From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
To: bpf@vger.kernel.org
Cc: "Alexei Starovoitov" <ast@kernel.org>,
"Andrii Nakryiko" <andrii@kernel.org>,
"Daniel Borkmann" <daniel@iogearbox.net>,
"Pablo Neira Ayuso" <pablo@netfilter.org>,
"Florian Westphal" <fw@strlen.de>,
"Jesper Dangaard Brouer" <brouer@redhat.com>,
"Toke Høiland-Jørgensen" <toke@redhat.com>,
"Lorenzo Bianconi" <lorenzo@kernel.org>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH bpf-next v6 00/13] New nf_conntrack kfuncs for insertion, changing timeout, status
Date: Tue, 19 Jul 2022 15:24:17 +0200 [thread overview]
Message-ID: <20220719132430.19993-1-memxor@gmail.com> (raw)
Introduce the following new kfuncs:
- bpf_{xdp,skb}_ct_alloc
- bpf_ct_insert_entry
- bpf_ct_{set,change}_timeout
- bpf_ct_{set,change}_status
The setting of timeout and status on allocated or inserted/looked up CT
is same as the ctnetlink interface, hence code is refactored and shared
with the kfuncs. It is ensured allocated CT cannot be passed to kfuncs
that expected inserted CT, and vice versa. Please see individual patches
for details.
Changelog:
----------
v5 -> v6:
v5: https://lore.kernel.org/bpf/20220623192637.3866852-1-memxor@gmail.com
* Introduce kfunc flags, rework verifier to work with them
* Add documentation for kfuncs
* Add comment explaining TRUSTED_ARGS kfunc flag (Alexei)
* Fix missing offset check for trusted arguments (Alexei)
* Change nf_conntrack test minimum delta value to 8
v4 -> v5:
v4: https://lore.kernel.org/bpf/cover.1653600577.git.lorenzo@kernel.org
* Drop read-only PTR_TO_BTF_ID approach, use struct nf_conn___init (Alexei)
* Drop acquire release pair code that is no longer required (Alexei)
* Disable writes into nf_conn, use dedicated helpers (Florian, Alexei)
* Refactor and share ctnetlink code for setting timeout and status
* Do strict type matching on finding __ref suffix on argument to
prevent passing nf_conn___init as nf_conn (offset = 0, match on walk)
* Remove bpf_ct_opts parameter from bpf_ct_insert_entry
* Update selftests for new additions, add more negative tests
v3 -> v4:
v3: https://lore.kernel.org/bpf/cover.1652870182.git.lorenzo@kernel.org
* split bpf_xdp_ct_add in bpf_xdp_ct_alloc/bpf_skb_ct_alloc and
bpf_ct_insert_entry
* add verifier code to properly populate/configure ct entry
* improve selftests
v2 -> v3:
v2: https://lore.kernel.org/bpf/cover.1652372970.git.lorenzo@kernel.org
* add bpf_xdp_ct_add and bpf_ct_refresh_timeout kfunc helpers
* remove conntrack dependency from selftests
* add support for forcing kfunc args to be referenced and related selftests
v1 -> v2:
v1: https://lore.kernel.org/bpf/1327f8f5696ff2bc60400e8f3b79047914ccc837.1651595019.git.lorenzo@kernel.org
* add bpf_ct_refresh_timeout kfunc selftest
Kumar Kartikeya Dwivedi (10):
bpf: Introduce BTF ID flags and 8-byte BTF set
tools/resolve_btfids: Add support for resolving kfunc flags
bpf: Switch to new kfunc flags infrastructure
bpf: Add support for forcing kfunc args to be trusted
bpf: Add documentation for kfuncs
net: netfilter: Deduplicate code in bpf_{xdp,skb}_ct_lookup
net: netfilter: Add kfuncs to set and change CT timeout
selftests/bpf: Add verifier tests for trusted kfunc args
selftests/bpf: Add negative tests for new nf_conntrack kfuncs
selftests/bpf: Fix test_verifier failed test in unprivileged mode
Lorenzo Bianconi (3):
net: netfilter: Add kfuncs to allocate and insert CT
net: netfilter: Add kfuncs to set and change CT status
selftests/bpf: Add tests for new nf_conntrack kfuncs
Documentation/bpf/index.rst | 1 +
Documentation/bpf/kfuncs.rst | 171 ++++++++
include/linux/bpf.h | 3 +-
include/linux/btf.h | 68 ++--
include/linux/btf_ids.h | 64 +++
include/net/netfilter/nf_conntrack_core.h | 19 +
kernel/bpf/btf.c | 120 +++---
kernel/bpf/verifier.c | 14 +-
net/bpf/test_run.c | 75 ++--
net/ipv4/bpf_tcp_ca.c | 18 +-
net/ipv4/tcp_bbr.c | 24 +-
net/ipv4/tcp_cubic.c | 20 +-
net/ipv4/tcp_dctcp.c | 20 +-
net/netfilter/nf_conntrack_bpf.c | 365 +++++++++++++-----
net/netfilter/nf_conntrack_core.c | 62 +++
net/netfilter/nf_conntrack_netlink.c | 54 +--
tools/bpf/resolve_btfids/main.c | 115 +++++-
.../selftests/bpf/bpf_testmod/bpf_testmod.c | 10 +-
.../testing/selftests/bpf/prog_tests/bpf_nf.c | 64 ++-
.../testing/selftests/bpf/progs/test_bpf_nf.c | 85 +++-
.../selftests/bpf/progs/test_bpf_nf_fail.c | 134 +++++++
.../selftests/bpf/verifier/bpf_loop_inline.c | 1 +
tools/testing/selftests/bpf/verifier/calls.c | 53 +++
23 files changed, 1214 insertions(+), 346 deletions(-)
create mode 100644 Documentation/bpf/kfuncs.rst
create mode 100644 tools/testing/selftests/bpf/progs/test_bpf_nf_fail.c
--
2.34.1
next reply other threads:[~2022-07-19 14:08 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-19 13:24 Kumar Kartikeya Dwivedi [this message]
2022-07-19 13:24 ` [PATCH bpf-next v6 01/13] bpf: Introduce BTF ID flags and 8-byte BTF set Kumar Kartikeya Dwivedi
2022-07-19 18:37 ` Alexei Starovoitov
2022-07-20 18:42 ` Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 02/13] tools/resolve_btfids: Add support for resolving kfunc flags Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 03/13] bpf: Switch to new kfunc flags infrastructure Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 04/13] bpf: Add support for forcing kfunc args to be trusted Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 05/13] bpf: Add documentation for kfuncs Kumar Kartikeya Dwivedi
2022-07-20 17:03 ` Toke Høiland-Jørgensen
2022-07-20 18:45 ` Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 06/13] net: netfilter: Deduplicate code in bpf_{xdp,skb}_ct_lookup Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 07/13] net: netfilter: Add kfuncs to allocate and insert CT Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 08/13] net: netfilter: Add kfuncs to set and change CT timeout Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 09/13] net: netfilter: Add kfuncs to set and change CT status Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 10/13] selftests/bpf: Add verifier tests for trusted kfunc args Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 11/13] selftests/bpf: Add tests for new nf_conntrack kfuncs Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 12/13] selftests/bpf: Add negative " Kumar Kartikeya Dwivedi
2022-07-19 13:24 ` [PATCH bpf-next v6 13/13] selftests/bpf: Fix test_verifier failed test in unprivileged mode Kumar Kartikeya Dwivedi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220719132430.19993-1-memxor@gmail.com \
--to=memxor@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=brouer@redhat.com \
--cc=daniel@iogearbox.net \
--cc=fw@strlen.de \
--cc=lorenzo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=toke@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).