From: Martin KaFai Lau <martin.lau@linux.dev>
To: Jakub Sitnicki <jakub@cloudflare.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>,
	Stefano Garzarella <sgarzare@redhat.com>,
	Bobby Eshleman <bobby.eshleman@bytedance.com>,
	Stefan Hajnoczi <stefanha@redhat.com>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	John Fastabend <john.fastabend@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Michal Luczaj <mhal@rbox.co>,
	netdev@vger.kernel.org, bpf@vger.kernel.org
Subject: Re: [PATCH bpf 1/4] bpf, sockmap: SK_DROP on attempted redirects of unsupported af_vsock
Date: Thu, 10 Oct 2024 11:54:12 -0700
Message-ID: <7f4bf2ad-3085-4190-a9fe-58672f744bae@linux.dev>
In-Reply-To: <20241009-vsock-fixes-for-redir-v1-1-e455416f6d78@rbox.co>

On 10/9/24 2:20 PM, Michal Luczaj wrote:
> Don't mislead the callers of bpf_{sk,msg}_redirect_{map,hash}(): make sure
> to immediately and visibly fail the forwarding of unsupported af_vsock
> packets.
> 
> Fixes: 634f1a7110b4 ("vsock: support sockmap")
> Signed-off-by: Michal Luczaj <mhal@rbox.co>
> ---
>   include/net/sock.h  | 5 +++++
>   net/core/sock_map.c | 8 ++++++++
>   2 files changed, 13 insertions(+)
> 
> diff --git a/include/net/sock.h b/include/net/sock.h
> index c58ca8dd561b7312ffc0836585c04d9fe917a124..c87295f3476db23934d4fcbeabc7851c61ad2bc4 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -2715,6 +2715,11 @@ static inline bool sk_is_stream_unix(const struct sock *sk)
>   	return sk->sk_family == AF_UNIX && sk->sk_type == SOCK_STREAM;
>   }
>   
> +static inline bool sk_is_vsock(const struct sock *sk)
> +{
> +	return sk->sk_family == AF_VSOCK;
> +}
> +
>   /**
>    * sk_eat_skb - Release a skb if it is no longer needed
>    * @sk: socket to eat this skb from
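
Review bot: sk_is_vsock() has no comment saying that it matches on sk_family alone, whereas sk_is_stream_unix() directly above it also tests sk_type. A one-line comment stating that every AF_VSOCK socket type is meant to match would keep a later reader from "fixing" the helper to mirror its neighbour.
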
> diff --git a/net/core/sock_map.c b/net/core/sock_map.c
> index 242c91a6e3d3870ec6da6fa095d180a933d1d3d4..07d6aa4e39ef606aab33bd0d95711ecf156596b9 100644
> --- a/net/core/sock_map.c
> +++ b/net/core/sock_map.c
> @@ -647,6 +647,8 @@ BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,
>   	sk = __sock_map_lookup_elem(map, key);
>   	if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
>   		return SK_DROP;
> +	if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk))
> +		return SK_DROP;
>   
>   	skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS);
>   	return SK_PASS;
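
Review bot: in bpf_sk_redirect_map() the new test only fires when BPF_F_INGRESS is set, while the bpf_msg_redirect_map() hunk that follows drops vsock targets unconditionally, and neither the code nor the commit message says why the skb path leaves the other direction alone. A short comment above `if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk))` naming the unsupported direction would make the asymmetry reviewable.
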
> @@ -675,6 +677,8 @@ BPF_CALL_4(bpf_msg_redirect_map, struct sk_msg *, msg,
>   		return SK_DROP;
>   	if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
>   		return SK_DROP;
> +	if (sk_is_vsock(sk))
> +		return SK_DROP;
>   
>   	msg->flags = flags;
>   	msg->sk_redir = sk;
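
Review bot: the unconditional `if (sk_is_vsock(sk))` in bpf_msg_redirect_map() overlaps with the test directly above it: when BPF_F_INGRESS is clear, `!sk_is_tcp(sk)` has already returned SK_DROP for a socket that is not TCP, so the new line only changes the outcome when BPF_F_INGRESS is set. Either say so in a comment, or note in the commit message that the check is kept unconditional on purpose.
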
> @@ -1249,6 +1253,8 @@ BPF_CALL_4(bpf_sk_redirect_hash, struct sk_buff *, skb,
>   	sk = __sock_hash_lookup_elem(map, key);
>   	if (unlikely(!sk || !sock_map_redirect_allowed(sk)))
>   		return SK_DROP;
> +	if ((flags & BPF_F_INGRESS) && sk_is_vsock(sk))
> +		return SK_DROP;
>   
>   	skb_bpf_set_redir(skb, sk, flags & BPF_F_INGRESS);
>   	return SK_PASS;
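
Review bot: the sequence in bpf_sk_redirect_hash() (`!sk || !sock_map_redirect_allowed(sk)` followed by the BPF_F_INGRESS vsock test) is now a verbatim copy of the one added to bpf_sk_redirect_map(). Consider moving the vsock test into one helper that takes sk and flags, so that the map and hash variants cannot drift apart.
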
> @@ -1277,6 +1283,8 @@ BPF_CALL_4(bpf_msg_redirect_hash, struct sk_msg *, msg,
>   		return SK_DROP;
>   	if (!(flags & BPF_F_INGRESS) && !sk_is_tcp(sk))
>   		return SK_DROP;
> +	if (sk_is_vsock(sk))
> +		return SK_DROP;

Jakub Sitnicki, I think you have been on another thread about this change. 
Please help to take a look and ack if it looks good. Thanks.

>   
>   	msg->flags = flags;
>   	msg->sk_redir = sk;
> 
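
Review bot: the SK_DROP added to bpf_msg_redirect_hash(), like the three before it, arrives without a test in this patch: the diffstat lists only include/net/sock.h and net/core/sock_map.c. A selftest that places a vsock socket in a sockmap and in a sockhash and asserts that the redirect verdict is a drop would pin down the behaviour the commit message promises.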

