Date: Wed, 30 Jan 2019 15:51:33 -0800
In-Reply-To: <20190130235136.136527-1-posk@google.com>
Message-Id: <20190130235136.136527-3-posk@google.com>
References: <20190130235136.136527-1-posk@google.com>
Subject: [PATCH bpf-next v5 2/5] bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap
From: Peter Oskolkov
To: Alexei Starovoitov, Daniel Borkmann, netdev@vger.kernel.org
Cc: Peter Oskolkov, David Ahern, Peter Oskolkov

This patch implements BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap BPF helper. It enables BPF programs (specifically, BPF_PROG_TYPE_LWT_IN and BPF_PROG_TYPE_LWT_XMIT prog types) to add IP encapsulation headers to packets (e.g. IP/GRE, GUE, IPIP).

This is useful when thousands of different short-lived flows should be encapped, each with different and dynamically determined destination. Although lwtunnels can be used in some of these scenarios, the ability to dynamically generate encap headers adds more flexibility, e.g. when routing depends on the state of the host (reflected in global bpf maps).

Signed-off-by: Peter Oskolkov
--- include/net/lwtunnel.h | 3 +++ net/core/filter.c | 3 ++- net/core/lwt_bpf.c | 59 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h index 33fd9ba7e0e5..f0973eca8036 100644 --- a/include/net/lwtunnel.h +++ b/include/net/lwtunnel.h @@ -126,6 +126,8 @@ int lwtunnel_cmp_encap(struct lwtunnel_state *a, struct lwtunnel_state *b); int lwtunnel_output(struct net *net, struct sock *sk, struct sk_buff *skb); int lwtunnel_input(struct sk_buff *skb); int lwtunnel_xmit(struct sk_buff *skb); +int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, + bool ingress); static inline void lwtunnel_set_redirect(struct dst_entry *dst) { @@ -138,6 +140,7 @@ static inline void lwtunnel_set_redirect(struct dst_entry *dst) dst->input = lwtunnel_input; } } + #else static inline void lwtstate_free(struct lwtunnel_state *lws) diff --git a/net/core/filter.c b/net/core/filter.c index 27d3fbe4b77b..de6bd4b4e0a3 100644 --- a/net/core/filter.c +++ b/net/core/filter.c 
@@ -73,6 +73,7 @@ #include #include #include +#include /** * sk_filter_trim_cap - run a packet through a socket filter @@ -4804,7 +4805,7 @@ static int bpf_push_seg6_encap(struct sk_buff *skb, u32 type, void *hdr, u32 len static int bpf_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, bool ingress) { - return -EINVAL; /* Implemented in the next patch. */ + return bpf_lwt_push_ip_encap(skb, hdr, len, ingress); } BPF_CALL_4(bpf_lwt_in_push_encap, struct sk_buff *, skb, u32, type, void *, hdr, diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index a648568c5e8f..6a6e9acab73d 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c 
@@ -390,6 +390,65 @@ static const struct lwtunnel_encap_ops bpf_encap_ops = { .owner = THIS_MODULE, }; +int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, bool ingress) +{ + struct iphdr *iph; + bool ipv4; + int err; + + if (unlikely(len < sizeof(struct iphdr) || len > LWT_BPF_MAX_HEADROOM)) + return -EINVAL; + + /* validate protocol and length */ + iph = (struct iphdr *)hdr; + if (iph->version == 4) { + ipv4 = true; + if (unlikely(len < iph->ihl * 4)) + return -EINVAL; + } else if (iph->version == 6) { + ipv4 = false; + if (unlikely(len < sizeof(struct ipv6hdr))) + return -EINVAL; + } else { + return -EINVAL; + } + + if (ingress) + err = skb_cow_head(skb, len + skb->mac_len); + else + err = skb_cow_head(skb, + len + LL_RESERVED_SPACE(skb_dst(skb)->dev)); + if (unlikely(err)) + return err; + + /* push the encap headers and fix pointers */ + skb_reset_inner_headers(skb); + skb->encapsulation = 1; + skb_push(skb, len); + if (ingress) + skb_postpush_rcsum(skb, iph, len); + skb_reset_network_header(skb); + memcpy(skb_network_header(skb), hdr, len); + bpf_compute_data_pointers(skb); + + if (ipv4) { + skb->protocol = htons(ETH_P_IP); + iph = ip_hdr(skb); + if (iph->ihl * 4 < len) + skb_set_transport_header(skb, iph->ihl * 4); + + if (!iph->check) + iph->check = ip_fast_csum((unsigned char *)iph, + iph->ihl); + } else { + skb->protocol = htons(ETH_P_IPV6); + if (sizeof(struct ipv6hdr) < len) + skb_set_transport_header(skb, sizeof(struct ipv6hdr)); + } + + return 0; +} + static int __init bpf_lwt_init(void) { return lwtunnel_encap_add_ops(&bpf_encap_ops, LWTUNNEL_ENCAP_BPF); -- 2.20.1.495.gaa96b0ce6b-goog
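Review bot: in include/net/lwtunnel.h (first hunk), the bpf_lwt_push_ip_encap() prototype is added only in the branch before #else and no stub is added to the #else branch, while bpf_push_ip_encap() in net/core/filter.c now calls it with no config guard visible in that hunk. Unless the caller is already compiled out whenever net/core/lwt_bpf.c is not built, the build fails in that configuration. Suggest either a static inline stub in the #else branch that returns an error such as -EOPNOTSUPP, or a config guard around the caller in filter.c.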
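Review bot: the second include/net/lwtunnel.h hunk (@@ -138,6 +140,7 @@) only adds a blank line before #else. It is unrelated to the feature and can be dropped from the patch.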
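Review bot: in bpf_lwt_push_ip_encap() (net/core/lwt_bpf.c), the IPv4 validation only checks `len < iph->ihl * 4`, so a BPF-supplied header with ihl below 5 is accepted. With such a header, `skb_set_transport_header(skb, iph->ihl * 4)` places the transport header inside the 20-byte IP header (at offset 0 when ihl is 0), and ip_fast_csum() is called with that same ihl. Suggest rejecting it in the validation block, for example `if (unlikely(iph->ihl < 5 || len < iph->ihl * 4)) return -EINVAL;`. A short comment above the function stating what `ingress` selects (the mac_len versus LL_RESERVED_SPACE headroom and the rcsum update) would also help callers outside this file.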