From: Mahe Tardy <mahe.tardy@gmail.com>
To: bot+bpf-ci@kernel.org
Cc: bpf@vger.kernel.org, martin.lau@linux.dev, daniel@iogearbox.net,
john.fastabend@gmail.com, ast@kernel.org, andrii@kernel.org,
yonghong.song@linux.dev, jordan@jrife.io, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com, martin.lau@kernel.org,
eddyz87@gmail.com, clm@meta.com, ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next v6 6/6] selftests/bpf: add bpf_icmp_send recursion test
Date: Mon, 18 May 2026 16:39:31 +0200
Message-ID: <agsko7KjEILkHAk4@gmail.com>
In-Reply-To: <92695da279ff66c47eeab8c93562f171982732ad4f420f0057c773efb6c1db8f@mail.kernel.org>

On Mon, May 18, 2026 at 01:07:53PM +0000, bot+bpf-ci@kernel.org wrote:
> > diff --git a/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c b/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c
> > index d0ac0502f6df..a9e9806877cf 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/icmp_send_kfunc.c
>
> [ ... ]
>
> > diff --git a/tools/testing/selftests/bpf/progs/icmp_send.c b/tools/testing/selftests/bpf/progs/icmp_send.c
> > index 6e1ba539eeb0..7830334b747a 100644
> > --- a/tools/testing/selftests/bpf/progs/icmp_send.c
> > +++ b/tools/testing/selftests/bpf/progs/icmp_send.c
> > @@ -13,6 +13,9 @@ int unreach_type = 0;
> > int unreach_code = 0;
> > int kfunc_ret = -1;
> >
> > +unsigned int rec_count = 0;
> > +int rec_kfunc_rets[] = { -1, -1 };
> > +
> > SEC("cgroup_skb/egress")
> > int egress(struct __sk_buff *skb)
> > {
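Review bot: rec_count and rec_kfunc_rets are declared here without a comment saying what each of the two array slots is expected to hold. With the index taken as rec_count & 1 and the counter bumped only after the kfunc returns, a re-entry that happens inside the outer bpf_icmp_send call (as the comment in recursion() describes) records its result in slot 0 and the outer call lands in slot 1, which is the reverse of what a reader of the userspace assertions might assume. A one-line comment on the declaration stating that mapping would make the test easier to audit.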
> > @@ -65,4 +68,32 @@ int egress(struct __sk_buff *skb)
> > return SK_DROP;
> > }
> >
> > +SEC("cgroup_skb/egress")
> > +int recursion(struct __sk_buff *skb)
> > +{
> > + void *data = (void *)(long)skb->data;
> > + void *data_end = (void *)(long)skb->data_end;
> > + struct iphdr *iph;
> > + int ret;
> > +
> > + iph = data;
> > + if ((void *)(iph + 1) > data_end || iph->version != 4)
> > + return SK_PASS;
> > +
> > + /* This call will provoke a recursion: the ICMP packet generated by the
> > + * kfunc will re-trigger this program since we are in the root cgroup in
> > + * which the kernel ICMP socket belongs. However when re-entering the
> > + * kfunc, it should return EBUSY.
> > + */
> > + ret = bpf_icmp_send(skb, unreach_type, unreach_code);
> > + rec_kfunc_rets[rec_count & 1] = ret;
>
> Will this program affect background traffic when running on the system?
>
> The recursion program is attached to the root cgroup and intercepts all
> IPv4 traffic. While v5 changed SK_DROP to SK_PASS to avoid blocking
> traffic, the program still calls bpf_icmp_send() on every IPv4 packet
> without filtering for test-specific traffic.
>
> This means background IPv4 traffic (SSH, DNS, other tests) will trigger
> ICMP Destination Unreachable messages, potentially causing network
> disruption and test races on rec_kfunc_rets and rec_count.
>
> The egress program demonstrates proper filtering by checking for TCP,
> SERVER_IP, and server_port:
>
> SEC("cgroup_skb/egress")
> int egress(struct __sk_buff *skb)
> {
> 	void *data = (void *)(long)skb->data;
> 	void *data_end = (void *)(long)skb->data_end;
> 	struct iphdr *iph;
> 	struct ipv6hdr *ip6h;
> 	struct tcphdr *tcph;
>
> 	iph = data;
> 	if ((void *)(iph + 1) > data_end || iph->version != 4)
> 		return SK_PASS;
>
> 	if (iph->protocol != IPPROTO_TCP)
> 		return SK_PASS;
>
> 	if (bpf_ntohs(iph->daddr) != SERVER_IP)
> 		return SK_PASS;
>
> 	tcph = (struct tcphdr *)((void *)iph + sizeof(*iph));
> 	if ((void *)(tcph + 1) > data_end)
> 		return SK_PASS;
>
> 	if (tcph->dest != server_port)
> 		return SK_PASS;
> 	...
> }
>
> Could the recursion program use similar filtering to explicitly check for
> the test's traffic?

I could restrict a little bit more by ignoring all traffic that is
non-TCP for the dest port or non-ICMP but not sure this is actually
needed. E.g. writing something like this before bpf_icmp_send:

	if (iph->daddr != bpf_htonl(SERVER_IP))
		return SK_PASS;
	if (iph->protocol == IPPROTO_TCP) {
		tcph = (void *)iph + iph->ihl * 4;
		if ((void *)(tcph + 1) > data_end ||
		    tcph->dest != bpf_htons(server_port))
			return SK_PASS;
	} else if (iph->protocol != IPPROTO_ICMP) {
		return SK_PASS;
	}

But not sure this is strictly needed.

>
> > + __sync_fetch_and_add(&rec_count, 1);
> > +
> > + /* Let the first ICMP error message pass */
> > + if (iph->protocol == IPPROTO_ICMP)
> > + return SK_PASS;
> > +
> > + return SK_DROP;
> > +}
> > +
> > char LICENSE[] SEC("license") = "Dual BSD/GPL";
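Review bot: in recursion(), the slot index is read with a plain rec_count & 1 while the counter is incremented separately by __sync_fetch_and_add, so any invocation beyond the expected two wraps around and overwrites an earlier return value. Consider taking the index from the atomic itself, e.g. idx = __sync_fetch_and_add(&rec_count, 1); before the kfunc call, and storing ret only when idx < 2. Note that this gives the outer call slot 0 and the re-entrant call slot 1, so the userspace checks would need to match.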
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26034287312
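
Added example, not part of the original message or the patch: the filter sketched in the reply above, written as a userspace C function and run against constructed packets, so the byte-order and header-length handling can be checked outside the kernel. EX_SERVER_IP, EX_SERVER_PORT, is_test_traffic and build_pkt are names and values assumed for this example only.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>

/* Constructed values for this example; not the selftest's constants. */
#define EX_SERVER_IP   0x7f000001u /* 127.0.0.1, host byte order */
#define EX_SERVER_PORT 8080        /* host byte order */

/* 1: test traffic the program may act on; 0: pass it through untouched. */
static int is_test_traffic(const uint8_t *pkt, size_t len)
{
	uint32_t daddr;
	uint16_t dport;
	size_t ihl;

	if (len < 20 || (pkt[0] >> 4) != 4)
		return 0;
	ihl = (size_t)(pkt[0] & 0x0f) * 4;	/* header length incl. options */
	if (ihl < 20 || ihl > len)
		return 0;
	memcpy(&daddr, pkt + 16, sizeof(daddr));
	if (daddr != htonl(EX_SERVER_IP))	/* compare in network order */
		return 0;
	if (pkt[9] == IPPROTO_ICMP)
		return 1;
	if (pkt[9] != IPPROTO_TCP || len < ihl + 20)
		return 0;
	memcpy(&dport, pkt + ihl + 2, sizeof(dport));
	return dport == htons(EX_SERVER_PORT);
}

/* Build a constructed 40-byte IPv4 packet: 20-byte header, zeroed L4. */
static size_t build_pkt(uint8_t *buf, uint8_t proto, uint32_t dst, uint16_t dport)
{
	uint32_t d = htonl(dst);
	uint16_t p = htons(dport);

	memset(buf, 0, 40);
	buf[0] = 0x45;			/* version 4, ihl 5 */
	buf[9] = proto;
	memcpy(buf + 16, &d, 4);
	memcpy(buf + 22, &p, 2);	/* L4 destination port */
	return 40;
}

int main(void)
{
	uint8_t buf[40];
	return is_test_traffic(buf, build_pkt(buf, IPPROTO_TCP, EX_SERVER_IP, 22));
}
```
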