lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 17 Dec 2020 15:46:55 +0100
From:   Jesper Dangaard Brouer <brouer@...hat.com>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     bpf@...r.kernel.org, netdev@...r.kernel.org,
        Daniel Borkmann <borkmann@...earbox.net>,
        Alexei Starovoitov <alexei.starovoitov@...il.com>,
        maze@...gle.com, lmb@...udflare.com, shaun@...era.io,
        Lorenzo Bianconi <lorenzo@...nel.org>, marek@...udflare.com,
        John Fastabend <john.fastabend@...il.com>,
        Jakub Kicinski <kuba@...nel.org>, eyal.birger@...il.com,
        colrack@...il.com, brouer@...hat.com
Subject: Re: [PATCH bpf-next V8 5/8] bpf: drop MTU check when doing TC-BPF
 redirect to ingress

On Thu, 3 Dec 2020 00:43:36 +0100
Daniel Borkmann <daniel@...earbox.net> wrote:

> On 11/27/20 7:06 PM, Jesper Dangaard Brouer wrote:
> > The use-case for dropping the MTU check when TC-BPF does redirect to
> > ingress, is described by Eyal Birger in email[0]. The summary is the
> > ability to increase packet size (e.g. with IPv6 headers for NAT64) and
> > ingress redirect packet and let normal netstack fragment packet as needed.
> > 
> > [0] https://lore.kernel.org/netdev/CAHsH6Gug-hsLGHQ6N0wtixdOa85LDZ3HNRHVd0opR=19Qo4W4Q@mail.gmail.com/
> > 
> > V4:
> >   - Keep net_device "up" (IFF_UP) check.
> >   - Adjustment to handle bpf_redirect_peer() helper
> > 
> > Signed-off-by: Jesper Dangaard Brouer <brouer@...hat.com>
> > ---
> >   include/linux/netdevice.h |   31 +++++++++++++++++++++++++++++--
> >   net/core/dev.c            |   19 ++-----------------
> >   net/core/filter.c         |   14 +++++++++++---
> >   3 files changed, 42 insertions(+), 22 deletions(-)
> > 
> > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> > index 7ce648a564f7..4a854e09e918 100644
> > --- a/include/linux/netdevice.h
> > +++ b/include/linux/netdevice.h
> > @@ -3917,11 +3917,38 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb);
> >   bool is_skb_forwardable(const struct net_device *dev,
> >   			const struct sk_buff *skb);
> >   
> > +static __always_inline bool __is_skb_forwardable(const struct net_device *dev,
> > +						 const struct sk_buff *skb,
> > +						 const bool check_mtu)
> > +{
> > +	const u32 vlan_hdr_len = 4; /* VLAN_HLEN */
> > +	unsigned int len;
> > +
> > +	if (!(dev->flags & IFF_UP))
> > +		return false;
> > +
> > +	if (!check_mtu)
> > +		return true;
> > +
> > +	len = dev->mtu + dev->hard_header_len + vlan_hdr_len;
> > +	if (skb->len <= len)
> > +		return true;
> > +
> > +	/* if TSO is enabled, we don't care about the length as the packet
> > +	 * could be forwarded without being segmented before
> > +	 */
> > +	if (skb_is_gso(skb))
> > +		return true;
> > +
> > +	return false;
> > +}
> > +
> >   static __always_inline int ____dev_forward_skb(struct net_device *dev,
> > -					       struct sk_buff *skb)
> > +					       struct sk_buff *skb,
> > +					       const bool check_mtu)
> >   {
> >   	if (skb_orphan_frags(skb, GFP_ATOMIC) ||
> > -	    unlikely(!is_skb_forwardable(dev, skb))) {
> > +	    unlikely(!__is_skb_forwardable(dev, skb, check_mtu))) {
> >   		atomic_long_inc(&dev->rx_dropped);
> >   		kfree_skb(skb);
> >   		return NET_RX_DROP;
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 60d325bda0d7..6ceb6412ee97 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -2189,28 +2189,13 @@ static inline void net_timestamp_set(struct sk_buff *skb)
> >   
> >   bool is_skb_forwardable(const struct net_device *dev, const struct sk_buff *skb)
> >   {
> > -	unsigned int len;
> > -
> > -	if (!(dev->flags & IFF_UP))
> > -		return false;
> > -
> > -	len = dev->mtu + dev->hard_header_len + VLAN_HLEN;
> > -	if (skb->len <= len)
> > -		return true;
> > -
> > -	/* if TSO is enabled, we don't care about the length as the packet
> > -	 * could be forwarded without being segmented before
> > -	 */
> > -	if (skb_is_gso(skb))
> > -		return true;
> > -
> > -	return false;
> > +	return __is_skb_forwardable(dev, skb, true);
> >   }
> >   EXPORT_SYMBOL_GPL(is_skb_forwardable);  
> 
> Only user of is_skb_forwardable() that is left after this patch is bridge, maybe
> the whole thing should be moved into the header?

Well, yes, maybe... I just felt it belongs in another patchset.


> >   int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
> >   {
> > -	int ret = ____dev_forward_skb(dev, skb);
> > +	int ret = ____dev_forward_skb(dev, skb, true);
> >   
> >   	if (likely(!ret)) {
> >   		skb->protocol = eth_type_trans(skb, dev);
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index d6125cfc49c3..4673afe59533 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -2083,13 +2083,21 @@ static const struct bpf_func_proto bpf_csum_level_proto = {
> >   
> >   static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb)
> >   {
> > -	return dev_forward_skb(dev, skb);
> > +	int ret = ____dev_forward_skb(dev, skb, false);
> > +
> > +	if (likely(!ret)) {
> > +		skb->protocol = eth_type_trans(skb, dev);
> > +		skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
> > +		ret = netif_rx(skb);  
> 
> Why netif_rx() and not netif_rx_internal() as in dev_forward_skb() originally?
> One extra call otherwise.

This is because the function below calls netif_rx(), which is just
outside patch-diff-window.  Thus, it looked wrong/strange to call
netif_rx_internal(), but sure I can use netif_rx_internal() instead.

> 
> > +	}
> > +
> > +	return ret;
> >   }
> >   
> >   static inline int __bpf_rx_skb_no_mac(struct net_device *dev,
> >   				      struct sk_buff *skb)
> >   {
> > -	int ret = ____dev_forward_skb(dev, skb);
> > +	int ret = ____dev_forward_skb(dev, skb, false);
> >   
> >   	if (likely(!ret)) {
> >   		skb->dev = dev;
> > @@ -2480,7 +2488,7 @@ int skb_do_redirect(struct sk_buff *skb)
> >   			goto out_drop;
> >   		dev = ops->ndo_get_peer_dev(dev);
> >   		if (unlikely(!dev ||
> > -			     !is_skb_forwardable(dev, skb) ||
> > +			     !__is_skb_forwardable(dev, skb, false) ||  
> 
> If we only use __is_skb_forwardable() with false directly here, maybe then
> lets just have the !(dev->flags & IFF_UP) test here instead..

Sure, let do that.

> >   			     net_eq(net, dev_net(dev))))
> >   			goto out_drop;
> >   		skb->dev = dev;
> > 


-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Principal Kernel Engineer at Red Hat
  LinkedIn: http://www.linkedin.com/in/brouer

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ