCH 3/3] selftests/bpf: add tests for bpf_sk_check_syncookie Lorenz Bauer
2019-03-14 11:39 ` [PATCH v2 0/8] Allow checking SYN cookies from XDP and tc cls act Lorenz Bauer
2019-03-14 11:39 ` [PATCH v2 1/8] bpf: track references based on is_acquire_func Lorenz Bauer
2019-03-14 11:39 ` [PATCH v2 2/8] bpf: allow helpers to return PTR_TO_SOCK_COMMON Lorenz Bauer
2019-03-14 11:39 ` Lorenz Bauer [this message]
2019-03-14 11:39 ` [PATCH v2 4/8] bpf: add helper to check for a valid SYN cookie Lorenz Bauer
2019-03-14 11:39 ` [PATCH v2 5/8] tools: update include/uapi/linux/bpf.h Lorenz Bauer
2019-03-14 11:39 ` [PATCH v2 6/8] selftests/bpf: allow specifying helper for BPF_SK_LOOKUP Lorenz Bauer
2019-03-14 11:39 ` [PATCH v2 7/8] selftests/bpf: test references to sock_common Lorenz Bauer
2019-03-14 11:39 ` [PATCH v2 8/8] selftests/bpf: add tests for bpf_tcp_check_syncookie and bpf_skc_lookup_tcp Lorenz Bauer
2019-03-15 20:42 ` [PATCH v2 0/8] Allow checking SYN cookies from XDP and tc cls act Alexei Starovoitov
2019-03-19 10:20 ` Lorenz Bauer
2019-03-19 10:20 ` [PATCH v2 1/8] bpf: track references based on is_acquire_func Lorenz Bauer
2019-03-19 10:20 ` [PATCH v2 2/8] bpf: allow helpers to return PTR_TO_SOCK_COMMON Lorenz Bauer
2019-03-19 10:20 ` [PATCH v2 3/8] bpf: add skc_lookup_tcp helper Lorenz Bauer
2019-03-19 21:30 ` Alexei Starovoitov
2019-03-19 10:20 ` [PATCH v2 4/8] bpf: add helper to check for a valid SYN cookie Lorenz Bauer
2019-03-19 22:17 ` Alexei Starovoitov
2019-03-21 2:09 ` Lorenz Bauer
2019-03-21 3:03 ` Alexei Starovoitov
2019-03-21 4:53 ` Lorenz Bauer
2019-03-21 5:50 ` Alexei Starovoitov
2019-03-19 10:21 ` [PATCH v2 5/8] tools: update include/uapi/linux/bpf.h Lorenz Bauer
2019-03-19 10:21 ` [PATCH v2 6/8] selftests/bpf: allow specifying helper for BPF_SK_LOOKUP Lorenz Bauer
2019-03-19 10:21 ` [PATCH v2 7/8] selftests/bpf: test references to sock_common Lorenz Bauer
2019-03-19 10:21 ` [PATCH v2 8/8] selftests/bpf: add tests for bpf_tcp_check_syncookie and bpf_skc_lookup_tcp Lorenz Bauer
2019-03-22 1:53 ` [PATCH bpf-next v3 0/8] Allow checking SYN cookies from XDP and tc cls act Lorenz Bauer
2019-03-22 1:53 ` [PATCH bpf-next v3 1/8] bpf: track references based on is_acquire_func Lorenz Bauer
2019-03-22 1:54 ` [PATCH bpf-next v3 2/8] bpf: allow helpers to return PTR_TO_SOCK_COMMON Lorenz Bauer
2019-03-22 1:54 ` [PATCH bpf-next v3 3/8] bpf: add skc_lookup_tcp helper Lorenz Bauer
2019-03-22 1:54 ` [PATCH bpf-next v3 4/8] bpf: add helper to check for a valid SYN cookie Lorenz Bauer
2019-03-22 2:06 ` Alexei Starovoitov
2019-03-22 2:52 ` Lorenz Bauer
2019-03-22 1:54 ` [PATCH bpf-next v3 5/8] tools: update include/uapi/linux/bpf.h Lorenz Bauer
2019-03-22 1:54 ` [PATCH bpf-next v3 6/8] selftests/bpf: allow specifying helper for BPF_SK_LOOKUP Lorenz Bauer
2019-03-22 1:54 ` [PATCH bpf-next v3 7/8] selftests/bpf: test references to sock_common Lorenz Bauer
2019-03-22 1:54 ` [PATCH bpf-next v3 8/8] selftests/bpf: add tests for bpf_tcp_check_syncookie and bpf_skc_lookup_tcp Lorenz Bauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190314113954.10210-4-lmb@cloudflare.com \
--to=lmb@cloudflare.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=theojulienne@github.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.