From: Maxim Mikityanskiy <maximmi@nvidia.com>
To: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
David Ahern <dsahern@kernel.org>,
"Jesper Dangaard Brouer" <hawk@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
"Nick Desaulniers" <ndesaulniers@google.com>,
Brendan Jackman <jackmanb@google.com>,
Florent Revest <revest@chromium.org>,
Joe Stringer <joe@cilium.io>, Lorenz Bauer <lmb@cloudflare.com>,
Tariq Toukan <tariqt@nvidia.com>, <netdev@vger.kernel.org>,
<bpf@vger.kernel.org>, <clang-built-linux@googlegroups.com>,
Maxim Mikityanskiy <maximmi@nvidia.com>
Subject: [PATCH bpf-next 00/10] New BPF helpers to accelerate synproxy
Date: Tue, 19 Oct 2021 17:46:45 +0300
Message-ID: <20211019144655.3483197-1-maximmi@nvidia.com>

This series starts with some cleanup and bugfixing in the existing BPF
helpers for SYN cookies. The second half adds new functionality that
allows XDP to accelerate iptables synproxy.

struct nf_conn is exposed to BPF, and new helpers are added to query
conntrack info by 5-tuple. The only field exposed for now is status, but
it can be extended easily in the future.

New helpers are added to issue SYN and timestamp cookies and to check
SYN cookies without binding to a socket, which is useful in the synproxy
scenario.

Finally, a sample XDP and userspace program is added that shows how all
components work together. The XDP program uses socketless SYN cookie
helpers and queries conntrack status instead of socket status. A demo
script shows how to deploy the synproxy+XDP solution.

The draft of the new functionality was presented at Netdev 0x15:
https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP

Maxim Mikityanskiy (10):
  bpf: Use ipv6_only_sock in bpf_tcp_gen_syncookie
  bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
  bpf: Use EOPNOTSUPP in bpf_tcp_check_syncookie
  bpf: Make errors of bpf_tcp_check_syncookie distinguishable
  bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
  bpf: Expose struct nf_conn to BPF
  bpf: Add helpers to query conntrack info
  bpf: Add helpers to issue and check SYN cookies in XDP
  bpf: Add a helper to issue timestamp cookies in XDP
  bpf: Add sample for raw syncookie helpers

 include/linux/bpf.h            |  46 +++
 include/net/tcp.h              |   2 +
 include/uapi/linux/bpf.h       | 193 ++++++++++-
 kernel/bpf/verifier.c          | 104 +++++-
 net/core/filter.c              | 433 +++++++++++++++++++++++-
 net/ipv4/syncookies.c          |  60 ++++
 net/ipv4/tcp_input.c           |   3 +-
 samples/bpf/.gitignore         |   1 +
 samples/bpf/Makefile           |   3 +
 samples/bpf/syncookie_kern.c   | 591 +++++++++++++++++++++++++++++++++
 samples/bpf/syncookie_test.sh  |  55 +++
 samples/bpf/syncookie_user.c   | 388 ++++++++++++++++++++++
 scripts/bpf_doc.py             |   1 +
 tools/include/uapi/linux/bpf.h | 193 ++++++++++-
 14 files changed, 2047 insertions(+), 26 deletions(-)
 create mode 100644 samples/bpf/syncookie_kern.c
 create mode 100755 samples/bpf/syncookie_test.sh
 create mode 100644 samples/bpf/syncookie_user.c

--
2.30.2
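
Added illustration, not code from this series or from the kernel: a stateless SYN cookie issue/check in plain C that needs no socket or per-connection state, which is the property the socketless helpers described in the cover letter depend on. The bit layout, the `mix()` hash, the secret and the MSS table are assumptions made for this example; the kernel's own cookie format and hash differ.

```c
#include <stdint.h>

/* Constructed for illustration: flow layout, secret, MSS table and hash. */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

static const uint16_t mss_tab[4] = { 536, 1300, 1440, 1460 };
static const uint32_t secret[2] = { 0x9e3779b9u, 0x7f4a7c15u };

/* Toy mixer standing in for a real keyed hash; not cryptographically strong. */
static uint32_t mix(uint32_t h, uint32_t v)
{
    h ^= v;
    h *= 0x85ebca6bu;
    h ^= h >> 13;
    h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}

/* 24-bit MAC over the flow, the client's ISN, the time counter and the MSS index. */
static uint32_t mac24(const struct flow *f, uint32_t isn, uint32_t count, uint32_t idx)
{
    uint32_t h = mix(secret[0], f->saddr);
    h = mix(h, f->daddr);
    h = mix(h, ((uint32_t)f->sport << 16) | f->dport);
    h = mix(h, isn);
    h = mix(h, count);
    h = mix(h, idx);
    return mix(h, secret[1]) & 0xffffffu;
}

/* On SYN: the SYN-ACK sequence number is [counter:6 | MSS index:2 | MAC:24]. */
uint32_t cookie_gen(const struct flow *f, uint32_t client_isn, uint32_t count, uint32_t idx)
{
    idx &= 3u;
    return ((count & 0x3fu) << 26) | (idx << 24) | mac24(f, client_isn, count, idx);
}

/* On ACK: cookie = ack_seq - 1, client_isn = seq - 1. Returns the MSS or -1. */
int cookie_check(const struct flow *f, uint32_t client_isn, uint32_t cookie, uint32_t now)
{
    uint32_t idx = (cookie >> 24) & 3u;
    uint32_t age = (now - (cookie >> 26)) & 0x3fu;  /* periods since issue */

    if (age > 1)  /* only the current or previous counter period is accepted */
        return -1;
    if (mac24(f, client_isn, now - age, idx) != (cookie & 0xffffffu))
        return -1;
    return mss_tab[idx];
}
```

Everything the checker needs arrives in the ACK itself, so a packet-level hook can validate the handshake before any connection state is allocated.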