[PATCH net-next 0/3] Minor cls_bpf updates

[PATCH net-next 0/3] Minor cls_bpf updates

[Daniel Borkmann]

Some minor updates resp. follow-ups on cls_bpf, please see
individual patches for details. Will follow with the iproute2
patch after this series.

Thanks!

Daniel Borkmann (3):
  cls_bpf: also dump TCA_BPF_FLAGS
  cls_bpf: make binding to classid optional
  cls_bpf: limit allowed exec opcodes subset

 net/sched/cls_bpf.c | 31 ++++++++++++++++---------------
 1 file changed, 16 insertions(+), 15 deletions(-)

-- 
1.9.3

[PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS

[Daniel Borkmann]

In commit 43388da42a49 ("cls_bpf: introduce integrated actions") we
have added TCA_BPF_FLAGS. We can also retrieve this information from
the prog, dump it back to user space as well. It's useful in tc when
displaying/dumping filter info.

Also, remove tp from cls_bpf_prog_from_efd(), came in as a conflict
from a rebase and it's unused here (later work may add it along with
a real user).

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 net/sched/cls_bpf.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 0590816..7d92415 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -265,8 +265,7 @@ static int cls_bpf_prog_from_ops(struct nlattr **tb, struct cls_bpf_prog *prog)
 	return 0;
 }
 
-static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog,
-				 const struct tcf_proto *tp)
+static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog)
 {
 	struct bpf_prog *fp;
 	char *name = NULL;
@@ -339,7 +338,7 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
 	prog->exts_integrated = have_exts;
 
 	ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) :
-		       cls_bpf_prog_from_efd(tb, prog, tp);
+		       cls_bpf_prog_from_efd(tb, prog);
 	if (ret < 0) {
 		tcf_exts_destroy(&exts);
 		return ret;
@@ -468,6 +467,7 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
 {
 	struct cls_bpf_prog *prog = (struct cls_bpf_prog *) fh;
 	struct nlattr *nest;
+	u32 bpf_flags = 0;
 	int ret;
 
 	if (prog == NULL)
@@ -492,6 +492,11 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
 	if (tcf_exts_dump(skb, &prog->exts) < 0)
 		goto nla_put_failure;
 
+	if (prog->exts_integrated)
+		bpf_flags |= TCA_BPF_FLAG_ACT_DIRECT;
+	if (bpf_flags && nla_put_u32(skb, TCA_BPF_FLAGS, bpf_flags))
+		goto nla_put_failure;
+
 	nla_nest_end(skb, nest);
 
 	if (tcf_exts_dump_stats(skb, &prog->exts) < 0)
-- 
1.9.3

[PATCH net-next 2/3] cls_bpf: make binding to classid optional

[Daniel Borkmann]

The binding to a particular classid was so far always mandatory for
cls_bpf, but it doesn't need to be. Therefore, lift this restriction
as similarly done in other classifiers.

Only a couple of qdiscs make use of class from the tcf_result, others
don't strictly care, so let the user choose his needs (those that read
out class can handle situations where it could be NULL).

An explicit check for tcf_unbind_filter() is also not needed here, as
the previous r->class was 0, so the xchg() will return that and
therefore a callback to the qdisc's unbind_tcf() is skipped.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 net/sched/cls_bpf.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 7d92415..d6c0a0b 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -307,14 +307,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
 {
 	bool is_bpf, is_ebpf, have_exts = false;
 	struct tcf_exts exts;
-	u32 classid;
 	int ret;
 
 	is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS];
 	is_ebpf = tb[TCA_BPF_FD];
-
-	if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf) ||
-	    !tb[TCA_BPF_CLASSID])
+	if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf))
 		return -EINVAL;
 
 	tcf_exts_init(&exts, TCA_BPF_ACT, TCA_BPF_POLICE);
@@ -322,7 +319,6 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
 	if (ret < 0)
 		return ret;
 
-	classid = nla_get_u32(tb[TCA_BPF_CLASSID]);
 	if (tb[TCA_BPF_FLAGS]) {
 		u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]);
 
@@ -334,7 +330,6 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
 		have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT;
 	}
 
-	prog->res.classid = classid;
 	prog->exts_integrated = have_exts;
 
 	ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) :
@@ -344,9 +339,12 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
 		return ret;
 	}
 
-	tcf_bind_filter(tp, &prog->res, base);
-	tcf_exts_change(tp, &prog->exts, &exts);
+	if (tb[TCA_BPF_CLASSID]) {
+		prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]);
+		tcf_bind_filter(tp, &prog->res, base);
+	}
 
+	tcf_exts_change(tp, &prog->exts, &exts);
 	return 0;
 }
 
@@ -479,7 +477,8 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
 	if (nest == NULL)
 		goto nla_put_failure;
 
-	if (nla_put_u32(skb, TCA_BPF_CLASSID, prog->res.classid))
+	if (prog->res.classid &&
+	    nla_put_u32(skb, TCA_BPF_CLASSID, prog->res.classid))
 		goto nla_put_failure;
 
 	if (cls_bpf_is_ebpf(prog))
-- 
1.9.3

[PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset

[Daniel Borkmann]

Jamal suggested to further limit the currently allowed subset of opcodes
that may be used by a direct action return code as the intention is not
to replace the full action engine, but rather to have a minimal set that
can be used in the fast-path on things like ingress for some features
that cls_bpf supports.

Classifiers can, of course, still be chained together that have direct
action mode with those that have a full exec pass. For more complex
scenarios that go beyond this minimal set here, the full tcf_exts_exec()
path must be used.

Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
 net/sched/cls_bpf.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index d6c0a0b..7eeffaf6 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code)
 {
 	switch (code) {
 	case TC_ACT_OK:
-	case TC_ACT_RECLASSIFY:
 	case TC_ACT_SHOT:
-	case TC_ACT_PIPE:
 	case TC_ACT_STOLEN:
-	case TC_ACT_QUEUED:
 	case TC_ACT_REDIRECT:
 	case TC_ACT_UNSPEC:
 		return code;
-- 
1.9.3

Re: [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS

[Alexei Starovoitov]

On 9/23/15 12:56 PM, Daniel Borkmann wrote:
> In commit 43388da42a49 ("cls_bpf: introduce integrated actions") we
> have added TCA_BPF_FLAGS. We can also retrieve this information from
> the prog, dump it back to user space as well. It's useful in tc when
> displaying/dumping filter info.
>
> Also, remove tp from cls_bpf_prog_from_efd(), came in as a conflict
> from a rebase and it's unused here (later work may add it along with
> a real user).
>
> Signed-off-by: Daniel Borkmann<daniel@iogearbox.net>

Acked-by: Alexei Starovoitov <ast@plumgrid.com>

Re: [PATCH net-next 2/3] cls_bpf: make binding to classid optional

[Alexei Starovoitov]

On 9/23/15 12:56 PM, Daniel Borkmann wrote:
> The binding to a particular classid was so far always mandatory for
> cls_bpf, but it doesn't need to be. Therefore, lift this restriction
> as similarly done in other classifiers.
>
> Only a couple of qdiscs make use of class from the tcf_result, others
> don't strictly care, so let the user choose his needs (those that read
> out class can handle situations where it could be NULL).
>
> An explicit check for tcf_unbind_filter() is also not needed here, as
> the previous r->class was 0, so the xchg() will return that and
> therefore a callback to the qdisc's unbind_tcf() is skipped.
>
> Signed-off-by: Daniel Borkmann<daniel@iogearbox.net>

Acked-by: Alexei Starovoitov <ast@plumgrid.com>

Re: [PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset

[Alexei Starovoitov]

On 9/23/15 12:56 PM, Daniel Borkmann wrote:
> Jamal suggested to further limit the currently allowed subset of opcodes
> that may be used by a direct action return code as the intention is not
> to replace the full action engine, but rather to have a minimal set that
> can be used in the fast-path on things like ingress for some features
> that cls_bpf supports.
>
> Classifiers can, of course, still be chained together that have direct
> action mode with those that have a full exec pass. For more complex
> scenarios that go beyond this minimal set here, the full tcf_exts_exec()
> path must be used.
>
> Suggested-by: Jamal Hadi Salim<jhs@mojatatu.com>
> Signed-off-by: Daniel Borkmann<daniel@iogearbox.net>

Acked-by: Alexei Starovoitov <ast@plumgrid.com>

Re: [PATCH net-next 0/3] Minor cls_bpf updates

[David Miller]

From: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed, 23 Sep 2015 21:56:45 +0200

> Some minor updates resp. follow-ups on cls_bpf, please see
> individual patches for details. Will follow with the iproute2
> patch after this series.

Series applied, thanks.