Date: Wed, 25 Feb 2026 10:45:09 -0500
From: Willem de Bruijn
To: "Hudson, Nick", Willem de Bruijn
Cc: "Glasgall, Anna", "Tottenham, Max", "Hunt, Joshua",
    Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
    Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
    John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
    "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni,
    Simon Horman, Jason Xing, Willem de Bruijn, Paul Chaignon,
    Mykyta Yatsenko, Tao Chen, Kumar Kartikeya Dwivedi,
    Anton Protopopov, Tobias Klauser, "bpf@vger.kernel.org",
    "linux-kernel@vger.kernel.org", "netdev@vger.kernel.org"
In-Reply-To: <7C8018C7-B0E2-435F-B155-60F29BCF5018@akamai.com>
References: <20260219104710.1490304-1-nhudson@akamai.com>
    <20260219104710.1490304-2-nhudson@akamai.com>
    <7C8018C7-B0E2-435F-B155-60F29BCF5018@akamai.com>
Subject: Re: [RFC PATCH 1/1] bpf: Add tunnel decapsulation and GSO state updates per new flags
X-Mailing-List: linux-kernel@vger.kernel.org

Hudson, Nick wrote:
>
> > On 20 Feb 2026, at 21:08, Willem de Bruijn wrote:
> >
> > Nick Hudson wrote:
> >> Enable BPF programs to properly handle GSO state when decapsulating
> >> tunneled packets by adding selective GSO flag clearing and a trusted
> >> mode for GSO handling.
> >>
> >> New decapsulation flags:
> >>
> >> - BPF_F_ADJ_ROOM_DECAP_L4_UDP: Clear UDP tunnel GSO flags
> >>   (SKB_GSO_UDP_TUNNEL, SKB_GSO_UDP_TUNNEL_CSUM)
> >> - BPF_F_ADJ_ROOM_DECAP_L4_GRE: Clear GRE tunnel GSO flags
> >>   (SKB_GSO_GRE, SKB_GSO_GRE_CSUM)
> >> - BPF_F_ADJ_ROOM_DECAP_IPXIP4: Clear SKB_GSO_IPXIP4 flag for
> >>   IPv4-in-IPv4 (IPIP) and IPv6-in-IPv4 (SIT) tunnels
> >> - BPF_F_ADJ_ROOM_DECAP_IPXIP6: Clear SKB_GSO_IPXIP6 flag for
> >>   IPv6-in-IPv6 and IPv4-in-IPv6 tunnels
> >> - BPF_F_ADJ_ROOM_NO_DODGY: Preserve gso_segs and don't set
> >>   SKB_GSO_DODGY when the BPF program is trusted and modifications
> >>   are known to be valid
> >>
> >> The existing anonymous enum for BPF_FUNC_skb_adjust_room flags is
> >> renamed to enum bpf_adj_room_flags to enable CO-RE (Compile Once -
> >> Run Everywhere) lookups in BPF programs.
> >>
> >> By default, bpf_skb_adjust_room sets SKB_GSO_DODGY and resets
> >> gso_segs to 0, forcing revalidation. The NO_DODGY flag bypasses this
> >> for trusted programs that guarantee GSO correctness.
> >>
> >> Usage example (decapsulating UDP tunnel with IPv4 inner packet):
> >>   bpf_skb_adjust_room(skb, -hdr_len, BPF_ADJ_ROOM_NET,
> >>                       BPF_F_ADJ_ROOM_DECAP_L3_IPV4 |
> >>                       BPF_F_ADJ_ROOM_DECAP_L4_UDP);
> >
> > This patch is doing too much in one patch.
>
> Sure, I’ll split it up.
>
> >
> > Also not convinced of the need for the NO_DODGY flag.
>
> The reason for NO_DODGY is that, without it, the egress interface will see the
> SKB_GSO_DODGY flag. In our use case, we want to avoid marking the egress tap as
> NETIF_F_GSO_ROBUST, so the skb will fail skb_gso_ok() with SKB_GSO_DODGY set.
> When skb_gso_ok() fails, validate_xmit_skb() calls skb_gso_segment().

I understand why you might want it. But the dodgy check has long been
there for a reason: because these transformations are not blindly
accepted by the kernel. This use case does not change that.
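
A simplified user-space model of the check this thread argues about, added here as an example; it is not code from the patch, the kernel, or either participant. The bit positions and every model_* / M_* name are constructed for illustration; only the shape of the test (each gso_type bit needs its matching device feature bit) follows what the messages above describe.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bit positions for this model only; the kernel's real values
 * are defined in include/linux/skbuff.h and netdev_features.h. */
#define M_GSO_TCPV4      (1u << 0)
#define M_GSO_DODGY      (1u << 1)
#define M_GSO_UDP_TUNNEL (1u << 2)
#define M_GSO_SHIFT      8 /* device feature bit = gso_type bit << shift */
#define M_F_TSO          (M_GSO_TCPV4 << M_GSO_SHIFT)
#define M_F_GSO_ROBUST   (M_GSO_DODGY << M_GSO_SHIFT)

struct model_skb { uint32_t gso_type; uint16_t gso_segs; };
enum xmit_path { XMIT_PASS_THROUGH, XMIT_SW_SEGMENT };

/* Shape of the skb_gso_ok() test: every gso_type bit on the packet needs
 * the matching feature bit on the egress device. */
static bool model_gso_ok(const struct model_skb *skb, uint32_t dev_features)
{
    uint32_t need = skb->gso_type << M_GSO_SHIFT;
    return (dev_features & need) == need;
}

/* Decap as the commit message describes it: clear the UDP tunnel bit, then
 * by default set DODGY and zero gso_segs; no_dodgy models the proposed flag. */
static void model_decap(struct model_skb *skb, bool no_dodgy)
{
    skb->gso_type &= ~M_GSO_UDP_TUNNEL;
    if (!no_dodgy) {
        skb->gso_type |= M_GSO_DODGY;
        skb->gso_segs = 0;
    }
}

/* Transmit decision: a failed check sends the skb to software segmentation. */
static enum xmit_path model_xmit(bool no_dodgy, uint32_t dev_features)
{
    struct model_skb skb = { M_GSO_TCPV4 | M_GSO_UDP_TUNNEL, 4 };
    model_decap(&skb, no_dodgy);
    return model_gso_ok(&skb, dev_features) ? XMIT_PASS_THROUGH : XMIT_SW_SEGMENT;
}

int main(void)
{
    printf("default, tap without ROBUST:  %d\n", model_xmit(false, M_F_TSO));
    printf("default, tap with ROBUST:     %d\n", model_xmit(false, M_F_TSO | M_F_GSO_ROBUST));
    printf("NO_DODGY, tap without ROBUST: %d\n", model_xmit(true, M_F_TSO));
    return 0;
}
```

Only the first case takes the segmentation path that the commit message calls forced revalidation; in the NO_DODGY case the packet passes without the device having declared itself robust to untrusted GSO metadata.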