From: Daniel Borkmann <daniel@iogearbox.net>
To: Daniel Mack <daniel@zonque.org>, htejun@fb.com, ast@fb.com
Cc: davem@davemloft.net, kafai@fb.com, fw@strlen.de,
pablo@netfilter.org, harald@redhat.com, netdev@vger.kernel.org,
sargun@sargun.me
Subject: Re: [PATCH v3 1/6] bpf: add new prog type for cgroup socket filtering
Date: Tue, 30 Aug 2016 00:14:46 +0200 [thread overview]
Message-ID: <57C4B3D6.9090000@iogearbox.net> (raw)
In-Reply-To: <1472241532-11682-2-git-send-email-daniel@zonque.org>
On 08/26/2016 09:58 PM, Daniel Mack wrote:
> For now, this program type is equivalent to BPF_PROG_TYPE_SOCKET_FILTER in
> terms of checks during the verification process. It may access the skb as
> well.
>
> Programs of this type will be attached to cgroups for network filtering
> and accounting.
>
> Signed-off-by: Daniel Mack <daniel@zonque.org>
> ---
> include/uapi/linux/bpf.h | 7 +++++++
> kernel/bpf/verifier.c | 1 +
> net/core/filter.c | 6 ++++++
> 3 files changed, 14 insertions(+)
>
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index e4c5a1b..1d5db42 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -95,6 +95,13 @@ enum bpf_prog_type {
> BPF_PROG_TYPE_SCHED_ACT,
> BPF_PROG_TYPE_TRACEPOINT,
> BPF_PROG_TYPE_XDP,
> + BPF_PROG_TYPE_CGROUP_SOCKET_FILTER,
> +};
Nit: can we drop the _FILTER suffix? So just leaving it
at BPF_PROG_TYPE_CGROUP_SOCKET. Some of these use cases
might not always strictly be related to filtering, so
seems cleaner to just leave it out everywhere.
> +
> +enum bpf_attach_type {
> + BPF_ATTACH_TYPE_CGROUP_INET_INGRESS,
> + BPF_ATTACH_TYPE_CGROUP_INET_EGRESS,
> + __MAX_BPF_ATTACH_TYPE
> };
#define BPF_MAX_ATTACH_TYPE __BPF_MAX_ATTACH_TYPE
And then use that in your follow-up patches for declaring
arrays, etc?
>
> #define BPF_PSEUDO_MAP_FD 1
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index abb61f3..12ca880 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1805,6 +1805,7 @@ static bool may_access_skb(enum bpf_prog_type type)
> case BPF_PROG_TYPE_SOCKET_FILTER:
> case BPF_PROG_TYPE_SCHED_CLS:
> case BPF_PROG_TYPE_SCHED_ACT:
> + case BPF_PROG_TYPE_CGROUP_SOCKET_FILTER:
> return true;
> default:
> return false;
> diff --git a/net/core/filter.c b/net/core/filter.c
> index a83766b..bc04e5c 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -2848,12 +2848,18 @@ static struct bpf_prog_type_list xdp_type __read_mostly = {
> .type = BPF_PROG_TYPE_XDP,
> };
>
> +static struct bpf_prog_type_list cg_sk_filter_type __read_mostly = {
> + .ops = &sk_filter_ops,
> + .type = BPF_PROG_TYPE_CGROUP_SOCKET_FILTER,
> +};
> +
> static int __init register_sk_filter_ops(void)
> {
> bpf_register_prog_type(&sk_filter_type);
> bpf_register_prog_type(&sched_cls_type);
> bpf_register_prog_type(&sched_act_type);
> bpf_register_prog_type(&xdp_type);
> + bpf_register_prog_type(&cg_sk_filter_type);
>
> return 0;
> }
>
next prev parent reply other threads:[~2016-08-29 22:15 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-08-26 19:58 [PATCH v3 0/6] Add eBPF hooks for cgroups Daniel Mack
2016-08-26 19:58 ` [PATCH v3 1/6] bpf: add new prog type for cgroup socket filtering Daniel Mack
2016-08-29 22:14 ` Daniel Borkmann [this message]
2016-09-05 12:48 ` Daniel Mack
2016-08-26 19:58 ` [PATCH v3 2/6] cgroup: add support for eBPF programs Daniel Mack
2016-08-27 0:03 ` Alexei Starovoitov
2016-09-05 12:47 ` Daniel Mack
2016-08-29 22:42 ` Daniel Borkmann
2016-09-05 12:50 ` Daniel Mack
2016-08-29 23:04 ` Sargun Dhillon
2016-09-05 14:49 ` Daniel Mack
2016-09-05 21:40 ` Sargun Dhillon
2016-09-05 22:39 ` Alexei Starovoitov
2016-08-26 19:58 ` [PATCH v3 3/6] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands Daniel Mack
2016-08-27 0:08 ` Alexei Starovoitov
2016-09-05 12:56 ` Daniel Mack
2016-09-05 15:30 ` David Laight
2016-09-05 15:40 ` Daniel Mack
2016-09-05 17:29 ` Joe Perches
2016-08-29 23:00 ` Daniel Borkmann
2016-09-05 12:54 ` Daniel Mack
2016-09-05 13:56 ` Daniel Borkmann
2016-09-05 14:09 ` Daniel Mack
2016-09-05 17:09 ` Daniel Borkmann
2016-09-05 18:32 ` Alexei Starovoitov
2016-09-05 18:43 ` Daniel Mack
2016-08-26 19:58 ` [PATCH v3 4/6] net: filter: run cgroup eBPF ingress programs Daniel Mack
2016-08-29 23:15 ` Daniel Borkmann
2016-08-26 19:58 ` [PATCH v3 5/6] net: core: run cgroup eBPF egress programs Daniel Mack
2016-08-29 22:03 ` Daniel Borkmann
2016-08-29 22:23 ` Sargun Dhillon
2016-09-05 14:22 ` Daniel Mack
2016-09-06 17:14 ` Daniel Borkmann
2016-08-26 19:58 ` [PATCH v3 6/6] samples: bpf: add userspace example for attaching eBPF programs to cgroups Daniel Mack
2016-08-27 13:00 ` [PATCH v3 0/6] Add eBPF hooks for cgroups Rami Rosen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57C4B3D6.9090000@iogearbox.net \
--to=daniel@iogearbox.net \
--cc=ast@fb.com \
--cc=daniel@zonque.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=harald@redhat.com \
--cc=htejun@fb.com \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sargun@sargun.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.