From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Ahern Subject: Re: netns_id in bpf_sk_lookup_{tcp,udp} Date: Mon, 19 Nov 2018 16:46:23 -0700 Message-ID: <077323f3-3026-06b5-fb4b-54383e5387f6@gmail.com> References: <15bf5496-523f-564f-443e-f3262bb9e668@gmail.com> <90ae2d6b-049a-90a2-05e5-66700e885b39@gmail.com> <55816e4b-1a00-a1f3-6514-f755b992a049@6wind.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: nicolas.dichtel@6wind.com, netdev , daniel@iogearbox.net To: Joe Stringer Return-path: Received: from mail-pl1-f178.google.com ([209.85.214.178]:37056 "EHLO mail-pl1-f178.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727583AbeKTKMd (ORCPT ); Tue, 20 Nov 2018 05:12:33 -0500 Received: by mail-pl1-f178.google.com with SMTP id b5so40515plr.4 for ; Mon, 19 Nov 2018 15:46:26 -0800 (PST) In-Reply-To: Content-Language: en-US Sender: netdev-owner@vger.kernel.org List-ID: On 11/19/18 2:59 PM, Joe Stringer wrote: > @@ -2221,12 +2222,13 @@ union bpf_attr { > * **sizeof**\ (*tuple*\ **->ipv6**) > * Look for an IPv6 socket. > * > - * If the *netns* is zero, then the socket lookup table in the > - * netns associated with the *ctx* will be used. For the TC hooks, > - * this in the netns of the device in the skb. For socket hooks, > - * this in the netns of the socket. If *netns* is non-zero, then > - * it specifies the ID of the netns relative to the netns > - * associated with the *ctx*. > + * If the *netns* is **BPF_F_SK_CURRENT_NS** or greater, then the > + * socket lookup table in the netns associated with the *ctx* will > + * will be used. For the TC hooks, this is the netns of the device > + * in the skb. For socket hooks, this is the netns of the socket. > + * If *netns* is less than **BPF_F_SK_CURRENT_NS**, then it > + * specifies the ID of the netns relative to the netns associated > + * with the *ctx*. > * > * All values for *flags* are reserved for future usage, and must > * be left at zero. 
> @@ -2409,6 +2411,9 @@ enum bpf_func_id { > /* BPF_FUNC_perf_event_output for sk_buff input context. */ > #define BPF_F_CTXLEN_MASK (0xfffffULL << 32) > > +/* BPF_FUNC_sk_lookup_tcp and BPF_FUNC_sk_lookup_udp flags. */ > +#define BPF_F_SK_CURRENT_NS 0x80000000 /* For netns argument */ > + > /* Mode for BPF_FUNC_skb_adjust_room helper. */ > enum bpf_adj_room_mode { > BPF_ADJ_ROOM_NET, > > Plus adjusting all of the internal types and the helper headers to use > u32. With the highest bit used to specify that the netns should be the > current netns, all other netns IDs should be available. > That seems reasonable if the nsid limit is s32. That revelation shows another hole: $ ip netns add foo $ ip netns set foo 0xffffffff $ ip netns list foo (id: 0) Seems like alloc_netid() should error out if reqid < -1 (-1 being the NETNSA_NSID_NOT_ASSIGNED flag) as opposed to blindly ignoring it.
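Review bot: in the first hunk (the helper comment in union bpf_attr), the meaning of *netns* == 0 changes without being called out. The removed lines say zero selects the netns associated with the *ctx*, while the added lines treat every value below **BPF_F_SK_CURRENT_NS** as a netns ID, so 0 now names nsid 0. A caller written against the old wording that passes 0 would look up sockets in a different namespace than before; the comment should state this explicitly, or the change should explain how existing callers are handled. The added text also has a doubled word across a line break ("will" at the end of one line, "will be used" at the start of the next), and "or greater" would be clearer if it said that *netns* is compared as an unsigned 32-bit value.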
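Review bot: in the second hunk, the block comment introduces BPF_F_SK_CURRENT_NS as one of the sk_lookup "flags", but the helper documentation in the first hunk says all values for *flags* are reserved and must be left at zero, and the trailing comment on the define says the constant is for the netns argument. Reword the block comment so it cannot be read as a value for *flags*, for example "Special values for the netns argument of BPF_FUNC_sk_lookup_tcp and BPF_FUNC_sk_lookup_udp". Because the documentation compares *netns* against this constant with "or greater", an explicit unsigned suffix (0x80000000U), in line with the ULL suffix on BPF_F_CTXLEN_MASK just above, would make the intended type clear.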