From: Stanislav Fomichev <sdf@google.com>
To: netdev@vger.kernel.org, bpf@vger.kernel.org
Cc: davem@davemloft.net, ast@kernel.org, daniel@iogearbox.net,
simon.horman@netronome.com, willemb@google.com,
peterpenkov96@gmail.com, Stanislav Fomichev <sdf@google.com>
Subject: [RFC bpf-next v2 5/9] flow_dissector: allow access only to a subset of __sk_buff fields
Date: Tue, 19 Mar 2019 15:19:44 -0700 [thread overview]
Message-ID: <20190319221948.170441-6-sdf@google.com> (raw)
In-Reply-To: <20190319221948.170441-1-sdf@google.com>
Use whitelist instead of a blacklist and allow only a small set of
fields that might be relevant in the context of flow dissector:
* len
* protocol
* vlan_present
* vlan_tci
* vlan_proto
* cb
This is required for the eth_get_headlen case where we construct
temporary skb which might not have full/consistent state to let flow
dissector programs access all the fields (which are irrelevant in for
flow dissector program type).
Signed-off-by: Stanislav Fomichev <sdf@google.com>
---
net/core/filter.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 647c63a7b25b..5f413567ce8a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6632,11 +6632,14 @@ static bool flow_dissector_is_valid_access(int off, int size,
case bpf_ctx_range_ptr(struct __sk_buff, flow_keys):
info->reg_type = PTR_TO_FLOW_KEYS;
break;
- case bpf_ctx_range(struct __sk_buff, tc_classid):
- case bpf_ctx_range(struct __sk_buff, data_meta):
- case bpf_ctx_range_till(struct __sk_buff, family, local_port):
- case bpf_ctx_range(struct __sk_buff, tstamp):
- case bpf_ctx_range(struct __sk_buff, wire_len):
+ case bpf_ctx_range(struct __sk_buff, len):
+ case bpf_ctx_range(struct __sk_buff, protocol):
+ case bpf_ctx_range(struct __sk_buff, vlan_present):
+ case bpf_ctx_range(struct __sk_buff, vlan_tci):
+ case bpf_ctx_range(struct __sk_buff, vlan_proto):
+ case bpf_ctx_range_till(struct __sk_buff, cb[0], cb[4]):
+ break;
+ default:
return false;
}
--
2.21.0.225.g810b269d1ac-goog
next prev parent reply other threads:[~2019-03-19 22:20 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-19 22:19 [RFC bpf-next v2 0/9] net: flow_dissector: trigger BPF hook when called from eth_get_headlen Stanislav Fomichev
2019-03-19 22:19 ` [RFC bpf-next v2 1/9] net: introduce __init_skb{,_data,_shinfo} helpers Stanislav Fomichev
2019-03-21 3:39 ` Alexei Starovoitov
2019-03-21 4:44 ` Eric Dumazet
2019-03-21 13:58 ` Willem de Bruijn
2019-03-21 15:44 ` Stanislav Fomichev
2019-03-21 16:00 ` Alexei Starovoitov
2019-03-21 16:13 ` Willem de Bruijn
2019-03-21 20:56 ` Alexei Starovoitov
2019-03-21 21:13 ` Stanislav Fomichev
2019-03-19 22:19 ` [RFC bpf-next v2 2/9] net: introduce skb_net helper Stanislav Fomichev
2019-03-20 2:14 ` Willem de Bruijn
2019-03-20 16:49 ` Stanislav Fomichev
2019-03-19 22:19 ` [RFC bpf-next v2 3/9] net: plumb network namespace into __skb_flow_dissect Stanislav Fomichev
2019-03-19 22:19 ` [RFC bpf-next v2 4/9] net: flow_dissector: prepare for no-skb use case Stanislav Fomichev
2019-03-19 22:19 ` Stanislav Fomichev [this message]
2019-03-19 22:19 ` [RFC bpf-next v2 6/9] net: flow_dissector: handle " Stanislav Fomichev
2019-03-19 22:19 ` [RFC bpf-next v2 7/9] bpf: when doing BPF_PROG_TEST_RUN for flow dissector use no-skb mode Stanislav Fomichev
2019-03-20 2:14 ` Willem de Bruijn
2019-03-20 16:57 ` Stanislav Fomichev
2019-03-20 18:29 ` Willem de Bruijn
2019-03-20 19:02 ` Stanislav Fomichev
2019-03-20 19:08 ` Willem de Bruijn
2019-03-20 19:19 ` Stanislav Fomichev
2019-03-20 19:23 ` Willem de Bruijn
2019-03-20 19:48 ` Stanislav Fomichev
2019-03-20 20:03 ` Willem de Bruijn
2019-03-19 22:19 ` [RFC bpf-next v2 8/9] selftests/bpf: add flow dissector bpf_skb_load_bytes helper test Stanislav Fomichev
2019-03-19 22:19 ` [RFC bpf-next v2 9/9] net: flow_dissector: pass net argument to the eth_get_headlen Stanislav Fomichev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190319221948.170441-6-sdf@google.com \
--to=sdf@google.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=peterpenkov96@gmail.com \
--cc=simon.horman@netronome.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.