* [PATCH net-next 0/3] Minor cls_bpf updates
@ 2015-09-23 19:56 Daniel Borkmann
2015-09-23 19:56 ` [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS Daniel Borkmann
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: Daniel Borkmann @ 2015-09-23 19:56 UTC (permalink / raw)
To: davem; +Cc: ast, jhs, netdev, Daniel Borkmann
Some minor updates resp. follow-ups on cls_bpf, please see
individual patches for details. Will follow with the iproute2
patch after this series.
Thanks!
Daniel Borkmann (3):
cls_bpf: also dump TCA_BPF_FLAGS
cls_bpf: make binding to classid optional
cls_bpf: limit allowed exec opcodes subset
net/sched/cls_bpf.c | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
--
1.9.3
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS
2015-09-23 19:56 [PATCH net-next 0/3] Minor cls_bpf updates Daniel Borkmann
@ 2015-09-23 19:56 ` Daniel Borkmann
2015-09-23 20:52 ` Alexei Starovoitov
2015-09-23 19:56 ` [PATCH net-next 2/3] cls_bpf: make binding to classid optional Daniel Borkmann
` (2 subsequent siblings)
3 siblings, 1 reply; 8+ messages in thread
From: Daniel Borkmann @ 2015-09-23 19:56 UTC (permalink / raw)
To: davem; +Cc: ast, jhs, netdev, Daniel Borkmann
In commit 43388da42a49 ("cls_bpf: introduce integrated actions") we
have added TCA_BPF_FLAGS. We can also retrieve this information from
the prog, dump it back to user space as well. It's useful in tc when
displaying/dumping filter info.
Also, remove tp from cls_bpf_prog_from_efd(), came in as a conflict
from a rebase and it's unused here (later work may add it along with
a real user).
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
net/sched/cls_bpf.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 0590816..7d92415 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -265,8 +265,7 @@ static int cls_bpf_prog_from_ops(struct nlattr **tb, struct cls_bpf_prog *prog)
return 0;
}
-static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog,
- const struct tcf_proto *tp)
+static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog)
{
struct bpf_prog *fp;
char *name = NULL;
@@ -339,7 +338,7 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
prog->exts_integrated = have_exts;
ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) :
- cls_bpf_prog_from_efd(tb, prog, tp);
+ cls_bpf_prog_from_efd(tb, prog);
if (ret < 0) {
tcf_exts_destroy(&exts);
return ret;
@@ -468,6 +467,7 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
{
struct cls_bpf_prog *prog = (struct cls_bpf_prog *) fh;
struct nlattr *nest;
+ u32 bpf_flags = 0;
int ret;
if (prog == NULL)
@@ -492,6 +492,11 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
if (tcf_exts_dump(skb, &prog->exts) < 0)
goto nla_put_failure;
+ if (prog->exts_integrated)
+ bpf_flags |= TCA_BPF_FLAG_ACT_DIRECT;
+ if (bpf_flags && nla_put_u32(skb, TCA_BPF_FLAGS, bpf_flags))
+ goto nla_put_failure;
+
nla_nest_end(skb, nest);
if (tcf_exts_dump_stats(skb, &prog->exts) < 0)
--
1.9.3
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net-next 2/3] cls_bpf: make binding to classid optional
2015-09-23 19:56 [PATCH net-next 0/3] Minor cls_bpf updates Daniel Borkmann
2015-09-23 19:56 ` [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS Daniel Borkmann
@ 2015-09-23 19:56 ` Daniel Borkmann
2015-09-23 20:53 ` Alexei Starovoitov
2015-09-23 19:56 ` [PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset Daniel Borkmann
2015-09-23 21:29 ` [PATCH net-next 0/3] Minor cls_bpf updates David Miller
3 siblings, 1 reply; 8+ messages in thread
From: Daniel Borkmann @ 2015-09-23 19:56 UTC (permalink / raw)
To: davem; +Cc: ast, jhs, netdev, Daniel Borkmann
The binding to a particular classid was so far always mandatory for
cls_bpf, but it doesn't need to be. Therefore, lift this restriction
as similarly done in other classifiers.
Only a couple of qdiscs make use of class from the tcf_result, others
don't strictly care, so let the user choose his needs (those that read
out class can handle situations where it could be NULL).
An explicit check for tcf_unbind_filter() is also not needed here, as
the previous r->class was 0, so the xchg() will return that and
therefore a callback to the qdisc's unbind_tcf() is skipped.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
net/sched/cls_bpf.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index 7d92415..d6c0a0b 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -307,14 +307,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
{
bool is_bpf, is_ebpf, have_exts = false;
struct tcf_exts exts;
- u32 classid;
int ret;
is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS];
is_ebpf = tb[TCA_BPF_FD];
-
- if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf) ||
- !tb[TCA_BPF_CLASSID])
+ if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf))
return -EINVAL;
tcf_exts_init(&exts, TCA_BPF_ACT, TCA_BPF_POLICE);
@@ -322,7 +319,6 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
if (ret < 0)
return ret;
- classid = nla_get_u32(tb[TCA_BPF_CLASSID]);
if (tb[TCA_BPF_FLAGS]) {
u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]);
@@ -334,7 +330,6 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT;
}
- prog->res.classid = classid;
prog->exts_integrated = have_exts;
ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) :
@@ -344,9 +339,12 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp,
return ret;
}
- tcf_bind_filter(tp, &prog->res, base);
- tcf_exts_change(tp, &prog->exts, &exts);
+ if (tb[TCA_BPF_CLASSID]) {
+ prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]);
+ tcf_bind_filter(tp, &prog->res, base);
+ }
+ tcf_exts_change(tp, &prog->exts, &exts);
return 0;
}
@@ -479,7 +477,8 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh,
if (nest == NULL)
goto nla_put_failure;
- if (nla_put_u32(skb, TCA_BPF_CLASSID, prog->res.classid))
+ if (prog->res.classid &&
+ nla_put_u32(skb, TCA_BPF_CLASSID, prog->res.classid))
goto nla_put_failure;
if (cls_bpf_is_ebpf(prog))
--
1.9.3
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset
2015-09-23 19:56 [PATCH net-next 0/3] Minor cls_bpf updates Daniel Borkmann
2015-09-23 19:56 ` [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS Daniel Borkmann
2015-09-23 19:56 ` [PATCH net-next 2/3] cls_bpf: make binding to classid optional Daniel Borkmann
@ 2015-09-23 19:56 ` Daniel Borkmann
2015-09-23 20:54 ` Alexei Starovoitov
2015-09-23 21:29 ` [PATCH net-next 0/3] Minor cls_bpf updates David Miller
3 siblings, 1 reply; 8+ messages in thread
From: Daniel Borkmann @ 2015-09-23 19:56 UTC (permalink / raw)
To: davem; +Cc: ast, jhs, netdev, Daniel Borkmann
Jamal suggested to further limit the currently allowed subset of opcodes
that may be used by a direct action return code as the intention is not
to replace the full action engine, but rather to have a minimal set that
can be used in the fast-path on things like ingress for some features
that cls_bpf supports.
Classifiers can, of course, still be chained together that have direct
action mode with those that have a full exec pass. For more complex
scenarios that go beyond this minimal set here, the full tcf_exts_exec()
path must be used.
Suggested-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
net/sched/cls_bpf.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c
index d6c0a0b..7eeffaf6 100644
--- a/net/sched/cls_bpf.c
+++ b/net/sched/cls_bpf.c
@@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code)
{
switch (code) {
case TC_ACT_OK:
- case TC_ACT_RECLASSIFY:
case TC_ACT_SHOT:
- case TC_ACT_PIPE:
case TC_ACT_STOLEN:
- case TC_ACT_QUEUED:
case TC_ACT_REDIRECT:
case TC_ACT_UNSPEC:
return code;
--
1.9.3
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS
2015-09-23 19:56 ` [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS Daniel Borkmann
@ 2015-09-23 20:52 ` Alexei Starovoitov
0 siblings, 0 replies; 8+ messages in thread
From: Alexei Starovoitov @ 2015-09-23 20:52 UTC (permalink / raw)
To: Daniel Borkmann, davem; +Cc: jhs, netdev
On 9/23/15 12:56 PM, Daniel Borkmann wrote:
> In commit 43388da42a49 ("cls_bpf: introduce integrated actions") we
> have added TCA_BPF_FLAGS. We can also retrieve this information from
> the prog, dump it back to user space as well. It's useful in tc when
> displaying/dumping filter info.
>
> Also, remove tp from cls_bpf_prog_from_efd(), came in as a conflict
> from a rebase and it's unused here (later work may add it along with
> a real user).
>
> Signed-off-by: Daniel Borkmann<daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net-next 2/3] cls_bpf: make binding to classid optional
2015-09-23 19:56 ` [PATCH net-next 2/3] cls_bpf: make binding to classid optional Daniel Borkmann
@ 2015-09-23 20:53 ` Alexei Starovoitov
0 siblings, 0 replies; 8+ messages in thread
From: Alexei Starovoitov @ 2015-09-23 20:53 UTC (permalink / raw)
To: Daniel Borkmann, davem; +Cc: jhs, netdev
On 9/23/15 12:56 PM, Daniel Borkmann wrote:
> The binding to a particular classid was so far always mandatory for
> cls_bpf, but it doesn't need to be. Therefore, lift this restriction
> as similarly done in other classifiers.
>
> Only a couple of qdiscs make use of class from the tcf_result, others
> don't strictly care, so let the user choose his needs (those that read
> out class can handle situations where it could be NULL).
>
> An explicit check for tcf_unbind_filter() is also not needed here, as
> the previous r->class was 0, so the xchg() will return that and
> therefore a callback to the qdisc's unbind_tcf() is skipped.
>
> Signed-off-by: Daniel Borkmann<daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset
2015-09-23 19:56 ` [PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset Daniel Borkmann
@ 2015-09-23 20:54 ` Alexei Starovoitov
0 siblings, 0 replies; 8+ messages in thread
From: Alexei Starovoitov @ 2015-09-23 20:54 UTC (permalink / raw)
To: Daniel Borkmann, davem; +Cc: jhs, netdev
On 9/23/15 12:56 PM, Daniel Borkmann wrote:
> Jamal suggested to further limit the currently allowed subset of opcodes
> that may be used by a direct action return code as the intention is not
> to replace the full action engine, but rather to have a minimal set that
> can be used in the fast-path on things like ingress for some features
> that cls_bpf supports.
>
> Classifiers can, of course, still be chained together that have direct
> action mode with those that have a full exec pass. For more complex
> scenarios that go beyond this minimal set here, the full tcf_exts_exec()
> path must be used.
>
> Suggested-by: Jamal Hadi Salim<jhs@mojatatu.com>
> Signed-off-by: Daniel Borkmann<daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net-next 0/3] Minor cls_bpf updates
2015-09-23 19:56 [PATCH net-next 0/3] Minor cls_bpf updates Daniel Borkmann
` (2 preceding siblings ...)
2015-09-23 19:56 ` [PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset Daniel Borkmann
@ 2015-09-23 21:29 ` David Miller
3 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2015-09-23 21:29 UTC (permalink / raw)
To: daniel; +Cc: ast, jhs, netdev
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed, 23 Sep 2015 21:56:45 +0200
> Some minor updates resp. follow-ups on cls_bpf, please see
> individual patches for details. Will follow with the iproute2
> patch after this series.
Series applied, thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2015-09-23 21:29 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-09-23 19:56 [PATCH net-next 0/3] Minor cls_bpf updates Daniel Borkmann
2015-09-23 19:56 ` [PATCH net-next 1/3] cls_bpf: also dump TCA_BPF_FLAGS Daniel Borkmann
2015-09-23 20:52 ` Alexei Starovoitov
2015-09-23 19:56 ` [PATCH net-next 2/3] cls_bpf: make binding to classid optional Daniel Borkmann
2015-09-23 20:53 ` Alexei Starovoitov
2015-09-23 19:56 ` [PATCH net-next 3/3] cls_bpf: further limit exec opcodes subset Daniel Borkmann
2015-09-23 20:54 ` Alexei Starovoitov
2015-09-23 21:29 ` [PATCH net-next 0/3] Minor cls_bpf updates David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).