From: Jakub Sitnicki <jakub@cloudflare.com>
To: Wang Li <wangli8850@gmail.com>
Cc: bpf@vger.kernel.org, daniel@iogearbox.net,
	Wang Li <wangli09@kuaishou.com>,
	huangxuesen <huangxuesen@kuaishou.com>,
	yangxingwu <yangxingwu@kuaishou.com>
Subject: Re: [PATCH] bpf: export the net namespace for bpf_sock_ops
Date: Fri, 05 Jun 2020 16:53:50 +0200
Message-ID: <875zc536o1.fsf@cloudflare.com>
In-Reply-To: <20200605124011.71043-1-wangli09@kuaishou.com>

On Fri, Jun 05, 2020 at 02:40 PM CEST, Wang Li wrote:
> Sometimes we need net namespace as part of the key for BPF_MAP_TYPE_SOCKHASH to
> distinguish the connections with the same five-tuples, for example when we do the
> sock_map acceleration for the proxy that uses 127.0.0.1 to 127.0.0.1 connections
> in different containers on the same node.
> And we export the netns inum instead of the real pointer of struct net to avoid
> the potential security issue.
>
> Signed-off-by: Wang Li <wangli09@kuaishou.com>
> Signed-off-by: huangxuesen <huangxuesen@kuaishou.com>
> Signed-off-by: yangxingwu <yangxingwu@kuaishou.com>
> ---
>  include/uapi/linux/bpf.h       |  2 ++
>  net/core/filter.c              | 17 +++++++++++++++++
>  tools/include/uapi/linux/bpf.h |  2 ++
>  3 files changed, 21 insertions(+)
>
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index c65b374a5090..0fe7e459f023 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -3947,6 +3947,8 @@ struct bpf_sock_ops {
>  				 * there is a full socket. If not, the
>  				 * fields read as zero.
>  				 */
> +	__u32 netns_inum;	/* The net namespace this sock belongs to */
> +

In uapi/linux/bpf.h we have a field `netns_ino` for storing net
namespace inode number in a couple structs (bpf_prog_info,
bpf_map_info). Would be nice to keep the naming consistent.

>  	__u32 snd_cwnd;
>  	__u32 srtt_us;		/* Averaged RTT << 3 in usecs */
>  	__u32 bpf_sock_ops_cb_flags; /* flags defined in uapi/linux/tcp.h */
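Review bot: the new field is inserted in the middle of struct bpf_sock_ops, ahead of snd_cwnd, which shifts the offset of every field after it; BPF programs reach ctx fields by offsets baked into their bytecode at compile time, so an already-built program reading snd_cwnd would now read netns_inum instead. New uapi ctx fields need to be appended at the end of the struct. While touching the comment, it should also say that the field reads as 0 on kernels built without CONFIG_NET_NS, since that is what the filter.c hunk does in its #else branch.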
> diff --git a/net/core/filter.c b/net/core/filter.c
> index d01a244b5087..bfe448ace25f 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -8450,6 +8450,23 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type,
>  					       is_fullsock));
>  		break;
>
> +	case offsetof(struct bpf_sock_ops, netns_inum):
> +#ifdef CONFIG_NET_NS
> +		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
> +						struct bpf_sock_ops_kern, sk),
> +				      si->dst_reg, si->src_reg,
> +				      offsetof(struct bpf_sock_ops_kern, sk));
> +		*insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF(
> +						struct sock_common, skc_net),
> +				      si->dst_reg, si->dst_reg,
> +				      offsetof(struct sock_common, skc_net));
> +		*insn++ = BPF_LDX_MEM(BPF_W, si->dst_reg, si->dst_reg,
> +				      offsetof(struct net, ns.inum));
> +#else
> +		*insn++ = BPF_MOV32_IMM(si->dst_reg, 0);
> +#endif
> +		break;
> +
>  	case offsetof(struct bpf_sock_ops, state):
>  		BUILD_BUG_ON(sizeof_field(struct sock_common, skc_state) != 1);
>
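Review bot: the ns.inum load hard-codes BPF_W with nothing tying that width to the kernel type, whereas the neighbouring state case guards its width with `BUILD_BUG_ON(sizeof_field(struct sock_common, skc_state) != 1);`. A matching `BUILD_BUG_ON(sizeof_field(struct ns_common, inum) != 4);` before the load would keep the u32 exposed to user space honest if the kernel field ever changes. The preceding two loads use BPF_FIELD_SIZEOF and so already follow the types of sk and skc_net, which is the right pattern to carry through to the last step.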
> diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
> index c65b374a5090..0fe7e459f023 100644
> --- a/tools/include/uapi/linux/bpf.h
> +++ b/tools/include/uapi/linux/bpf.h
> @@ -3947,6 +3947,8 @@ struct bpf_sock_ops {
>  				 * there is a full socket. If not, the
>  				 * fields read as zero.
>  				 */
> +	__u32 netns_inum;	/* The net namespace this sock belongs to */
> +
>  	__u32 snd_cwnd;
>  	__u32 srtt_us;		/* Averaged RTT << 3 in usecs */
>  	__u32 bpf_sock_ops_cb_flags; /* flags defined in uapi/linux/tcp.h */
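Review bot: this hunk is the tools/ mirror of the include/uapi/linux/bpf.h change, so whatever field name and placement the uapi copy settles on (see the naming and struct-position comments above) must be copied here byte for byte in the same patch, otherwise the two headers drift.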

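As an added example, not code from the patch or this thread: the sockhash key the commit message describes (net namespace inode number plus five-tuple), built in plain user-space C so it runs without kernel headers. The struct sock_ops_view is a constructed stand-in for the bpf_sock_ops fields a sockops program would read (byte orders follow the uapi comments for those fields), and struct sockhash_key, build_key, netns_keeps_apart and the sample values are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
/* Constructed stand-in for the bpf_sock_ops fields a sockops program reads;
 * byte orders follow the uapi comments for those fields. */
struct sock_ops_view {
    uint32_t family;
    uint32_t local_ip4;    /* network byte order */
    uint32_t remote_ip4;   /* network byte order */
    uint32_t local_port;   /* host byte order */
    uint32_t remote_port;  /* network byte order */
    uint32_t netns_inum;   /* the field the patch proposes */
};
/* Map key: only 32-bit fields, so no padding can carry uninitialised bytes
 * into the key and silently break sockhash lookups. */
struct sockhash_key {
    uint32_t netns_inum;
    uint32_t family;
    uint32_t local_ip4;
    uint32_t remote_ip4;
    uint32_t local_port;   /* host byte order */
    uint32_t remote_port;  /* normalised to host byte order */
};
_Static_assert(sizeof(struct sockhash_key) == 24, "sockhash_key has padding");

void build_key(const struct sock_ops_view *ops, struct sockhash_key *key)
{
    memset(key, 0, sizeof(*key));
    key->netns_inum  = ops->netns_inum;
    key->family      = ops->family;
    key->local_ip4   = ops->local_ip4;
    key->remote_ip4  = ops->remote_ip4;
    key->local_port  = ops->local_port;
    key->remote_port = ntohs((uint16_t)ops->remote_port);
}
/* Two 127.0.0.1 -> 127.0.0.1 connections with identical five-tuples in
 * different netns (the containers case from the commit message): returns 1
 * if the keys differ, 0 if they would collide in the map. */
int netns_keeps_apart(uint32_t inum_a, uint32_t inum_b)
{
    struct sock_ops_view a = { AF_INET, htonl(0x7f000001), htonl(0x7f000001),
                               8080, htons(45678), inum_a };
    struct sock_ops_view b = a;
    struct sockhash_key ka, kb;
    b.netns_inum = inum_b;
    build_key(&a, &ka);
    build_key(&b, &kb);
    return memcmp(&ka, &kb, sizeof(ka)) != 0;
}
```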
Thread overview: 6+ messages
2020-06-05 12:40 [PATCH] bpf: export the net namespace for bpf_sock_ops Wang Li
2020-06-05 14:53 ` Jakub Sitnicki [this message]
2020-06-05 15:22   ` Daniel Borkmann
2020-06-08  2:51     ` 王黎
2020-06-08  4:12       ` 王黎
2020-06-08  2:45   ` 王黎