| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 25 Jan 2022 13:27:17 -0800
From: Stanislav Fomichev <sdf@...gle.com>
To: Pavel Begunkov <asml.silence@...il.com>
Cc: Martin KaFai Lau <kafai@...com>, netdev@...r.kernel.org,
bpf@...r.kernel.org, Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Song Liu <songliubraving@...com>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] cgroup/bpf: fast path skb BPF filtering
On Tue, Jan 25, 2022 at 10:55 AM Pavel Begunkov <asml.silence@...il.com> wrote:
>
> On 1/24/22 18:25, Stanislav Fomichev wrote:
> > On Mon, Jan 24, 2022 at 7:49 AM Pavel Begunkov <asml.silence@...il.com> wrote:
> >>
> >> On 12/16/21 18:24, Stanislav Fomichev wrote:
> >>> On Thu, Dec 16, 2021 at 10:14 AM Martin KaFai Lau <kafai@...com> wrote:
> >>>> On Thu, Dec 16, 2021 at 01:21:26PM +0000, Pavel Begunkov wrote:
> >>>>> On 12/15/21 22:07, Stanislav Fomichev wrote:
> >>>>>>> I'm skeptical I'll be able to measure inlining one function,
> >>>>>>> variability between boots/runs is usually greater and would hide it.
> >>>>>>
> >>>>>> Right, that's why I suggested to mirror what we do in set/getsockopt
> >>>>>> instead of the new extra CGROUP_BPF_TYPE_ENABLED. But I'll leave it up
> >>>>>> to you, Martin and the rest.
> >>>> I also suggested to try to stay with one way for fullsock context in v2
> >>>> but it is for code readability reason.
> >>>>
> >>>> How about calling CGROUP_BPF_TYPE_ENABLED() just next to cgroup_bpf_enabled()
> >>>> in BPF_CGROUP_RUN_PROG_*SOCKOPT_*() instead ?
> >>>
> >>> SG!
> >>>
> >>>> It is because both cgroup_bpf_enabled() and CGROUP_BPF_TYPE_ENABLED()
> >>>> want to check if there is bpf to run before proceeding everything else
> >>>> and then I don't need to jump to the non-inline function itself to see
> >>>> if there is other prog array empty check.
> >>>>
> >>>> Stan, do you have concern on an extra inlined sock_cgroup_ptr()
> >>>> when there is bpf prog to run for set/getsockopt()? I think
> >>>> it should be mostly noise from looking at
> >>>> __cgroup_bpf_run_filter_*sockopt()?
> >>>
> >>> Yeah, my concern is also mostly about readability/consistency. Either
> >>> __cgroup_bpf_prog_array_is_empty everywhere or this new
> >>> CGROUP_BPF_TYPE_ENABLED everywhere. I'm slightly leaning towards
> >>> __cgroup_bpf_prog_array_is_empty because I don't believe direct
> >>> function calls add any visible overhead and macros are ugly :-) But
> >>> either way is fine as long as it looks consistent.
> >>
> >> Martin, Stanislav, do you think it's good to go? Any other concerns?
> >> It feels it might end with bikeshedding and would be great to finally
> >> get it done, especially since I find the issue to be pretty simple.
> >
> > I'll leave it up to the bpf maintainers/reviewers. Personally, I'd
> > still prefer a respin with a consistent
> > __cgroup_bpf_prog_array_is_empty or CGROUP_BPF_TYPE_ENABLED everywhere
> > (shouldn't be a lot of effort?)
>
> I can make CGROUP_BPF_TYPE_ENABLED() used everywhere, np.
>
> I'll leave out unification with cgroup_bpf_enabled() as don't
> really understand the fullsock dancing in
> BPF_CGROUP_RUN_PROG_INET_EGRESS(). Any idea whether it's needed
> and/or how to shove it out of inlined checks?
I'm not sure we can do anything better than whatever you did in your
patch. This request_sk->full_sk conversion is needed because
request_sk doesn't really have any cgroup association and we need to
pull it from the listener ("full_sk"). So you wave to get full_sk and
then run CGROUP_BPF_TYPE_ENABLED on it.
Powered by blists - more mailing lists