From: Sowmini Varadhan <sowmini.varadhan@oracle.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: David Ahern <dsahern@kernel.org>,
netdev@vger.kernel.org, davem@davemloft.net,
David Ahern <dsahern@gmail.com>
Subject: Re: [PATCH net-next 0/9] net: Kernel side filtering for route dumps
Date: Thu, 11 Oct 2018 11:46:24 -0400
Message-ID: <20181011154624.GD28581@oracle.com>
In-Reply-To: <20181011082637.3e7833c9@xeon-e3>
On (10/11/18 08:26), Stephen Hemminger wrote:
> You can do the something like this already with BPF socket filters.
> But writing BPF for multi-part messages is hard.
Indeed. And I was just experimenting with this for ARP just last week.
So to handle the case of "ip neigh show a.b.c.d" without walking through
the entire arp table and filtering in userspace, you could add a sk_filter()
hook like this:
@@ -2258,6 +2260,24 @@ static int neigh_fill_info(struct sk_buff *skb, struct ne
goto nla_put_failure;
nlmsg_end(skb, nlh);
+
+ /* XXX skb->sk can be null in the neigh_timer_handler->__neigh_notify
+ * path. Revisit..
+ */
+ if (!skb->sk)
+ return 0;
+
+ /* pull/push skb->data pointers so that sk_filter only sees the
+ * most recent nlh that wasjust added.
+ */
+ len = skb->len - nlh->nlmsg_len;
+ skb_pull(skb, len);
+ ret = sk_filter(skb->sk, skb);
+ skb_push(skb, len);
+ if (ret)
+ nlmsg_cancel(skb, nlh);
return 0;
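Review bot: the call at `ret = sk_filter(skb->sk, skb);` relies on more than the program's verdict. sk_filter() is sk_filter_trim_cap(sk, skb, 1): it maps a program result of 0 to -EPERM, and for any other result it pskb_trim()s the skb to that value. With skb->data pulled to the current nlh, a program that returns anything smaller than nlh->nlmsg_len (a plain `ret #1`, say) truncates the entry that was just appended, ret stays 0 so nlmsg_cancel() is not called, and the following skb_push(skb, len) restores a buffer whose last nlmsg_len no longer matches the bytes present. Either document that an attached program must return ~0 (as the cBPF example later in this mail does) or run the program directly on the pulled skb and use only its zero/nonzero result instead of going through sk_filter(). The `if (!skb->sk) return 0;` early-out also means __neigh_notify() events are never filtered while dump replies are; the XXX comment flags it, but the final version should state that asymmetry rather than leave a "Revisit".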
Writing the cBPF filter is not horrible, due to the nla extension. E.g.,
to pass a filter that matches on if_index and ipv4 address, the bpf_asm
src below will do the job. The benefit of using cBPF is that we can
use this on older kernels as well.
#include <arpa/inet.h>        /* htonl() */
#include <linux/filter.h>     /* struct sock_filter, SKF_AD_OFF, SKF_AD_NLATTR */
#include <linux/if_packet.h>  /* struct sockaddr_ll, for sll->sll_ifindex */

/*
 * Generated from the bpf_asm src
 * ldb [20] ; len(nlmsghdr) + offsetof(ndm_ifindex)
 * jne sll->sll_ifindex, skip
 * ld #28 ; A <- len(nlmsghdr) + len(ndmsg), payload offset
 * ldx #1 ; X <- NDA_DST
 * ld #nla ; A <- offset(NDA_DST)
 * jeq #0, skip
 * tax
 * ld [x + 4] ; A <- value(NDA_DST)
 * jneq htonl(addr), skip
 * ret #-1
 * skip: ret #0
 *
 * sll (the peer's sockaddr_ll) and addr (the IPv4 address, network
 * byte order) are filled in by the caller; jump offsets are relative
 * to the next instruction, so every "skip" lands on the final ret #0.
 */
struct sock_filter bpf_filter[] = {
        { 0x30, 0, 0, 0x00000014 },        /* ldb [20]: low byte of ndm_ifindex */
        { 0x15, 0, 8, sll->sll_ifindex },  /* jeq ifindex, else jf=8 -> skip */
        { 0x00, 0, 0, 0x0000001c },        /* ld #28: start of attributes */
        { 0x01, 0, 0, 0x00000001 },        /* ldx #NDA_DST */
        { 0x20, 0, 0, 0xfffff00c },        /* ld #nla: SKF_AD_OFF + SKF_AD_NLATTR */
        { 0x15, 4, 0, 0x00000000 },        /* jeq #0, jt=4 -> skip (no NDA_DST) */
        { 0x07, 0, 0, 0x00000000 },        /* tax: X <- offset(NDA_DST) */
        { 0x40, 0, 0, 0x00000004 },        /* ld [x + 4]: attribute value */
        { 0x15, 0, 1, htonl(addr) },       /* jeq addr, else jf=1 -> skip */
        { 0x06, 0, 0, 0xffffffff },        /* ret #-1: keep this entry */
        { 0x06, 0, 0, 0x00000000 },        /* skip: ret #0: drop this entry */
};
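To check a program like this offline before attaching it, the block below (an added example, not code from this mail or from the kernel tree) walks the eleven instructions above over a constructed RTM_NEWNEIGH record with a minimal interpreter that models only the opcodes the program uses, including the SKF_AD_NLATTR ancillary load. It assumes constructed operands (ifindex 2, address 10.0.0.1) and a little-endian host, which the one-byte ldb [20] load of ndm_ifindex already assumes.

```c
#include <linux/filter.h>     /* struct sock_filter, SKF_AD_OFF, SKF_AD_NLATTR */
#include <linux/netlink.h>    /* struct nlattr, NLA_HDRLEN, NLA_ALIGN */
#include <linux/neighbour.h>  /* NDA_DST */
#define AD_NLATTR ((unsigned)(SKF_AD_OFF + SKF_AD_NLATTR)) /* 0xfffff00c */

/* The posting's filter with constructed operands: ifindex 2 and 10.0.0.1 as 0x0a000001 (a cBPF word load is big-endian). */
static const struct sock_filter neigh_prog[] = {
    { 0x30, 0, 0, 0x14 }, { 0x15, 0, 8, 2 },        /* ldb [20]; jne #2 -> skip */
    { 0x00, 0, 0, 0x1c }, { 0x01, 0, 0, NDA_DST },  /* ld #28; ldx #NDA_DST */
    { 0x20, 0, 0, AD_NLATTR }, { 0x15, 4, 0, 0 },   /* ld #nla; jeq #0 -> skip */
    { 0x07, 0, 0, 0 }, { 0x40, 0, 0, 4 },           /* tax; ld [x + 4] */
    { 0x15, 0, 1, 0x0a000001 },                     /* jne 10.0.0.1 -> skip */
    { 0x06, 0, 0, 0xffffffff }, { 0x06, 0, 0, 0 },  /* ret #-1 (keep); skip: ret #0 */
};
/* Constructed little-endian RTM_NEWNEIGH record: nlmsghdr, ndmsg (AF_INET, ifindex 2), one NDA_DST = 10.0.0.1. */
const unsigned char neigh_msg[36] = {
    36,0,0,0, 28,0, 0,0, 0,0,0,0, 0,0,0,0,  2,0,0,0, 2,0,0,0, 0,0,0,0,
    8,0, 1,0, 10,0,0,1 };

/* SKF_AD_NLATTR semantics: scan attributes from offset a for type x; 0 when absent. */
static unsigned nla_off(const unsigned char *p, unsigned len, unsigned a, unsigned x) {
    for (const struct nlattr *n = (const void *)p; a + NLA_HDRLEN <= len; a += NLA_ALIGN(n->nla_len)) {
        n = (const struct nlattr *)(p + a);
        if (n->nla_len < NLA_HDRLEN || a + n->nla_len > len) return 0;
        if (n->nla_type == x) return a;
    }
    return 0;
}
/* Big-endian word load, which is what cBPF ld [x + k] leaves in A. */
static unsigned ld32(const unsigned char *q) { return (unsigned)q[0] << 24 | q[1] << 16 | q[2] << 8 | q[3]; }

/* Interpret neigh_prog over one message (only the opcodes it uses). Nonzero keeps the entry, 0 skips it. */
unsigned neigh_filter_verdict(const unsigned char *p, unsigned len) {
    unsigned A = 0, X = 0;
    for (unsigned pc = 0; pc < sizeof neigh_prog / sizeof *neigh_prog; pc++) {
        const struct sock_filter *i = &neigh_prog[pc];
        switch (i->code) {
        case 0x30: if (i->k >= len) return 0; A = p[i->k]; break;             /* ldb [k] */
        case 0x00: A = i->k; break;                                            /* ld #k */
        case 0x01: X = i->k; break;                                            /* ldx #k */
        case 0x20: A = i->k == AD_NLATTR ? nla_off(p, len, A, X) : 0; break;   /* ld #nla */
        case 0x07: X = A; break;                                               /* tax */
        case 0x40: if (X + i->k + 4 > len) return 0; A = ld32(p + X + i->k); break;
        case 0x15: pc += A == i->k ? i->jt : i->jf; break;                     /* jeq #k */
        case 0x06: return i->k;                                                /* ret #k */
        default:   return 0;                                                   /* not modelled */
        }
    }
    return 0;
}
```

Passing a shorter length for the same bytes stands in for a record without the NDA_DST attribute, which must take the "skip" path.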