From: "Toke Høiland-Jørgensen" <toke@redhat.com>
To: Jesper Dangaard Brouer <brouer@redhat.com>
Cc: David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
brouer@redhat.com
Subject: Re: [PATCH net-next v2 2/2] devmap: Allow map lookups from eBPF
Date: Thu, 06 Jun 2019 15:49:37 +0200
Message-ID: <87zhmuddse.fsf@toke.dk>
In-Reply-To: <20190606153344.4871ffa2@carbon>

Jesper Dangaard Brouer <brouer@redhat.com> writes:

> On Thu, 06 Jun 2019 15:24:14 +0200
> Toke Høiland-Jørgensen <toke@redhat.com> wrote:
>
>> From: Toke Høiland-Jørgensen <toke@redhat.com>
>>
>> We don't currently allow lookups into a devmap from eBPF, because the map
>> lookup returns a pointer directly to the dev->ifindex, which shouldn't be
>> modifiable from eBPF.
>>
>> However, being able to do lookups in devmaps is useful to know (e.g.)
>> whether forwarding to a specific interface is enabled. Currently, programs
>> work around this by keeping a shadow map of another type which indicates
>> whether a map index is valid.
>>
>> Since we now have a flag to make maps read-only from the eBPF side, we can
>> simply lift the lookup restriction if we make sure this flag is always set.
>
> Nice, I didn't know this was possible. I like it! :-)

Me neither; discovered it while looking through the verifier code to
figure out what would be needed to get the verifier to enforce read-only
semantics. Not much, as it turned out :)

The functionality was introduced in:
591fe9888d78 ("bpf: add program side {rd, wr}only support for maps") by
Daniel from April 9th.

-Toke