From: Daniel Borkmann <daniel@iogearbox.net>
To: David Ahern <dsa@cumulusnetworks.com>,
netdev@vger.kernel.org, davem@davemloft.net
Cc: ast@kernel.org, tj@kernel.org, luto@amacapital.net,
ebiederm@xmission.com
Subject: Re: [PATCH net v5] bpf: add helper to compare network namespaces
Date: Fri, 17 Feb 2017 15:15:11 +0100 [thread overview]
Message-ID: <58A7056F.7040206@iogearbox.net> (raw)
In-Reply-To: <16fcf613-fc8d-e2a1-5f49-40ddbade65b5@cumulusnetworks.com>
On 02/17/2017 05:01 AM, David Ahern wrote:
> On 2/16/17 3:08 AM, Daniel Borkmann wrote:
>> Is there anything that speaks against doing the comparison itself
>> outside of the helper? Meaning, the helper would get a buffer
>> passed from stack f.e. struct foo { u64 ns_dev; u64 ns_ino; }
>> and fills both out with the netns info belonging to the sk/skb.
>
> How do you handle CONFIG_NET_NS not set?
>
> You call something like bpf_get_netns_id(sk, &foo), it has to exist
> regardless of the config. What should it return if netns is disabled?
In rough semi pseudo code, it could look like the below. In case we have
!CONFIG_NET_NS then that would be hidden behind the netns_get_kstat() (or
whatever function name it has) as a static inline that just returns an
error such as -ENOTSUPP.
If the entity installing the program is aware that CONFIG_NET_NS is set
and that the input is exactly of size struct bpf_netns, then it can also
skip the error test in the BPF program itself. Anyway, just a thought
so that the helper could be more flexible and used as a key for lookups
on maps, too ...
BPF_CALL_3(bpf_sk_netns_get, struct sock *, sk, struct bpf_netns *, ns,
	   u32, size)
{
	struct ns_kstat tmp;
	int ret;

	if (unlikely(size != sizeof(struct bpf_netns)))
		return -EINVAL;

	ret = netns_get_kstat(sock_net(sk), &tmp);
	if (unlikely(ret))
		return ret;

	ns->dev = tmp.dev;
	ns->ino = tmp.ino;

	return 0;
}

static const struct bpf_func_proto bpf_sk_netns_get_proto = {
	.func		= bpf_sk_netns_get,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_CTX,
	.arg2_type	= ARG_PTR_TO_UNINIT_MEM,
	.arg3_type	= ARG_CONST_SIZE,
};
Thanks,
Daniel
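An added user-space model of the helper sketched in the mail above (not kernel code and not part of the patch series): the netns identity comes back as a {dev, ino} pair, a wrong buffer size is rejected with -EINVAL, and the !CONFIG_NET_NS case surfaces as -ENOTSUPP so the BPF program's own error test can see it. struct sock, netns_get_kstat() and the run-time config_net_ns switch are stand-ins for the kernel pieces.

```c
#include <errno.h>
#include <stdint.h>
#ifndef ENOTSUPP
#define ENOTSUPP 524   /* kernel-internal errno from include/linux/errno.h */
#endif

typedef uint32_t u32;
typedef uint64_t u64;
struct bpf_netns { u64 dev; u64 ino; };    /* buffer the BPF program passes in */
struct ns_kstat  { u64 dev; u64 ino; };    /* what the kernel side fills in */
struct sock      { struct ns_kstat net; }; /* stand-in: a socket carries its netns id */

/* In the kernel this is a compile-time #ifdef CONFIG_NET_NS with a static
 * inline stub; modelled as a run-time switch here so both paths can be run. */
int config_net_ns = 1;

static int netns_get_kstat(const struct sock *sk, struct ns_kstat *st)
{
	if (!config_net_ns)
		return -ENOTSUPP;   /* no namespaces: the caller must treat this as unknown */
	*st = sk->net;
	return 0;
}

/* The proposed helper: reject a wrong buffer size, then copy both identifiers. */
int bpf_sk_netns_get(const struct sock *sk, struct bpf_netns *ns, u32 size)
{
	struct ns_kstat tmp;
	int ret;

	if (size != sizeof(struct bpf_netns))
		return -EINVAL;
	ret = netns_get_kstat(sk, &tmp);
	if (ret)
		return ret;
	ns->dev = tmp.dev;
	ns->ino = tmp.ino;
	return 0;
}

/* BPF-program side: 1 if sk lives in the expected netns, 0 if not, and a
 * negative errno when the kernel cannot tell (the error test the mail mentions). */
int sk_in_netns(const struct sock *sk, u64 dev, u64 ino)
{
	struct bpf_netns ns;
	int ret = bpf_sk_netns_get(sk, &ns, sizeof(ns));

	if (ret)
		return ret;
	return ns.dev == dev && ns.ino == ino;
}
```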