From: Shanti Lombard <shanti@mildred.fr>
To: Jakub Sitnicki <jakub@cloudflare.com>
Cc: "Shanti Lombard née Bouchez-Mongardé" <shanti20210120@mildred.fr>,
"Alexei Starovoitov" <alexei.starovoitov@gmail.com>,
bpf <bpf@vger.kernel.org>,
"Network Development" <netdev@vger.kernel.org>,
"Martin KaFai Lau" <kafai@fb.com>
Subject: Re: More flexible BPF socket inet_lookup hooking after listening sockets are dispatched
Date: Thu, 21 Jan 2021 21:40:19 +0100 [thread overview]
Message-ID: <e1fc896faf4ad913e0372bc30461b849@mildred.fr> (raw)
In-Reply-To: <87r1me4k4l.fsf@cloudflare.com>
Le 2021-01-21 12:14, Jakub Sitnicki a écrit :
> On Wed, Jan 20, 2021 at 10:06 PM CET, Alexei Starovoitov wrote:
>
> There is also documentation in the kernel:
>
> https://www.kernel.org/doc/html/latest/bpf/prog_sk_lookup.html
>
Thank you, I saw it, it's well written and very much explains it all.
>
> Existing hook is placed before regular listening/unconnected socket
> lookup to prevent port hijacking on the unprivileged range.
>
Yes, from the point of view of the BPF program. However from the point
of view of a legitimate service listening on a port that might be
blocked by the BPF program, BPF is actually hijacking a port bind.
That being said, if you install the BPF filter, you should know what you
are doing.
>>> The suggestion above would work for my use case, but there is another
>>> possibility to make the same use cases possible : implement in BPF
>>> (or
>>> allow BPF to call) the C and E steps above so the BPF program can
>>> supplant the kernel behavior. I find this solution less elegant and
>>> it
>>> might not work well in case there are multiple inet_lookup BPF
>>> programs
>>> installed.
>
> Having a BPF helper available to BPF sk_lookup programs that looks up a
> socket by packet 4-tuple and netns ID in tcp/udp hashtables sounds
> reasonable to me. You gain the flexibility that you describe without
> adding code on the hot path.
True, if you consider that hot path should not be slowed down. It makes
sense. However, for me, it seems the implementation would be more
difficult.
Looking at existing BPF helpers
<https://man7.org/linux/man-pages/man7/bpf-helpers.7.html> I found
bpf_sk_lookup_tcp and bpf_sk_lookup_ucp that should yield a socket from
a matching tuple and netns. If that's true and usable from within BPF
sk_lookup then it's just a matter of implementing it and the kernel is
already ready for such use cases.
Shanti
next prev parent reply other threads:[~2021-01-21 20:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <afb4e544-d081-eee8-e792-a480364a6572@mildred.fr>
2021-01-20 21:06 ` More flexible BPF socket inet_lookup hooking after listening sockets are dispatched Alexei Starovoitov
2021-01-21 11:14 ` Jakub Sitnicki
2021-01-21 20:40 ` Shanti Lombard [this message]
2021-01-21 22:08 ` Martin KaFai Lau
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e1fc896faf4ad913e0372bc30461b849@mildred.fr \
--to=shanti@mildred.fr \
--cc=alexei.starovoitov@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=jakub@cloudflare.com \
--cc=kafai@fb.com \
--cc=netdev@vger.kernel.org \
--cc=shanti20210120@mildred.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).