From: Florian Westphal <fw@strlen.de>
To: Daniel Xu <dxu@dxuuu.xyz>
Cc: Alexei Starovoitov <alexei.starovoitov@gmail.com>,
bpf <bpf@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de,
daniel@iogearbox.net
Subject: Re: [PATCH bpf-next v2 0/8] Support defragmenting IPv(4|6) packets in BPF
Date: Tue, 7 Mar 2023 21:11:56 +0100
Message-ID: <20230307201156.GF13059@breakpoint.cc>
In-Reply-To: <20230307194801.mopwvidrkrybm7h5@kashmir.localdomain>

Daniel Xu <dxu@dxuuu.xyz> wrote:
> From my reading (I'll run some tests later) it looks like netfilter
> will defrag all ipv4/ipv6 packets in any netns with conntrack enabled.
> It appears to do so in NF_INET_PRE_ROUTING.

Yes, and output.

> One thing we would need though are (probably kfunc) wrappers around
> nf_defrag_ipv4_enable() and nf_defrag_ipv6_enable() to ensure BPF progs
> are not transitively depending on defrag support from other netfilter
> modules.
>
> The exact mechanism would probably need some thinking, as the above
> functions kinda rely on module_init() and module_exit() semantics. We
> cannot make the prog bump the refcnt every time it runs -- it would
> overflow. And it would be nice to automatically free the refcnt when
> prog is unloaded.

Probably add a flag attribute that is evaluated at BPF_LINK time, so
progs can say they need defrag enabled. Same could be used to request
conntrack enablement.

Will need some glue on netfilter side to handle DEFRAG=m, but we already
have plenty of those.