Date:   Mon, 17 Dec 2018 11:24:54 +0100
From:   Björn Töpel <bjorn.topel@...il.com>
To:     bjorn.topel@...il.com, magnus.karlsson@...el.com,
        magnus.karlsson@...il.com, ast@...nel.org, daniel@...earbox.net,
        netdev@...r.kernel.org
Cc:     Björn Töpel <bjorn.topel@...el.com>,
        brouer@...hat.com, u9012063@...il.com, qi.z.zhang@...el.com,
        jakub.kicinski@...ronome.com, andrew@...n.ch
Subject: [PATCH bpf-next v2 0/7] Add support for XDP_ATTACH

From: Björn Töpel <bjorn.topel@...el.com>

Hi!

This patch set adds support for a new XDP socket bind option,
XDP_ATTACH.

XDP_ATTACH associates an XDP socket to a specific netdev Rx queue. To
redirect a packet to an attached socket from XDP, the bpf_xsk_redirect
helper is used. The bpf_xsk_redirect helper is also introduced in this
series.

Many XDP socket users just need a simple way of creating/binding a
socket and receiving frames right away without a complicated XDP
program. "Attached" XDP sockets remove the need for the XSKMAP, and
allow for a trivial XDP program, e.g.:

  SEC("xdp")
  int xdp_prog(struct xdp_md *ctx)
  {
        return bpf_xsk_redirect(ctx);
  }

An attached XDP socket also has better performance than the XSKMAP
based sockets (performance numbers below).

The first three patches of the series add support for the XDP_ATTACH
flag and the BPF helper.

Since the trivial XDP program above will be a very common way of using
AF_XDP sockets, it makes sense to bundle that XDP program to libbpf. 

We call BPF programs that are bundled with libbpf "builtin
programs". To access the bpf_object/bpf_program of a builtin program
the following libbpf APIs are introduced:

      LIBBPF_API struct bpf_object *bpf_object__open_builtin(
                      enum bpf_prog_type prog_type);

      LIBBPF_API struct bpf_program *
      bpf_object__find_xdp_builtin_program(
                      struct bpf_object *obj,
                      enum libbpf_builtin_xdp_prog prog);
    
The first function is used to get a handle to the bpf_object
containing all builtin programs for a certain program type. The latter
is used to access a certain builtin program from the bpf_object. Note
that currently only XDP is supported. When other program types are
supported, additional bpf_object__find_PROG_TYPE_builtin_program
functions are required.
    
Patches 4 and 5 introduce the "builtin" program to libbpf.

The last two patches add XDP_ATTACH support and the "builtin" libbpf
support to the sample application.

Some questions:

* If the only builtin programs in libbpf will be XDP programs, the
  libbpf API in this series might be a bit over-engineered. Thoughts?

* Is the idea that users of libbpf should use the IS_ERR*
  functionality for checking pointers (e.g. __open), or is that just
  library internal convenience?

Finally, the performance numbers for rxdrop (Intel(R) Xeon(R) Gold
6154 CPU @ 3.00GHz):

XDP_SKB:
XSKMAP:     2.8 Mpps
XDP_ATTACH: 2.9 Mpps

XDP_DRV - copy:
XSKMAP:     8.5 Mpps
XDP_ATTACH: 9.3 Mpps

XDP_DRV - zero-copy:
XSKMAP:     15.1 Mpps
XDP_ATTACH: 17.3 Mpps

Thanks!
Björn

v1->v2: Reworked the "builtin program" concept. The v1 had the builtin
        program as part of the kernel, which simply added too much
        complexity. In v2, the "builtin" was moved to libbpf
        instead. Alexei suggested that XDP_ATTACH was renamed to
        XDP_BUILTIN_ATTACH, but given that the "builtin" functionality
        was removed, the old name stuck.


Björn Töpel (7):
  xsk: simplify AF_XDP socket teardown
  xsk: add XDP_ATTACH bind() flag
  bpf: add bpf_xsk_redirect function
  tools/bpf: sync kernel uapi bpf.h to tools directory
  libbpf: initial support for builtin BPF programs
  samples: bpf: simplify/cleanup xdpsock
  samples: bpf: add support for XDP_ATTACH to xdpsock

 include/linux/filter.h         |   4 +
 include/linux/netdevice.h      |   1 +
 include/net/xdp_sock.h         |   3 +
 include/trace/events/xdp.h     |  61 ++++++++++++++
 include/uapi/linux/bpf.h       |  14 +++-
 include/uapi/linux/if_xdp.h    |   1 +
 net/core/filter.c              | 100 +++++++++++++++++++++++
 net/xdp/xsk.c                  |  67 +++++++++------
 samples/bpf/xdpsock_user.c     | 145 +++++++++++++++++++++++----------
 tools/include/uapi/linux/bpf.h |  14 +++-
 tools/lib/bpf/libbpf.c         |  85 +++++++++++++++++++
 tools/lib/bpf/libbpf.h         |  14 ++++
 tools/lib/bpf/libbpf.map       |   2 +
 13 files changed, 441 insertions(+), 70 deletions(-)

-- 
2.19.1
