lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 31 May 2023 15:38:47 -0400
From: Louis DeLosSantos <louis.delos.devel@...il.com>
To: bpf@...r.kernel.org, netdev@...r.kernel.org
Cc: Martin KaFai Lau <martin.lau@...ux.dev>, 
 Stanislav Fomichev <sdf@...gle.com>, razor@...ckwall.org, 
 John Fastabend <john.fastabend@...il.com>, Yonghong Song <yhs@...a.com>, 
 Louis DeLosSantos <louis.delos.devel@...il.com>
Subject: [PATCH v2 0/2] bpf: utilize table ID in bpf_fib_lookup helper

This patchset adds the ability to specify a table ID to the
`bpf_fib_lookup` BPF helper. 

A new `tbid` field is added to `struct fib_bpf_lookup`.
When the `fib_bpf_lookup` helper is called with the `BPF_FIB_LOOKUP_DIRECT` and 
`BPF_FIB_LOOKUP_TBID' flag the `tbid` field will be interpreted as the table ID 
to use for the fib lookup.

If the `tbid` specifies a table that does not exist the lookup fails
with `BPF_FIB_LKUP_RET_NOT_FWDED`

This functionality is useful in containerized environments. 

For instance, if a CNI wants to dictate the next-hop for traffic leaving
a container it can create a container-specific routing table and perform
a fib lookup against this table in a "host-net-namespace-side" TC program.

This functionality also allows `ip rule` like functionality at the TC
layer, allowing an eBPF program to pick a routing table based on some
aspect of the sk_buff.

As a concrete use case, this feature will be used in Cilium's SRv6 L3VPN
datapath. 
When egress traffic leaves a Pod an eBPF program attached by Cilium will
determine which VRF the egress traffic should target, and then perform a
FIB lookup in a specific table representing this VRF's FIB.

The existing `fib_lookup.c` bpf selftest was appended several test cases
to ensure this feature works as expected. 

```
$ sudo ./test_progs -a "*fib*"

Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED
```

Signed-off-by: Louis DeLosSantos <louis.delos.devel@...il.com>
---
Changes in v2:
- Utilize a new flag `BPF_FIB_LOOKUP_TBID` for performing table ID fib
  lookups.
- Update fib lookup selftest to reflect new flag usage.
- Change second commit message subject to `selftests/bpf`.
- Link to v1: https://lore.kernel.org/r/20230505-bpf-add-tbid-fib-lookup-v1-0-fd99f7162e76@gmail.com

---
Louis DeLosSantos (2):
      bpf: add table ID to bpf_fib_lookup BPF helper
      selftests/bpf: test table ID fib lookup BPF helper

 include/uapi/linux/bpf.h                           | 21 ++++++--
 net/core/filter.c                                  | 14 ++++-
 tools/include/uapi/linux/bpf.h                     | 21 ++++++--
 .../testing/selftests/bpf/prog_tests/fib_lookup.c  | 61 +++++++++++++++++++---
 4 files changed, 102 insertions(+), 15 deletions(-)
---
base-commit: fbc0b0253001c397a481d258a88ce5f08996574f
change-id: 20230505-bpf-add-tbid-fib-lookup-aa46fa098603

Best regards,
-- 
Louis DeLosSantos <louis.delos.devel@...il.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ