From: "Toke Høiland-Jørgensen" <toke@kernel.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, bpf@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH nf-next] netfilter: nf_tables: add ebpf expression
Date: Wed, 31 Aug 2022 15:41:44 +0200 [thread overview]
Message-ID: <87o7w04jjb.fsf@toke.dk> (raw)
In-Reply-To: <20220831125608.GA8153@breakpoint.cc>
Florian Westphal <fw@strlen.de> writes:
> Toke Høiland-Jørgensen <toke@kernel.org> wrote:
>> > Tag and program id are dumped to userspace on 'list' to allow to see which
>> > program is in use in case the filename isn't available/present.
>>
>> It seems a bit odd to include the file path in the kernel as well.
>
> Its needed to be able to re-load the ruleset.
How does that work, exactly? Is this so that the userspace binary can
query the current ruleset, and feed it back to the kernel expecting it
to stay the same? Because in that case, if the pinned object goes away
in the meantime (or changes to a different program), this could lead to
some really hard to debug errors, where a reload subtly changes the
behaviour because the BPF program is not in fact the same.
Using IDs would avoid this ambiguity at least, so I think that's a
better solution. We'd have to make sure the BPF program is not released
completely until after the reload has finished, so that it doesn't
suddenly disappear.
>> But doesn't NFT already have a per-rule comment feature,
>> so why add another specifically for BPF?
>
> You can attach up to 256 bytes to a rule, yes.
> Might not be enough for a longer path, and there could be multiple
> expressions in the same rule.
>
> This way was the most simple solution.
My point here was more that if it's just a label for human consumption,
the comment field should be fine, didn't realise it was needed for the
tool operation (and see above re: that).
>> Instead we could just teach the
>> userspace utility to extract metadata from the BPF program (based on the
>> ID) like bpftool does. This would include the program name, BTW, so it
>> does have a semantic identifier.
>
> Sure, I could change the grammar so it expects a tag or ID, e.g.
> 'ebpf id 42'
>
> If thats preferred, I can change this, it avoids the need for storing
> the name.
I think for echoing back, just relying on the ID is better as that is at
least guaranteed to stay constant for the lifetime of the BPF program in
the kernel. We could still support the 'pinned <path>' syntax on the
command line so that the initial load could be done from a pinned file,
just as a user interface improvement...
>> > cbpf bytecode isn't supported.
>> > add rule ... ebpf pinned "/sys/fs/bpf/myprog"
>>
>> Any plan to also teach the nft binary to load a BPF program from an ELF
>> file (instead of relying on pinning)?
>
> I used pinning because that is what '-m bpf' uses.
I'm not against supporting pinning, per se (except for the issues noted
above), but we could do multiple things, including supporting loading
the program from an object file. This is similar to how TC operates, for
instance...
-Toke
next prev parent reply other threads:[~2022-08-31 13:41 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-31 10:16 [PATCH nf-next] netfilter: nf_tables: add ebpf expression Florian Westphal
2022-08-31 12:13 ` Toke Høiland-Jørgensen
2022-08-31 12:56 ` Florian Westphal
2022-08-31 13:41 ` Toke Høiland-Jørgensen [this message]
2022-08-31 13:57 ` Florian Westphal
2022-08-31 14:43 ` Toke Høiland-Jørgensen
2022-08-31 15:09 ` Pablo Neira Ayuso
2022-08-31 15:35 ` Florian Westphal
2022-08-31 20:38 ` Pablo Neira Ayuso
2022-08-31 15:26 ` Florian Westphal
2022-08-31 15:39 ` Alexei Starovoitov
2022-08-31 15:53 ` Florian Westphal
2022-08-31 17:26 ` Alexei Starovoitov
2022-08-31 21:49 ` Daniel Borkmann
2022-09-01 5:18 ` Eyal Birger
2022-09-02 16:53 ` Alexei Starovoitov
2022-09-05 17:50 ` Eyal Birger
2022-09-01 10:14 ` Florian Westphal
2022-09-02 17:06 ` Alexei Starovoitov
2022-09-02 17:52 ` Florian Westphal
2022-08-31 21:57 ` Florian Westphal
2022-09-06 6:57 ` Nicolas Dichtel
2022-09-07 3:04 ` Alexei Starovoitov
2022-09-07 15:52 ` Nicolas Dichtel
2022-09-01 8:08 ` Jan Engelhardt
2022-08-31 20:44 ` Toke Høiland-Jørgensen
2022-08-31 13:44 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o7w04jjb.fsf@toke.dk \
--to=toke@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=fw@strlen.de \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).