[PATCH v6 1/6] bpf: add new prog type for cgroup socket filtering

public inbox for cgroups@vger.kernel.org
 help / color / mirror / Atom feed

From: Daniel Mack <daniel@zonque.org>
To: htejun@fb.com, daniel@iogearbox.net, ast@fb.com
Cc: davem@davemloft.net, kafai@fb.com, fw@strlen.de,
	pablo@netfilter.org, harald@redhat.com, netdev@vger.kernel.org,
	sargun@sargun.me, cgroups@vger.kernel.org,
	Daniel Mack <daniel@zonque.org>
Subject: [PATCH v6 1/6] bpf: add new prog type for cgroup socket filtering
Date: Mon, 19 Sep 2016 18:43:56 +0200	[thread overview]
Message-ID: <1474303441-3745-2-git-send-email-daniel@zonque.org> (raw)
In-Reply-To: <1474303441-3745-1-git-send-email-daniel@zonque.org>

This program type is similar to BPF_PROG_TYPE_SOCKET_FILTER, except that
it does not allow BPF_LD_[ABS|IND] instructions and hooks up the
bpf_skb_load_bytes() helper.

Programs of this type will be attached to cgroups for network filtering
and accounting.

Signed-off-by: Daniel Mack <daniel@zonque.org>
---
 include/uapi/linux/bpf.h |  9 +++++++++
 net/core/filter.c        | 23 +++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index f896dfa..55f815e 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -96,8 +96,17 @@ enum bpf_prog_type {
 	BPF_PROG_TYPE_TRACEPOINT,
 	BPF_PROG_TYPE_XDP,
 	BPF_PROG_TYPE_PERF_EVENT,
+	BPF_PROG_TYPE_CGROUP_SOCKET,
 };
 
+enum bpf_attach_type {
+	BPF_CGROUP_INET_INGRESS,
+	BPF_CGROUP_INET_EGRESS,
+	__MAX_BPF_ATTACH_TYPE
+};
+
+#define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
+
 #define BPF_PSEUDO_MAP_FD	1
 
 /* flags for BPF_MAP_UPDATE_ELEM command */
diff --git a/net/core/filter.c b/net/core/filter.c
index 298b146..e46c98e 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2496,6 +2496,17 @@ xdp_func_proto(enum bpf_func_id func_id)
 	}
 }
 
+static const struct bpf_func_proto *
+cg_sk_func_proto(enum bpf_func_id func_id)
+{
+	switch (func_id) {
+	case BPF_FUNC_skb_load_bytes:
+		return &bpf_skb_load_bytes_proto;
+	default:
+		return sk_filter_func_proto(func_id);
+	}
+}
+
 static bool __is_valid_access(int off, int size, enum bpf_access_type type)
 {
 	if (off < 0 || off >= sizeof(struct __sk_buff))
@@ -2818,6 +2829,12 @@ static const struct bpf_verifier_ops xdp_ops = {
 	.convert_ctx_access	= xdp_convert_ctx_access,
 };
 
+static const struct bpf_verifier_ops cg_sk_ops = {
+	.get_func_proto		= cg_sk_func_proto,
+	.is_valid_access	= sk_filter_is_valid_access,
+	.convert_ctx_access	= sk_filter_convert_ctx_access,
+};
+
 static struct bpf_prog_type_list sk_filter_type __read_mostly = {
 	.ops	= &sk_filter_ops,
 	.type	= BPF_PROG_TYPE_SOCKET_FILTER,
@@ -2838,12 +2855,18 @@ static struct bpf_prog_type_list xdp_type __read_mostly = {
 	.type	= BPF_PROG_TYPE_XDP,
 };
 
+static struct bpf_prog_type_list cg_sk_type __read_mostly = {
+	.ops	= &cg_sk_ops,
+	.type	= BPF_PROG_TYPE_CGROUP_SOCKET,
+};
+
 static int __init register_sk_filter_ops(void)
 {
 	bpf_register_prog_type(&sk_filter_type);
 	bpf_register_prog_type(&sched_cls_type);
 	bpf_register_prog_type(&sched_act_type);
 	bpf_register_prog_type(&xdp_type);
+	bpf_register_prog_type(&cg_sk_type);
 
 	return 0;
 }
-- 
2.5.5

next prev parent reply	other threads:[~2016-09-19 16:43 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-09-19 16:43 [PATCH v6 0/6] Add eBPF hooks for cgroups Daniel Mack
2016-09-19 16:43 ` Daniel Mack [this message]
2016-09-19 16:43 ` [PATCH v6 3/6] bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands Daniel Mack
     [not found] ` <1474303441-3745-1-git-send-email-daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-19 16:43   ` [PATCH v6 2/6] cgroup: add support for eBPF programs Daniel Mack
2016-09-19 16:43   ` [PATCH v6 4/6] net: filter: run cgroup eBPF ingress programs Daniel Mack
2016-09-19 16:44   ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF egress programs Daniel Mack
2016-09-19 19:19     ` Pablo Neira Ayuso
2016-09-19 19:30       ` Daniel Mack
     [not found]         ` <ac88bb4c-ab7c-1f74-c7fd-79e523b50ae4-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-19 20:35           ` Pablo Neira Ayuso
2016-09-19 20:56             ` Daniel Mack
2016-09-20 14:29               ` Pablo Neira Ayuso
2016-09-20 16:43                 ` Daniel Mack
     [not found]                   ` <6584b975-fa3e-8d98-f0c7-a2c6b194b2b6-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-21 15:45                     ` Pablo Neira Ayuso
2016-09-21 18:48                       ` Thomas Graf
     [not found]                         ` <20160921184827.GA15732-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-09-22  9:21                           ` Pablo Neira Ayuso
2016-09-22  9:54                             ` Thomas Graf
     [not found]                               ` <20160922095411.GA5654-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-09-22 12:05                                 ` Pablo Neira Ayuso
2016-09-22 15:12                                   ` Daniel Borkmann
     [not found]                                     ` <57E3F4F9.70300-FeC+5ew28dpmcu3hnIyYJQ@public.gmane.org>
2016-09-22 15:53                                       ` Daniel Mack
2016-09-23 13:17                                       ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup ebpf " Pablo Neira Ayuso
2016-09-26 10:10                                         ` Daniel Borkmann
2016-09-20 16:53                 ` [PATCH v6 5/6] net: ipv4, ipv6: run cgroup eBPF " Thomas Graf
2016-09-19 20:13       ` Alexei Starovoitov
2016-09-19 20:39         ` Pablo Neira Ayuso
     [not found]         ` <20160919201322.GA84770-+o4/htvd0TDFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-09-19 21:28           ` Thomas Graf
     [not found]     ` <1474303441-3745-6-git-send-email-daniel-cYrQPVfZoowdnm+yROfE0A@public.gmane.org>
2016-09-20  5:44       ` kbuild test robot
2016-10-21  5:32   ` [PATCH v6 0/6] Add eBPF hooks for cgroups David Ahern
2016-09-19 16:44 ` [PATCH v6 6/6] samples: bpf: add userspace example for attaching eBPF programs to cgroups Daniel Mack

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f896dfa dfblob:55f815e dfblob:298b146 dfblob:e46c98e )
 OR (
bs:"[PATCH v6 1/6] bpf: add new prog type for cgroup socket filtering" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1474303441-3745-2-git-send-email-daniel@zonque.org \
    --to=daniel@zonque.org \
    --cc=ast@fb.com \
    --cc=cgroups@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=harald@redhat.com \
    --cc=htejun@fb.com \
    --cc=kafai@fb.com \
    --cc=netdev@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=sargun@sargun.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox