From: Martin KaFai Lau <martin.lau@linux.dev>
To: Brad Cowie <brad@faucet.nz>
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
coreteam@netfilter.org, daniel@iogearbox.net,
davem@davemloft.net, john.fastabend@gmail.com, jolsa@kernel.org,
kuba@kernel.org, lorenzo@kernel.org, memxor@gmail.com,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
pabeni@redhat.com, pablo@netfilter.org, sdf@google.com,
song@kernel.org
Subject: Re: [PATCH bpf-next v2 1/2] net: netfilter: Make ct zone opts configurable for bpf ct helpers
Date: Wed, 1 May 2024 15:11:09 -0700 [thread overview]
Message-ID: <f3721e87-10dc-46d7-86b1-432d8afa4b21@linux.dev> (raw)
In-Reply-To: <20240501045931.157041-1-brad@faucet.nz>
On 4/30/24 9:59 PM, Brad Cowie wrote:
> On Fri, 26 Apr 2024 at 11:27, Martin KaFai Lau <martin.lau@linux.dev> wrote:
>> On 4/23/24 8:00 PM, Brad Cowie wrote:
>>> };
>>>
>>> static int bpf_nf_ct_tuple_parse(struct bpf_sock_tuple *bpf_tuple,
>>> @@ -104,11 +107,13 @@ __bpf_nf_ct_alloc_entry(struct net *net, struct bpf_sock_tuple *bpf_tuple,
>>> u32 timeout)
>>> {
>>> struct nf_conntrack_tuple otuple, rtuple;
>>> + struct nf_conntrack_zone ct_zone;
>>> struct nf_conn *ct;
>>> int err;
>>>
>>> - if (!opts || !bpf_tuple || opts->reserved[0] || opts->reserved[1] ||
>>> - opts_len != NF_BPF_CT_OPTS_SZ)
>>> + if (!opts || !bpf_tuple)
>>> + return ERR_PTR(-EINVAL);
>>> + if (!(opts_len == NF_BPF_CT_OPTS_SZ || opts_len == NF_BPF_CT_OPTS_OLD_SZ))
>>> return ERR_PTR(-EINVAL);
>>>
>>> if (unlikely(opts->netns_id < BPF_F_CURRENT_NETNS))
>>> @@ -130,7 +135,16 @@ __bpf_nf_ct_alloc_entry(struct net *net, struct bpf_sock_tuple *bpf_tuple,
>>> return ERR_PTR(-ENONET);
>>> }
>>>
>>> - ct = nf_conntrack_alloc(net, &nf_ct_zone_dflt, &otuple, &rtuple,
>>> + if (opts_len == NF_BPF_CT_OPTS_SZ) {
>>> + if (opts->ct_zone_dir == 0)
>>
>> I don't know the details about the dir in ct_zone, so a question: a 0
>> ct_zone_dir is invalid and can be reused to mean NF_CT_DEFAULT_ZONE_DIR?
>
> ct_zone_dir is a bitmask that can have two different bits set,
> NF_CT_ZONE_DIR_ORIG (1) and NF_CT_ZONE_DIR_REPL (2).
>
> The comparison function nf_ct_zone_matches_dir() in nf_conntrack_zones.h
> checks if ct_zone_dir & (1 << ip_conntrack_dir dir). ip_conntrack_dir
> has two possible values IP_CT_DIR_ORIGINAL (0) and IP_CT_DIR_REPLY (1).
>
> If ct_zone_dir has a value of 0, this makes nf_ct_zone_matches_dir()
> always return false which makes nf_ct_zone_id() always return
> NF_CT_DEFAULT_ZONE_ID instead of the specified ct zone id.
>
> I chose to override ct_zone_dir here and set NF_CT_DEFAULT_ZONE_DIR (3),
> to make the behaviour more obvious when a user calls the bpf ct helper
> kfuncs while only setting ct_zone_id but not ct_zone_dir.
Ok. make sense.
>
>>> + opts->ct_zone_dir = NF_CT_DEFAULT_ZONE_DIR;
>>> + nf_ct_zone_init(&ct_zone,
>>> + opts->ct_zone_id, opts->ct_zone_dir, opts->ct_zone_flags);
>>> + } else {
>>
>> Better enforce "ct_zone_id == 0" also instead of ignoring it.
>
> Could I ask for clarification here, do you mean changing this
> else statement to:
>
> + } else if (opts->ct_zone_id == 0) {
>
> Or should I be setting opts->ct_zone_id = 0 inside the else block?
Testing non zero inside the else and return error instead of silently ignoring
it and then use nf_ct_zone_dflt:
} else {
if (opts->ct_zone_id)
/* don't ignore the opts->ct_zone_id */
return ERR_PTR(-EINVAL);
ct_zone = nf_ct_zone_dflt;
}
prev parent reply other threads:[~2024-05-01 22:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-24 3:00 [PATCH bpf-next v2 1/2] net: netfilter: Make ct zone opts configurable for bpf ct helpers Brad Cowie
2024-04-24 3:00 ` [PATCH bpf-next v2 2/2] selftests/bpf: Update tests for new ct zone opts for nf_conntrack kfuncs Brad Cowie
2024-04-25 23:34 ` Martin KaFai Lau
2024-05-01 5:03 ` Brad Cowie
2024-04-25 23:27 ` [PATCH bpf-next v2 1/2] net: netfilter: Make ct zone opts configurable for bpf ct helpers Martin KaFai Lau
2024-05-01 4:59 ` Brad Cowie
2024-05-01 22:11 ` Martin KaFai Lau [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f3721e87-10dc-46d7-86b1-432d8afa4b21@linux.dev \
--to=martin.lau@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brad@faucet.nz \
--cc=coreteam@netfilter.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kuba@kernel.org \
--cc=lorenzo@kernel.org \
--cc=memxor@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=sdf@google.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.