Re: [PATCH bpf-next V8 5/8] bpf: drop MTU check when doing TC-BPF redirect to ingress

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org,
	Daniel Borkmann <borkmann@iogearbox.net>,
	Alexei Starovoitov <alexei.starovoitov@gmail.com>,
	maze@google.com, lmb@cloudflare.com, shaun@tigera.io,
	Lorenzo Bianconi <lorenzo@kernel.org>,
	marek@cloudflare.com, John Fastabend <john.fastabend@gmail.com>,
	Jakub Kicinski <kuba@kernel.org>,
	eyal.birger@gmail.com, colrack@gmail.com, brouer@redhat.com
Subject: Re: [PATCH bpf-next V8 5/8] bpf: drop MTU check when doing TC-BPF redirect to ingress
Date: Thu, 17 Dec 2020 15:46:55 +0100	[thread overview]
Message-ID: <20201217154655.42e89d08@carbon> (raw)
In-Reply-To: <af28e4e7-8089-b252-3927-a962b98ad7b8@iogearbox.net>

On Thu, 3 Dec 2020 00:43:36 +0100
Daniel Borkmann <daniel@iogearbox.net> wrote:

> On 11/27/20 7:06 PM, Jesper Dangaard Brouer wrote:
> > The use-case for dropping the MTU check when TC-BPF does redirect to
> > ingress, is described by Eyal Birger in email[0]. The summary is the
> > ability to increase packet size (e.g. with IPv6 headers for NAT64) and
> > ingress redirect packet and let normal netstack fragment packet as needed.
> > 
> > [0] https://lore.kernel.org/netdev/CAHsH6Gug-hsLGHQ6N0wtixdOa85LDZ3HNRHVd0opR=19Qo4W4Q@mail.gmail.com/
> > 
> > V4:
> >   - Keep net_device "up" (IFF_UP) check.
> >   - Adjustment to handle bpf_redirect_peer() helper
> > 
> > Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
> > ---
> >   include/linux/netdevice.h |   31 +++++++++++++++++++++++++++++--
> >   net/core/dev.c            |   19 ++-----------------
> >   net/core/filter.c         |   14 +++++++++++---
> >   3 files changed, 42 insertions(+), 22 deletions(-)
> > 
> > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> > index 7ce648a564f7..4a854e09e918 100644
> > --- a/include/linux/netdevice.h
> > +++ b/include/linux/netdevice.h
> > @@ -3917,11 +3917,38 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb);
> >   bool is_skb_forwardable(const struct net_device *dev,
> >   			const struct sk_buff *skb);
> >   
> > +static __always_inline bool __is_skb_forwardable(const struct net_device *dev,
> > +						 const struct sk_buff *skb,
> > +						 const bool check_mtu)
> > +{
> > +	const u32 vlan_hdr_len = 4; /* VLAN_HLEN */
> > +	unsigned int len;
> > +
> > +	if (!(dev->flags & IFF_UP))
> > +		return false;
> > +
> > +	if (!check_mtu)
> > +		return true;
> > +
> > +	len = dev->mtu + dev->hard_header_len + vlan_hdr_len;
> > +	if (skb->len <= len)
> > +		return true;
> > +
> > +	/* if TSO is enabled, we don't care about the length as the packet
> > +	 * could be forwarded without being segmented before
> > +	 */
> > +	if (skb_is_gso(skb))
> > +		return true;
> > +
> > +	return false;
> > +}
> > +
> >   static __always_inline int ____dev_forward_skb(struct net_device *dev,
> > -					       struct sk_buff *skb)
> > +					       struct sk_buff *skb,
> > +					       const bool check_mtu)
> >   {
> >   	if (skb_orphan_frags(skb, GFP_ATOMIC) ||
> > -	    unlikely(!is_skb_forwardable(dev, skb))) {
> > +	    unlikely(!__is_skb_forwardable(dev, skb, check_mtu))) {
> >   		atomic_long_inc(&dev->rx_dropped);
> >   		kfree_skb(skb);
> >   		return NET_RX_DROP;
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 60d325bda0d7..6ceb6412ee97 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -2189,28 +2189,13 @@ static inline void net_timestamp_set(struct sk_buff *skb)
> >   
> >   bool is_skb_forwardable(const struct net_device *dev, const struct sk_buff *skb)
> >   {
> > -	unsigned int len;
> > -
> > -	if (!(dev->flags & IFF_UP))
> > -		return false;
> > -
> > -	len = dev->mtu + dev->hard_header_len + VLAN_HLEN;
> > -	if (skb->len <= len)
> > -		return true;
> > -
> > -	/* if TSO is enabled, we don't care about the length as the packet
> > -	 * could be forwarded without being segmented before
> > -	 */
> > -	if (skb_is_gso(skb))
> > -		return true;
> > -
> > -	return false;
> > +	return __is_skb_forwardable(dev, skb, true);
> >   }
> >   EXPORT_SYMBOL_GPL(is_skb_forwardable);  
> 
> Only user of is_skb_forwardable() that is left after this patch is bridge, maybe
> the whole thing should be moved into the header?

Well, yes, maybe... I just felt it belongs in another patchset.


> >   int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
> >   {
> > -	int ret = ____dev_forward_skb(dev, skb);
> > +	int ret = ____dev_forward_skb(dev, skb, true);
> >   
> >   	if (likely(!ret)) {
> >   		skb->protocol = eth_type_trans(skb, dev);
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index d6125cfc49c3..4673afe59533 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -2083,13 +2083,21 @@ static const struct bpf_func_proto bpf_csum_level_proto = {
> >   
> >   static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb)
> >   {
> > -	return dev_forward_skb(dev, skb);
> > +	int ret = ____dev_forward_skb(dev, skb, false);
> > +
> > +	if (likely(!ret)) {
> > +		skb->protocol = eth_type_trans(skb, dev);
> > +		skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
> > +		ret = netif_rx(skb);  
> 
> Why netif_rx() and not netif_rx_internal() as in dev_forward_skb() originally?
> One extra call otherwise.

This is because the function below calls netif_rx(), which is just
outside patch-diff-window.  Thus, it looked wrong/strange to call
netif_rx_internal(), but sure I can use netif_rx_internal() instead.

> 
> > +	}
> > +
> > +	return ret;
> >   }
> >   
> >   static inline int __bpf_rx_skb_no_mac(struct net_device *dev,
> >   				      struct sk_buff *skb)
> >   {
> > -	int ret = ____dev_forward_skb(dev, skb);
> > +	int ret = ____dev_forward_skb(dev, skb, false);
> >   
> >   	if (likely(!ret)) {
> >   		skb->dev = dev;
> > @@ -2480,7 +2488,7 @@ int skb_do_redirect(struct sk_buff *skb)
> >   			goto out_drop;
> >   		dev = ops->ndo_get_peer_dev(dev);
> >   		if (unlikely(!dev ||
> > -			     !is_skb_forwardable(dev, skb) ||
> > +			     !__is_skb_forwardable(dev, skb, false) ||  
> 
> If we only use __is_skb_forwardable() with false directly here, maybe then
> lets just have the !(dev->flags & IFF_UP) test here instead..

Sure, let do that.

> >   			     net_eq(net, dev_net(dev))))
> >   			goto out_drop;
> >   		skb->dev = dev;
> > 


-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  LinkedIn: http://www.linkedin.com/in/brouer

next prev parent reply	other threads:[~2020-12-17 14:48 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-27 18:06 [PATCH bpf-next V8 0/8] bpf: New approach for BPF MTU handling Jesper Dangaard Brouer
2020-11-27 18:06 ` [PATCH bpf-next V8 1/8] bpf: Remove MTU check in __bpf_skb_max_len Jesper Dangaard Brouer
2020-11-27 18:06 ` [PATCH bpf-next V8 2/8] bpf: fix bpf_fib_lookup helper MTU check for SKB ctx Jesper Dangaard Brouer
2020-11-27 18:06 ` [PATCH bpf-next V8 3/8] bpf: bpf_fib_lookup return MTU value as output when looked up Jesper Dangaard Brouer
2020-12-02 22:23   ` Daniel Borkmann
2020-11-27 18:06 ` [PATCH bpf-next V8 4/8] bpf: add BPF-helper for MTU checking Jesper Dangaard Brouer
2020-12-02 23:23   ` Daniel Borkmann
2020-12-14 13:51     ` Jesper Dangaard Brouer
2020-11-27 18:06 ` [PATCH bpf-next V8 5/8] bpf: drop MTU check when doing TC-BPF redirect to ingress Jesper Dangaard Brouer
2020-12-02 23:43   ` Daniel Borkmann
2020-12-17 14:46     ` Jesper Dangaard Brouer [this message]
2020-12-17 16:10       ` Jesper Dangaard Brouer
2020-11-27 18:06 ` [PATCH bpf-next V8 6/8] bpf: make it possible to identify BPF redirected SKBs Jesper Dangaard Brouer
2020-12-03  0:06   ` Daniel Borkmann
2020-11-27 18:06 ` [PATCH bpf-next V8 7/8] selftests/bpf: use bpf_check_mtu in selftest test_cls_redirect Jesper Dangaard Brouer
2020-11-27 18:06 ` [PATCH bpf-next V8 8/8] bpf/selftests: tests using bpf_check_mtu BPF-helper Jesper Dangaard Brouer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201217154655.42e89d08@carbon \
    --to=brouer@redhat.com \
    --cc=alexei.starovoitov@gmail.com \
    --cc=borkmann@iogearbox.net \
    --cc=bpf@vger.kernel.org \
    --cc=colrack@gmail.com \
    --cc=daniel@iogearbox.net \
    --cc=eyal.birger@gmail.com \
    --cc=john.fastabend@gmail.com \
    --cc=kuba@kernel.org \
    --cc=lmb@cloudflare.com \
    --cc=lorenzo@kernel.org \
    --cc=marek@cloudflare.com \
    --cc=maze@google.com \
    --cc=netdev@vger.kernel.org \
    --cc=shaun@tigera.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.