From: Tushar Dave
Subject: Re: [RFC PATCH 1/3] ebpf: add next_skb_frag bpf helper for sk filter
Date: Fri, 8 Jun 2018 15:24:12 -0700
To: Daniel Borkmann , netdev@vger.kernel.org, ast@kernel.org, davem@davemloft.net, john.fastabend@gmail.com, jakub.kicinski@netronome.com, kafai@fb.com, rdna@fb.com, quentin.monnet@netronome.com, brakmo@fb.com, acme@redhat.com
References: <1528491607-10399-1-git-send-email-tushar.n.dave@oracle.com> <1528491607-10399-2-git-send-email-tushar.n.dave@oracle.com> <9588eb72-f1d5-f6ce-b2a3-aefb431e70d5@iogearbox.net> <39186936-9af3-f609-7b2a-26c908558a5a@oracle.com>
In-Reply-To: <39186936-9af3-f609-7b2a-26c908558a5a@oracle.com>

On 06/08/2018 02:46 PM, Tushar Dave wrote:
>
>
> On 06/08/2018 02:27 PM, Daniel Borkmann wrote:
>> On 06/08/2018 11:00 PM, Tushar Dave wrote:
>>> Today socket filter only deals with linear skbs. This change allows
>>> ebpf programs to look into non-linear skb e.g. skb frags. This will be
>>> useful when users need to look into data which is not contained in the
>>> linear part of skb.
>>
>> Hmm, I don't think this statement is correct in its form here ... they
>> can handle non-linear skbs just fine.
> Thanks Daniel for your reply.
>>
>> Straight forward way is to use bpf_skb_load_bytes(). It's simple and uses
>> internally skb_header_pointer(), and that one of course walks everything
>> if it really has to via skb_copy_bits() (page frags _and_ frag list). And
>> if you need to look into mac/net headers that may otherwise not be accessible
>> anymore from socket layer, there's bpf_skb_load_bytes_relative() helper
>> which is effectively doing the negative offset trick from ld_abs/ind more
>> efficient for multi-byte loads.
> I'm looking into bpf_skb_load_bytes and friends.

Daniel,

While I am trying to see if I can use existing bpf_skb_load helpers, I am
wondering whether socket filter based ebpf programs are allowed to change
packet data? In other words, can we use them to build a firewall?

Thanks.

-Tushar
>
> Thanks.
> -Tushar
>>
>> Thanks,
>> Daniel
>>
>
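
The point made in the quoted reply, that a load-by-offset helper built on skb_header_pointer() and skb_copy_bits() reads across the linear/frag boundary, shown as a simplified user-space model. This is an added example, not kernel code and not code from this thread; `struct model_skb`, `struct frag`, `model_copy_bits()`, `model_header_pointer()` and `demo_load_be32()` are hypothetical names, the packet bytes are constructed, and the frag list is left out of the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: an skb modelled as a linear head plus an array of page frags. */
struct frag { const unsigned char *data; size_t len; };
struct model_skb {
    const unsigned char *head; size_t headlen;  /* linear part */
    const struct frag *frags; size_t nr_frags;  /* paged part */
};

/* Models skb_copy_bits(): copy len bytes at off, walking head then frags. */
static int model_copy_bits(const struct model_skb *skb, size_t off,
                           void *to, size_t len)
{
    unsigned char *dst = to;
    for (size_t i = 0; i <= skb->nr_frags && len; i++) {
        /* segment 0 is the linear head, segments 1..n are the page frags */
        const unsigned char *seg = i ? skb->frags[i - 1].data : skb->head;
        size_t seglen = i ? skb->frags[i - 1].len : skb->headlen;
        if (off >= seglen) { off -= seglen; continue; }
        size_t n = seglen - off < len ? seglen - off : len;
        memcpy(dst, seg + off, n);
        dst += n; len -= n; off = 0;
    }
    return len ? -1 : 0;  /* -1: the read ran past the end of the packet */
}

/* Models skb_header_pointer(): direct pointer if the range is linear,
 * otherwise copy into the caller's buffer and return that. */
static const void *model_header_pointer(const struct model_skb *skb,
                                        size_t off, size_t len, void *buf)
{
    if (off <= skb->headlen && len <= skb->headlen - off)
        return skb->head + off;  /* fast path, no copy */
    return model_copy_bits(skb, off, buf, len) ? NULL : buf;
}

/* Constructed sample packet: 4 linear bytes followed by two page frags. */
static const unsigned char HEAD[] = {0x45, 0x00, 0x00, 0x54};
static const unsigned char F0[] = {0xde, 0xad};
static const unsigned char F1[] = {0xbe, 0xef, 0x01, 0x02};

/* Load a big-endian u32 at off; -1 if the read runs past the packet. */
long long demo_load_be32(size_t off)
{
    const struct frag frags[] = {{F0, sizeof F0}, {F1, sizeof F1}};
    const struct model_skb skb = {HEAD, sizeof HEAD, frags, 2};
    unsigned char buf[4];
    const unsigned char *p = model_header_pointer(&skb, off, sizeof buf, buf);
    if (!p) return -1;
    return ((long long)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
}

int main(void) { printf("%llx\n", demo_load_be32(2)); return 0; }
```

A read at offset 2 starts in the linear head and finishes in the first frag, which is the case a filter limited to linear data would miss.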