Date:   Thu, 8 Aug 2019 07:15:22 +0900
From:   "Daniel T. Lee" <danieltimlee@...il.com>
To:     Jakub Kicinski <jakub.kicinski@...ronome.com>
Cc:     Daniel Borkmann <daniel@...earbox.net>,
        Alexei Starovoitov <ast@...nel.org>,
        netdev <netdev@...r.kernel.org>
Subject: Re: [v3,1/4] tools: bpftool: add net attach command to attach XDP on interface

On Thu, Aug 8, 2019 at 5:42 AM Jakub Kicinski
<jakub.kicinski@...ronome.com> wrote:
>
> On Wed,  7 Aug 2019 11:25:06 +0900, Daniel T. Lee wrote:
> > By this commit, using `bpftool net attach`, user can attach XDP prog on
> > interface. New type of enum 'net_attach_type' has been made, as stated at
> > cover-letter, the meaning of 'attach' is, prog will be attached on interface.
> >
> > With 'overwrite' option at argument, attached XDP program could be replaced.
> > Added new helper 'net_parse_dev' to parse the network device at argument.
> >
> > BPF prog will be attached through libbpf 'bpf_set_link_xdp_fd'.
> >
> > Signed-off-by: Daniel T. Lee <danieltimlee@...il.com>
> > ---
> >  tools/bpf/bpftool/net.c | 141 ++++++++++++++++++++++++++++++++++++----
> >  1 file changed, 130 insertions(+), 11 deletions(-)
> >
> > diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
> > index 67e99c56bc88..c05a3fac5cac 100644
> > --- a/tools/bpf/bpftool/net.c
> > +++ b/tools/bpf/bpftool/net.c
> > @@ -55,6 +55,35 @@ struct bpf_attach_info {
> >       __u32 flow_dissector_id;
> >  };
> >
> > +enum net_attach_type {
> > +     NET_ATTACH_TYPE_XDP,
> > +     NET_ATTACH_TYPE_XDP_GENERIC,
> > +     NET_ATTACH_TYPE_XDP_DRIVER,
> > +     NET_ATTACH_TYPE_XDP_OFFLOAD,
> > +};
> > +
> > +static const char * const attach_type_strings[] = {
> > +     [NET_ATTACH_TYPE_XDP]           = "xdp",
> > +     [NET_ATTACH_TYPE_XDP_GENERIC]   = "xdpgeneric",
> > +     [NET_ATTACH_TYPE_XDP_DRIVER]    = "xdpdrv",
> > +     [NET_ATTACH_TYPE_XDP_OFFLOAD]   = "xdpoffload",
> > +};
> > +
> > +const size_t max_net_attach_type = ARRAY_SIZE(attach_type_strings);
>
> Nit: in practice max_.._type is num_types - 1, so perhaps rename this
> to num_.. or such?
>

I can see at 'map.c', it declares ARRAY_SIZE with '_size' suffix.
         const size_t map_type_name_size = ARRAY_SIZE(map_type_name);

I'll change this variable name 'max_net_attach_type' to 'net_attach_type_size'.

> > +static enum net_attach_type parse_attach_type(const char *str)
> > +{
> > +     enum net_attach_type type;
> > +
> > +     for (type = 0; type < max_net_attach_type; type++) {
> > +             if (attach_type_strings[type] &&
> > +                is_prefix(str, attach_type_strings[type]))
>
>                    ^
> this is misaligned by one space
>
> Please try checkpatch with the --strict option to catch these.
>

I didn't know checkpatch has strict option.
Thanks for letting me know!

> > +                     return type;
> > +     }
> > +
> > +     return max_net_attach_type;
> > +}
> > +
> >  static int dump_link_nlmsg(void *cookie, void *msg, struct nlattr **tb)
> >  {
> >       struct bpf_netdev_t *netinfo = cookie;
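Review bot: parse_attach_type() depends on the order of attach_type_strings, and nothing in the hunk says so. Assuming is_prefix(a, b) tests whether a is a prefix of b, as its call sites here suggest, the loop returns the first entry that the user's text abbreviates, so `x`, `xd` and `xdp` all resolve to NET_ATTACH_TYPE_XDP only because that entry comes first. A short comment above the function would keep a later reordering or a new entry from silently changing which XDP mode an abbreviation selects, e.g. `/* First match wins: keep "xdp" ahead of the longer xdp* names. */`. The same comment could state that a return value equal to the table size means "no match" and must never be used as an index into attach_type_strings.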
> > @@ -223,6 +252,97 @@ static int query_flow_dissector(struct bpf_attach_info *attach_info)
> >       return 0;
> >  }
> >
> > +static int net_parse_dev(int *argc, char ***argv)
> > +{
> > +     int ifindex;
> > +
> > +     if (is_prefix(**argv, "dev")) {
> > +             NEXT_ARGP();
> > +
> > +             ifindex = if_nametoindex(**argv);
> > +             if (!ifindex)
> > +                     p_err("invalid devname %s", **argv);
> > +
> > +             NEXT_ARGP();
> > +     } else {
> > +             p_err("expected 'dev', got: '%s'?", **argv);
> > +             return -1;
> > +     }
> > +
> > +     return ifindex;
> > +}
> > +
> > +static int do_attach_detach_xdp(int progfd, enum net_attach_type attach_type,
> > +                             int ifindex, bool overwrite)
> > +{
> > +     __u32 flags = 0;
> > +
> > +     if (!overwrite)
> > +             flags = XDP_FLAGS_UPDATE_IF_NOEXIST;
> > +     if (attach_type == NET_ATTACH_TYPE_XDP_GENERIC)
> > +             flags |= XDP_FLAGS_SKB_MODE;
> > +     if (attach_type == NET_ATTACH_TYPE_XDP_DRIVER)
> > +             flags |= XDP_FLAGS_DRV_MODE;
> > +     if (attach_type == NET_ATTACH_TYPE_XDP_OFFLOAD)
> > +             flags |= XDP_FLAGS_HW_MODE;
> > +
> > +     return bpf_set_link_xdp_fd(ifindex, progfd, flags);
> > +}
> > +
> > +static int do_attach(int argc, char **argv)
> > +{
> > +     enum net_attach_type attach_type;
> > +     int progfd, ifindex, err = 0;
> > +     bool overwrite = false;
> > +
> > +     /* parse attach args */
> > +     if (!REQ_ARGS(5))
> > +             return -EINVAL;
> > +
> > +     attach_type = parse_attach_type(*argv);
> > +     if (attach_type == max_net_attach_type) {
> > +             p_err("invalid net attach/detach type");
>
> worth adding the type to the error message so that user know which part
> of command line was wrong:
>
>         p_err("invalid net attach/detach type '%s'", *argv);
>

It sounds reasonable.
I'll update the error message.


> > +             return -EINVAL;
> > +     }
> > +
> > +     NEXT_ARG();
>
> nit: the new line should be before NEXT_ARG(), IOW NEXT_ARG() belongs
> to the code which consumed the argument
>

I'm not sure I follow.
Are you saying that the newline here shouldn't be necessary?

> > +     progfd = prog_parse_fd(&argc, &argv);
> > +     if (progfd < 0)
> > +             return -EINVAL;
> > +
> > +     ifindex = net_parse_dev(&argc, &argv);
> > +     if (ifindex < 1) {
> > +             close(progfd);
> > +             return -EINVAL;
> > +     }
> > +
> > +     if (argc) {
> > +             if (is_prefix(*argv, "overwrite")) {
> > +                     overwrite = true;
> > +             } else {
> > +                     p_err("expected 'overwrite', got: '%s'?", *argv);
> > +                     close(progfd);
> > +                     return -EINVAL;
> > +             }
> > +     }
> > +
> > +     /* attach xdp prog */
> > +     if (is_prefix("xdp", attach_type_strings[attach_type]))
>
> I'm still unclear on why this if is needed
>

It's just a code structure that shows extensibility for other attachment types.
Well, for now there's no type other than XDP, so it's not necessary.

> > +             err = do_attach_detach_xdp(progfd, attach_type, ifindex,
> > +                                        overwrite);
> > +
> > +     if (err < 0) {
> > +             p_err("interface %s attach failed",
> > +                   attach_type_strings[attach_type]);
>
> Please add the error string, like:
>
>                 p_err("interface %s attach failed: %s",
>                       attach_type_strings[attach_type], strerror(errno));
>
>

Oh, I didn't think of propagating errno to the error message.
I'll update it right away.

> > +             return err;
> > +     }
> > +
> > +     if (json_output)
> > +             jsonw_null(json_wtr);
> > +
> > +     return 0;
> > +}
> > +
> >  static int do_show(int argc, char **argv)
> >  {
> >       struct bpf_attach_info attach_info = {};
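Review bot: In do_attach(), progfd is closed on the two argument-error returns but not after do_attach_detach_xdp(), so both the `return err;` path and the final `return 0;` leave the descriptor open. Adding `close(progfd);` once the attach call has returned and any failure has been reported through p_err() would make every exit path consistent; closing after the message keeps an errno-based error string unaffected. The practical impact is probably small if the process exits right after the command, but that is not visible from this hunk.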
> > @@ -231,17 +351,10 @@ static int do_show(int argc, char **argv)
> >       unsigned int nl_pid;
> >       char err_buf[256];
> >
> > -     if (argc == 2) {
> > -             if (strcmp(argv[0], "dev") != 0)
> > -                     usage();
> > -             filter_idx = if_nametoindex(argv[1]);
> > -             if (filter_idx == 0) {
> > -                     fprintf(stderr, "invalid dev name %s\n", argv[1]);
> > -                     return -1;
> > -             }
> > -     } else if (argc != 0) {
> > +     if (argc == 2)
> > +             filter_idx = net_parse_dev(&argc, &argv);
>
> You should check filter_idx is not negative here, no?
>

You're right.
I'll update it.

> > +     else if (argc != 0)
> >               usage();
> > -     }
> >
> >       ret = query_flow_dissector(&attach_info);
> >       if (ret)
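Review bot: `filter_idx` can receive 0 here, because net_parse_dev() (added earlier in this patch) only calls p_err() when if_nametoindex() fails and then falls through to `return ifindex;`. The removed code treated that case as fatal (`if (filter_idx == 0) { ... return -1; }`), so a sign check alone would not restore the old behaviour and an unresolvable device name would carry on past the error message. Either test `if (filter_idx < 1) return -1;`, as do_attach() does with `ifindex < 1`, or make net_parse_dev() `return -1;` right after its "invalid devname" message. How do_show() uses a zero filter_idx further down is outside this hunk.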

Thank you for your assistance.
