[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20200325055745.10710-1-joe@wand.net.nz>
Date: Tue, 24 Mar 2020 22:57:40 -0700
From: Joe Stringer <joe@...d.net.nz>
To: bpf@...r.kernel.org
Cc: netdev@...r.kernel.org, daniel@...earbox.net, ast@...nel.org,
eric.dumazet@...il.com, lmb@...udflare.com, kafai@...com
Subject: [PATCHv2 bpf-next 0/5] Add bpf_sk_assign eBPF helper
Introduce a new helper that allows assigning a previously-found socket
to the skb as the packet is received towards the stack, to cause the
stack to guide the packet towards that socket subject to local routing
configuration.
This series the successor to previous discussions on-list[0], in-person
at LPC2019[1], and the previous version[2] to support TProxy use cases
more directly from eBPF programs attached at TC ingress, to simplify and
streamline Linux stack configuration in scale environments with Cilium.
Normally in ip{,6}_rcv_core(), the skb will be orphaned, dropping any
existing socket reference associated with the skb. Existing tproxy
implementations in netfilter get around this restriction by running the
tproxy logic after ip_rcv_core() in the PREROUTING table. However, this
is not an option for TC-based logic (including eBPF programs attached at
TC ingress).
This series introduces the BPF helper bpf_sk_assign() to associate the
socket with the skb on the ingress path as the packet is passed up the
stack. The initial patch in the series simply takes a reference on the
socket to ensure safety, but later patches relax this for listen
sockets.
To ensure delivery to the relevant socket, we still consult the routing
table, for full examples of how to configure see the tests in patch #5;
the simplest form of the route would look like this:
$ ip route add local default dev lo
This series is laid out as follows:
* Patch 1 extends the eBPF API to add sk_assign() and defines a new
socket free function to allow the later paths to understand when the
socket associated with the skb should be kept through receive.
* Patches 2-4 optimizate the receive path to prefetch the socket
destination and avoid taking a reference on listener sockets during
receive.
* Patches 5 extends the selftests with examples of the new
functionality and validation of correct behaviour.
Changes since v1:
* Replace the metadata_dst approach with using the skb->destructor to
determine whether the socket has been prefetched. This is much
simpler.
* Avoid taking a reference on listener sockets during receive
* Restrict assigning sockets across namespaces
* Restrict assigning SO_REUSEPORT sockets
* Fix cookie usage for socket dst check
* Rebase the tests against test_progs infrastructure
* Tidy up commit messages
[0] https://www.mail-archive.com/netdev@vger.kernel.org/msg303645.html
[1] https://linuxplumbersconf.org/event/4/contributions/464/
[2] https://lore.kernel.org/netdev/20200312233648.1767-1-joe@wand.net.nz/T/#m4028efa9381856049ae5633986ec562d6b94a146
Joe Stringer (4):
bpf: Add socket assign support
bpf: Prefetch established socket destinations
net: Track socket refcounts in skb_steal_sock()
bpf: Don't refcount LISTEN sockets in sk_assign()
Lorenz Bauer (1):
selftests: bpf: add test for sk_assign
include/net/inet6_hashtables.h | 3 +-
include/net/inet_hashtables.h | 3 +-
include/net/sock.h | 42 ++-
include/uapi/linux/bpf.h | 25 +-
net/core/filter.c | 50 +++-
net/core/sock.c | 10 +
net/ipv4/ip_input.c | 3 +-
net/ipv4/udp.c | 6 +-
net/ipv6/ip6_input.c | 3 +-
net/ipv6/udp.c | 9 +-
net/sched/act_bpf.c | 2 +
tools/include/uapi/linux/bpf.h | 25 +-
tools/testing/selftests/bpf/Makefile | 2 +-
.../selftests/bpf/prog_tests/sk_assign.c | 244 ++++++++++++++++++
.../selftests/bpf/progs/test_sk_assign.c | 127 +++++++++
15 files changed, 529 insertions(+), 25 deletions(-)
create mode 100644 tools/testing/selftests/bpf/prog_tests/sk_assign.c
create mode 100644 tools/testing/selftests/bpf/progs/test_sk_assign.c
--
2.20.1
Powered by blists - more mailing lists