From: Florian Westphal <fw@strlen.de>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: "Florian Westphal" <fw@strlen.de>,
"Toke Høiland-Jørgensen" <toke@kernel.org>,
bpf@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: [RFC] bpf: add bpf_link support for BPF_NETFILTER programs
Date: Tue, 31 Jan 2023 15:18:15 +0100 [thread overview]
Message-ID: <20230131141815.GA6999@breakpoint.cc> (raw)
In-Reply-To: <20230130214442.robf7ljttx5krjth@macbook-pro-6.dhcp.thefacebook.com>
Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
> Yes. bpf_link is the right model.
> I'd also allow more than one BPF_NETFILTER prog at the hook.
> When Daniel respins his tc bpf_link set there will be a way to do that
> for tc and hopefully soon for xdp.
> For netfilter hook we can use the same approach.
For nf it should already support several programs, the
builtin limit in the nf core is currently 1024 hooks per
family/hook location.
> > I could add a new nfnetlink subtype for nf-bpf if bpf_link is not
> > appropriate as an alternative.
>
> Let's start with bpf_link and figure out netlink path when appropriate.
Good, that works for me.
> I'd steer clear from new abi-s.
> Don't look at uapi __sk_buff model. It's not a great example to follow.
> Just pass kernel nf_hook_state into bpf prog and let program deal
> with changes to it via CORE.
The current prototype for nf hooks is
fun(void *private, struct sk_buff *skb, struct nf_hook_state *s)
Originally I had intended to place sk_buff in nf_hook_state, but its
quite some code churn for everyone else.
So I'm leaning towards something like
struct nf_bpf_ctx {
struct nf_hook_state *state;
struct sk_buff *skb;
};
that gets passed as argument.
> The prog will get a defition of 'struct nf_hook_state' from vmlinux.h
> or via private 'struct nf_hook_state___flavor' with few fields defined
> that prog wants to use. CORE will deal with offset adjustments.
> That's a lot less kernel code. No need for asm style ctx rewrites.
> Just see how much kernel code we already burned on *convert_ctx_access().
> We cannot remove this tech debt due to uapi.
> When you pass struct nf_hook_state directly none of it is needed.
Ok, thanks for pointing that out. I did not realize
convert_ctx_access() conversions were frowned upon.
I will pass a known/exposed struct then.
I thought __sk_buff was required for direct packet access, I will look
at this again.
next prev parent reply other threads:[~2023-01-31 14:18 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-30 15:04 [RFC] bpf: add bpf_link support for BPF_NETFILTER programs Florian Westphal
2023-01-30 17:38 ` Toke Høiland-Jørgensen
2023-01-30 18:01 ` Florian Westphal
2023-01-30 21:10 ` Toke Høiland-Jørgensen
2023-01-30 21:44 ` Alexei Starovoitov
2023-01-31 14:18 ` Florian Westphal [this message]
2023-01-31 16:19 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230131141815.GA6999@breakpoint.cc \
--to=fw@strlen.de \
--cc=alexei.starovoitov@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=toke@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.