From: Joe Stringer <joe@wand.net.nz>
To: daniel@iogearbox.net
Cc: Joe Stringer <joe@wand.net.nz>,
ast@kernel.org, netdev <netdev@vger.kernel.org>,
john fastabend <john.fastabend@gmail.com>,
tgraf@suug.ch, Martin KaFai Lau <kafai@fb.com>,
Nitin Hande <nitin.hande@gmail.com>,
mauricio.vasquez@polito.it
Subject: Re: [PATCHv2 bpf-next 07/11] bpf: Add helper to retrieve socket in BPF
Date: Mon, 24 Sep 2018 11:04:02 -0700 [thread overview]
Message-ID: <CAOftzPgMQ8_9g_hq7e7D3Zxod9e_jXsUUZwNz_8FziunxL2X2Q@mail.gmail.com> (raw)
In-Reply-To: <d2b803a4-509f-6d7f-1177-f3ccc1f875eb@iogearbox.net>
On Mon, 24 Sep 2018 at 05:12, Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> Hi Joe,
>
> couple of comments inline:
Thanks for the review, I'll fix up those bits.
> On 09/21/2018 07:10 PM, Joe Stringer wrote:
> > This patch adds new BPF helper functions, bpf_sk_lookup_tcp() and
> > bpf_sk_lookup_udp() which allows BPF programs to find out if there is a
> > socket listening on this host, and returns a socket pointer which the
> > BPF program can then access to determine, for instance, whether to
> > forward or drop traffic. bpf_sk_lookup_xxx() may take a reference on the
> > socket, so when a BPF program makes use of this function, it must
> > subsequently pass the returned pointer into the newly added sk_release()
> > to return the reference.
> >
> > By way of example, the following pseudocode would filter inbound
> > connections at XDP if there is no corresponding service listening for
> > the traffic:
> >
> > struct bpf_sock_tuple tuple;
> > struct bpf_sock_ops *sk;
> >
> > populate_tuple(ctx, &tuple); // Extract the 5tuple from the packet
> > sk = bpf_sk_lookup_tcp(ctx, &tuple, sizeof tuple, netns, 0);
> > if (!sk) {
> > // Couldn't find a socket listening for this traffic. Drop.
> > return TC_ACT_SHOT;
> > }
> > bpf_sk_release(sk, 0);
> > return TC_ACT_OK;
> >
> > Signed-off-by: Joe Stringer <joe@wand.net.nz>
> >
> > ---
> >
> > v2: Rework 'struct bpf_sock_tuple' to allow passing a packet pointer
> > Limit netns_id field to 32 bits
> > Fix compile error with CONFIG_IPV6 enabled
> > Allow direct packet access from helper
> > ---
> > include/uapi/linux/bpf.h | 57 ++++++++-
> > kernel/bpf/verifier.c | 8 +-
> > net/core/filter.c | 149 ++++++++++++++++++++++
> > tools/include/uapi/linux/bpf.h | 57 ++++++++-
> > tools/testing/selftests/bpf/bpf_helpers.h | 12 ++
> > 5 files changed, 280 insertions(+), 3 deletions(-)
> >
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index aa5ccd2385ed..620adbb09a94 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > ...
> > +/* bpf_sk_lookup performs the core lookup for different types of sockets,
> > + * taking a reference on the socket if it doesn't have the flag SOCK_RCU_FREE.
> > + * Returns the socket as an 'unsigned long' to simplify the casting in the
> > + * callers to satisfy BPF_CALL declarations.
> > + */
> > +static unsigned long
> > +bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
> > + u8 proto, u64 netns_id, u64 flags)
> > +{
> > + struct net *caller_net = dev_net(skb->dev);
>
> For sk_skb programs, are we *always* guaranteed to have a skb->dev assigned?
>
> This definitely holds true for tc programs, but afaik not for sk_skb ones where
> you enable the helpers below, so this would result in a NULL ptr dereference.
I'll update this to take the netns from the skb->sk in those hooks.
> > +BPF_CALL_2(bpf_sk_release, struct sock *, sk, u64, flags)
> > +{
> > + if (!sock_flag(sk, SOCK_RCU_FREE))
> > + sock_gen_put(sk);
> > +
> > + if (unlikely(flags))
> > + return -EINVAL;
>
> I guess it's probably okay to leave here, though I'm wondering whether it's
> worth to have a flags part in general in this helper. We need to release the
> reference in any case beforehands anyway as we otherwise leak it. Personally,
> I'd probably that arg here.
I agree, I can't think of a good reason to have optional behaviour on
socket release. I'll drop it.
> > + return 0;
> > +}
> > +
> > +static const struct bpf_func_proto bpf_sk_release_proto = {
> > + .func = bpf_sk_release,
> > + .gpl_only = false,
> > + .ret_type = RET_INTEGER,
> > + .arg1_type = ARG_PTR_TO_SOCKET,
> > + .arg2_type = ARG_ANYTHING,
> > +};
> > +
> > bool bpf_helper_changes_pkt_data(void *func)
> > {
> > if (func == bpf_skb_vlan_push ||
> > @@ -5018,6 +5155,12 @@ tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> > case BPF_FUNC_skb_ancestor_cgroup_id:
> > return &bpf_skb_ancestor_cgroup_id_proto;
> > #endif
> > + case BPF_FUNC_sk_lookup_tcp:
> > + return &bpf_sk_lookup_tcp_proto;
> > + case BPF_FUNC_sk_lookup_udp:
> > + return &bpf_sk_lookup_udp_proto;
> > + case BPF_FUNC_sk_release:
> > + return &bpf_sk_release_proto;
> > default:
> > return bpf_base_func_proto(func_id);
> > }
> > @@ -5118,6 +5261,12 @@ sk_skb_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
> > return &bpf_sk_redirect_hash_proto;
> > case BPF_FUNC_get_local_storage:
> > return &bpf_get_local_storage_proto;
> > + case BPF_FUNC_sk_lookup_tcp:
> > + return &bpf_sk_lookup_tcp_proto;
> > + case BPF_FUNC_sk_lookup_udp:
> > + return &bpf_sk_lookup_udp_proto;
> > + case BPF_FUNC_sk_release:
> > + return &bpf_sk_release_proto;
>
> (See comment above.)
next prev parent reply other threads:[~2018-09-25 0:07 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-21 17:10 [PATCHv2 bpf-next 00/11] Add socket lookup support Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 01/11] bpf: Add iterator for spilled registers Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 02/11] bpf: Simplify ptr_min_max_vals adjustment Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 03/11] bpf: Generalize ptr_or_null regs check Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 04/11] bpf: Add PTR_TO_SOCKET verifier type Joe Stringer
2018-09-24 12:24 ` Daniel Borkmann
2018-09-21 17:10 ` [PATCHv2 bpf-next 05/11] bpf: Macrofy stack state copy Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 06/11] bpf: Add reference tracking to verifier Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 07/11] bpf: Add helper to retrieve socket in BPF Joe Stringer
2018-09-24 12:12 ` Daniel Borkmann
2018-09-24 12:38 ` Daniel Borkmann
2018-09-24 18:05 ` Joe Stringer
2018-09-24 19:18 ` Daniel Borkmann
2018-09-24 12:51 ` Daniel Borkmann
2018-09-24 18:09 ` Joe Stringer
2018-09-24 18:04 ` Joe Stringer [this message]
2018-09-21 17:10 ` [PATCHv2 bpf-next 08/11] selftests/bpf: Add tests for reference tracking Joe Stringer
2018-09-24 12:21 ` Daniel Borkmann
2018-09-26 22:31 ` Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 09/11] libbpf: Support loading individual progs Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 10/11] selftests/bpf: Add C tests for reference tracking Joe Stringer
2018-09-21 17:10 ` [PATCHv2 bpf-next 11/11] Documentation: Describe bpf " Joe Stringer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAOftzPgMQ8_9g_hq7e7D3Zxod9e_jXsUUZwNz_8FziunxL2X2Q@mail.gmail.com \
--to=joe@wand.net.nz \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=mauricio.vasquez@polito.it \
--cc=netdev@vger.kernel.org \
--cc=nitin.hande@gmail.com \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).