lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZTfza8hC_79X10F8@google.com>
Date: Tue, 24 Oct 2023 09:40:11 -0700
From: Stanislav Fomichev <sdf@...gle.com>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: bpf@...r.kernel.org, netdev@...r.kernel.org, martin.lau@...ux.dev, 
	razor@...ckwall.org, ast@...nel.org, andrii@...nel.org, 
	john.fastabend@...il.com, toke@...nel.org, kuba@...nel.org, andrew@...n.ch
Subject: Re: [PATCH bpf-next v3 1/7] netkit, bpf: Add bpf programmable net device

On 10/23, Daniel Borkmann wrote:
> This work adds a new, minimal BPF-programmable device called "netkit"
> (former PoC code-name "meta") we recently presented at LSF/MM/BPF. The
> core idea is that BPF programs are executed within the drivers xmit routine
> and therefore e.g. in case of containers/Pods moving BPF processing closer
> to the source.
> 
> One of the goals was that in case of Pod egress traffic, this allows to
> move BPF programs from hostns tcx ingress into the device itself, providing
> earlier drop or forward mechanisms, for example, if the BPF program
> determines that the skb must be sent out of the node, then a redirect to
> the physical device can take place directly without going through per-CPU
> backlog queue. This helps to shift processing for such traffic from softirq
> to process context, leading to better scheduling decisions/performance (see
> measurements in the slides).
> 
> In this initial version, the netkit device ships as a pair, but we plan to
> extend this further so it can also operate in single device mode. The pair
> comes with a primary and a peer device. Only the primary device, typically
> residing in hostns, can manage BPF programs for itself and its peer. The
> peer device is designated for containers/Pods and cannot attach/detach
> BPF programs. Upon the device creation, the user can set the default policy
> to 'forward' or 'drop' for the case when no BPF program is attached.
> 
> Additionally, the device can be operated in L3 (default) or L2 mode. The
> management of BPF programs is done via bpf_mprog, so that multi-attach is
> supported right from the beginning with similar API and dependency controls
> as tcx. For details on the latter see commit 053c8e1f235d ("bpf: Add generic
> attach/detach/query API for multi-progs"). tc BPF compatibility is provided,
> so that existing programs can be easily migrated.
> 
> Going forward, we plan to use netkit devices in Cilium as the main device
> type for connecting Pods. They will be operated in L3 mode in order to
> simplify a Pod's neighbor management and the peer will operate in default
> drop mode, so that no traffic is leaving between the time when a Pod is
> brought up by the CNI plugin and programs attached by the agent.
> Additionally, the programs we attach via tcx on the physical devices are
> using bpf_redirect_peer() for inbound traffic into netkit device, hence the
> latter is also supporting the ndo_get_peer_dev callback. Similarly, we use
> bpf_redirect_neigh() for the way out, pushing from netkit peer to phys device
> directly. Also, BIG TCP is supported on netkit device. For the follow-up
> work in single device mode, we plan to convert Cilium's cilium_host/_net
> devices into a single one.
> 
> An extensive test suite for checking device operations and the BPF program
> and link management API comes as BPF selftests in this series.
> 
> Co-developed-by: Nikolay Aleksandrov <razor@...ckwall.org>
> Signed-off-by: Nikolay Aleksandrov <razor@...ckwall.org>
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> Link: https://github.com/borkmann/iproute2/tree/pr/netkit
> Link: http://vger.kernel.org/bpfconf2023_material/tcx_meta_netdev_borkmann.pdf (24ff.)
> ---
>  MAINTAINERS                    |   9 +
>  drivers/net/Kconfig            |   9 +
>  drivers/net/Makefile           |   1 +
>  drivers/net/netkit.c           | 934 +++++++++++++++++++++++++++++++++
>  include/net/netkit.h           |  38 ++
>  include/uapi/linux/bpf.h       |  14 +
>  include/uapi/linux/if_link.h   |  24 +
>  kernel/bpf/syscall.c           |  30 +-
>  tools/include/uapi/linux/bpf.h |  14 +
>  9 files changed, 1068 insertions(+), 5 deletions(-)
>  create mode 100644 drivers/net/netkit.c
>  create mode 100644 include/net/netkit.h
> 
> diff --git a/MAINTAINERS b/MAINTAINERS
> index ed33b9df8b3d..43be6197e655 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -3795,6 +3795,15 @@ L:	bpf@...r.kernel.org
>  S:	Odd Fixes
>  K:	(?:\b|_)bpf(?:\b|_)
>  
> +BPF [NETKIT] (BPF-programmable network device)
> +M:	Daniel Borkmann <daniel@...earbox.net>
> +M:	Nikolay Aleksandrov <razor@...ckwall.org>
> +L:	bpf@...r.kernel.org
> +L:	netdev@...r.kernel.org
> +S:	Supported
> +F:	drivers/net/netkit.c
> +F:	include/net/netkit.h
> +
>  BPF [NETWORKING] (struct_ops, reuseport)
>  M:	Martin KaFai Lau <martin.lau@...ux.dev>
>  L:	bpf@...r.kernel.org
> diff --git a/drivers/net/Kconfig b/drivers/net/Kconfig
> index 44eeb5d61ba9..af0da4bb429b 100644
> --- a/drivers/net/Kconfig
> +++ b/drivers/net/Kconfig
> @@ -448,6 +448,15 @@ config NLMON
>  	  diagnostics, etc. This is mostly intended for developers or support
>  	  to debug netlink issues. If unsure, say N.
>  
> +config NETKIT
> +	bool "BPF-programmable network device"
> +	depends on BPF_SYSCALL
> +	help
> +	  The netkit device is a virtual networking device where BPF programs
> +	  can be attached to the device(s) transmission routine in order to
> +	  implement the driver's internal logic. The device can be configured
> +	  to operate in L3 or L2 mode. If unsure, say N.
> +
>  config NET_VRF
>  	tristate "Virtual Routing and Forwarding (Lite)"
>  	depends on IP_MULTIPLE_TABLES
> diff --git a/drivers/net/Makefile b/drivers/net/Makefile
> index 8a83db32509d..7cab36f94782 100644
> --- a/drivers/net/Makefile
> +++ b/drivers/net/Makefile
> @@ -22,6 +22,7 @@ obj-$(CONFIG_MDIO) += mdio.o
>  obj-$(CONFIG_NET) += loopback.o
>  obj-$(CONFIG_NETDEV_LEGACY_INIT) += Space.o
>  obj-$(CONFIG_NETCONSOLE) += netconsole.o
> +obj-$(CONFIG_NETKIT) += netkit.o
>  obj-y += phy/
>  obj-y += pse-pd/
>  obj-y += mdio/
> diff --git a/drivers/net/netkit.c b/drivers/net/netkit.c
> new file mode 100644
> index 000000000000..faf756702aa1
> --- /dev/null
> +++ b/drivers/net/netkit.c
> @@ -0,0 +1,934 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/* Copyright (c) 2023 Isovalent */
> +
> +#include <linux/netdevice.h>
> +#include <linux/ethtool.h>
> +#include <linux/etherdevice.h>
> +#include <linux/filter.h>
> +#include <linux/netfilter_netdev.h>
> +#include <linux/bpf_mprog.h>
> +
> +#include <net/netkit.h>
> +#include <net/dst.h>
> +#include <net/tcx.h>
> +
> +#define DRV_NAME "netkit"
> +
> +struct netkit {
> +	/* Needed in fast-path */
> +	struct net_device __rcu *peer;
> +	struct bpf_mprog_entry __rcu *active;
> +	enum netkit_action policy;
> +	struct bpf_mprog_bundle	bundle;
> +
> +	/* Needed in slow-path */
> +	enum netkit_mode mode;
> +	bool primary;
> +	u32 headroom;
> +};
> +
> +struct netkit_link {
> +	struct bpf_link link;
> +	struct net_device *dev;
> +	u32 location;
> +};
> +
> +static __always_inline int
> +netkit_run(const struct bpf_mprog_entry *entry, struct sk_buff *skb,
> +	   enum netkit_action ret)
> +{
> +	const struct bpf_mprog_fp *fp;
> +	const struct bpf_prog *prog;
> +
> +	bpf_mprog_foreach_prog(entry, fp, prog) {
> +		bpf_compute_data_pointers(skb);
> +		ret = bpf_prog_run(prog, skb);
> +		if (ret != NETKIT_NEXT)
> +			break;
> +	}
> +	return ret;
> +}
> +
> +static void netkit_prep_forward(struct sk_buff *skb, bool xnet)
> +{
> +	skb_scrub_packet(skb, xnet);
> +	skb->priority = 0;
> +	nf_skip_egress(skb, true);
> +}
> +
> +static struct netkit *netkit_priv(const struct net_device *dev)
> +{
> +	return netdev_priv(dev);
> +}
> +
> +static netdev_tx_t netkit_xmit(struct sk_buff *skb, struct net_device *dev)
> +{
> +	struct netkit *nk = netkit_priv(dev);
> +	enum netkit_action ret = READ_ONCE(nk->policy);
> +	netdev_tx_t ret_dev = NET_XMIT_SUCCESS;
> +	const struct bpf_mprog_entry *entry;
> +	struct net_device *peer;
> +
> +	rcu_read_lock();
> +	peer = rcu_dereference(nk->peer);
> +	if (unlikely(!peer || !(peer->flags & IFF_UP) ||
> +		     !pskb_may_pull(skb, ETH_HLEN) ||
> +		     skb_orphan_frags(skb, GFP_ATOMIC)))
> +		goto drop;
> +	netkit_prep_forward(skb, !net_eq(dev_net(dev), dev_net(peer)));
> +	skb->dev = peer;
> +	entry = rcu_dereference(nk->active);
> +	if (entry)
> +		ret = netkit_run(entry, skb, ret);
> +	switch (ret) {
> +	case NETKIT_NEXT:
> +	case NETKIT_PASS:
> +		skb->protocol = eth_type_trans(skb, skb->dev);
> +		skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
> +		__netif_rx(skb);
> +		break;
> +	case NETKIT_REDIRECT:
> +		skb_do_redirect(skb);
> +		break;
> +	case NETKIT_DROP:
> +	default:
> +drop:
> +		kfree_skb(skb);
> +		dev_core_stats_tx_dropped_inc(dev);
> +		ret_dev = NET_XMIT_DROP;
> +		break;
> +	}
> +	rcu_read_unlock();
> +	return ret_dev;
> +}
> +
> +static int netkit_open(struct net_device *dev)
> +{
> +	struct netkit *nk = netkit_priv(dev);
> +	struct net_device *peer = rtnl_dereference(nk->peer);
> +
> +	if (!peer)
> +		return -ENOTCONN;
> +	if (peer->flags & IFF_UP) {
> +		netif_carrier_on(dev);
> +		netif_carrier_on(peer);
> +	}
> +	return 0;
> +}
> +
> +static int netkit_close(struct net_device *dev)
> +{
> +	struct netkit *nk = netkit_priv(dev);
> +	struct net_device *peer = rtnl_dereference(nk->peer);
> +
> +	netif_carrier_off(dev);
> +	if (peer)
> +		netif_carrier_off(peer);
> +	return 0;
> +}
> +
> +static int netkit_get_iflink(const struct net_device *dev)
> +{
> +	struct netkit *nk = netkit_priv(dev);
> +	struct net_device *peer;
> +	int iflink = 0;
> +
> +	rcu_read_lock();
> +	peer = rcu_dereference(nk->peer);
> +	if (peer)
> +		iflink = peer->ifindex;
> +	rcu_read_unlock();
> +	return iflink;
> +}
> +
> +static void netkit_set_multicast(struct net_device *dev)
> +{
> +	/* Nothing to do, we receive whatever gets pushed to us! */
> +}
> +
> +static void netkit_set_headroom(struct net_device *dev, int headroom)
> +{
> +	struct netkit *nk = netkit_priv(dev), *nk2;
> +	struct net_device *peer;
> +
> +	if (headroom < 0)
> +		headroom = NET_SKB_PAD;
> +
> +	rcu_read_lock();
> +	peer = rcu_dereference(nk->peer);
> +	if (unlikely(!peer))
> +		goto out;
> +
> +	nk2 = netkit_priv(peer);
> +	nk->headroom = headroom;
> +	headroom = max(nk->headroom, nk2->headroom);
> +
> +	peer->needed_headroom = headroom;
> +	dev->needed_headroom = headroom;
> +out:
> +	rcu_read_unlock();
> +}
> +
> +static struct net_device *netkit_peer_dev(struct net_device *dev)
> +{
> +	return rcu_dereference(netkit_priv(dev)->peer);
> +}
> +
> +static const struct net_device_ops netkit_netdev_ops = {
> +	.ndo_open		= netkit_open,
> +	.ndo_stop		= netkit_close,
> +	.ndo_start_xmit		= netkit_xmit,
> +	.ndo_set_rx_mode	= netkit_set_multicast,
> +	.ndo_set_rx_headroom	= netkit_set_headroom,
> +	.ndo_get_iflink		= netkit_get_iflink,
> +	.ndo_get_peer_dev	= netkit_peer_dev,
> +	.ndo_features_check	= passthru_features_check,
> +};
> +
> +static void netkit_get_drvinfo(struct net_device *dev,
> +			       struct ethtool_drvinfo *info)
> +{
> +	strscpy(info->driver, DRV_NAME, sizeof(info->driver));
> +}
> +
> +static const struct ethtool_ops netkit_ethtool_ops = {
> +	.get_drvinfo		= netkit_get_drvinfo,
> +};
> +
> +static void netkit_setup(struct net_device *dev)
> +{
> +	static const netdev_features_t netkit_features_hw_vlan =
> +		NETIF_F_HW_VLAN_CTAG_TX |
> +		NETIF_F_HW_VLAN_CTAG_RX |
> +		NETIF_F_HW_VLAN_STAG_TX |
> +		NETIF_F_HW_VLAN_STAG_RX;
> +	static const netdev_features_t netkit_features =
> +		netkit_features_hw_vlan |
> +		NETIF_F_SG |
> +		NETIF_F_FRAGLIST |
> +		NETIF_F_HW_CSUM |
> +		NETIF_F_RXCSUM |
> +		NETIF_F_SCTP_CRC |
> +		NETIF_F_HIGHDMA |
> +		NETIF_F_GSO_SOFTWARE |
> +		NETIF_F_GSO_ENCAP_ALL;
> +
> +	ether_setup(dev);
> +	dev->max_mtu = ETH_MAX_MTU;
> +
> +	dev->flags |= IFF_NOARP;
> +	dev->priv_flags &= ~IFF_TX_SKB_SHARING;
> +	dev->priv_flags |= IFF_LIVE_ADDR_CHANGE;
> +	dev->priv_flags |= IFF_PHONY_HEADROOM;
> +	dev->priv_flags |= IFF_NO_QUEUE;
> +
> +	dev->ethtool_ops = &netkit_ethtool_ops;
> +	dev->netdev_ops  = &netkit_netdev_ops;
> +
> +	dev->features |= netkit_features | NETIF_F_LLTX;
> +	dev->hw_features = netkit_features;
> +	dev->hw_enc_features = netkit_features;
> +	dev->mpls_features = NETIF_F_HW_CSUM | NETIF_F_GSO_SOFTWARE;
> +	dev->vlan_features = dev->features & ~netkit_features_hw_vlan;
> +
> +	dev->needs_free_netdev = true;
> +
> +	netif_set_tso_max_size(dev, GSO_MAX_SIZE);
> +}
> +
> +static struct net *netkit_get_link_net(const struct net_device *dev)
> +{
> +	struct netkit *nk = netkit_priv(dev);
> +	struct net_device *peer = rtnl_dereference(nk->peer);
> +
> +	return peer ? dev_net(peer) : dev_net(dev);
> +}
> +
> +static int netkit_check_policy(int policy, struct nlattr *tb,
> +			       struct netlink_ext_ack *extack)
> +{
> +	switch (policy) {
> +	case NETKIT_PASS:
> +	case NETKIT_DROP:
> +		return 0;
> +	default:
> +		NL_SET_ERR_MSG_ATTR(extack, tb,
> +				    "Provided default xmit policy not supported");
> +		return -EINVAL;
> +	}
> +}
> +
> +static int netkit_check_mode(int mode, struct nlattr *tb,
> +			     struct netlink_ext_ack *extack)
> +{
> +	switch (mode) {
> +	case NETKIT_L2:
> +	case NETKIT_L3:
> +		return 0;
> +	default:
> +		NL_SET_ERR_MSG_ATTR(extack, tb,
> +				    "Provided device mode can only be L2 or L3");
> +		return -EINVAL;
> +	}
> +}
> +
> +static int netkit_validate(struct nlattr *tb[], struct nlattr *data[],
> +			   struct netlink_ext_ack *extack)
> +{
> +	struct nlattr *attr = tb[IFLA_ADDRESS];
> +
> +	if (!attr)
> +		return 0;
> +	NL_SET_ERR_MSG_ATTR(extack, attr,
> +			    "Setting Ethernet address is not supported");
> +	return -EOPNOTSUPP;
> +}
> +
> +static struct rtnl_link_ops netkit_link_ops;
> +
> +static int netkit_new_link(struct net *src_net, struct net_device *dev,
> +			   struct nlattr *tb[], struct nlattr *data[],
> +			   struct netlink_ext_ack *extack)
> +{
> +	struct nlattr *peer_tb[IFLA_MAX + 1], **tbp = tb, *attr;
> +	enum netkit_action default_prim = NETKIT_PASS;
> +	enum netkit_action default_peer = NETKIT_PASS;
> +	enum netkit_mode mode = NETKIT_L3;
> +	unsigned char ifname_assign_type;
> +	struct ifinfomsg *ifmp = NULL;
> +	struct net_device *peer;
> +	char ifname[IFNAMSIZ];
> +	struct netkit *nk;
> +	struct net *net;
> +	int err;
> +
> +	if (data) {
> +		if (data[IFLA_NETKIT_MODE]) {
> +			attr = data[IFLA_NETKIT_MODE];
> +			mode = nla_get_u32(attr);
> +			err = netkit_check_mode(mode, attr, extack);
> +			if (err < 0)
> +				return err;
> +		}
> +		if (data[IFLA_NETKIT_PEER_INFO]) {
> +			attr = data[IFLA_NETKIT_PEER_INFO];
> +			ifmp = nla_data(attr);
> +			err = rtnl_nla_parse_ifinfomsg(peer_tb, attr, extack);
> +			if (err < 0)
> +				return err;
> +			err = netkit_validate(peer_tb, NULL, extack);
> +			if (err < 0)
> +				return err;
> +			tbp = peer_tb;
> +		}
> +		if (data[IFLA_NETKIT_POLICY]) {
> +			attr = data[IFLA_NETKIT_POLICY];
> +			default_prim = nla_get_u32(attr);
> +			err = netkit_check_policy(default_prim, attr, extack);
> +			if (err < 0)
> +				return err;
> +		}
> +		if (data[IFLA_NETKIT_PEER_POLICY]) {
> +			attr = data[IFLA_NETKIT_PEER_POLICY];
> +			default_peer = nla_get_u32(attr);
> +			err = netkit_check_policy(default_peer, attr, extack);
> +			if (err < 0)
> +				return err;
> +		}
> +	}
> +
> +	if (ifmp && tbp[IFLA_IFNAME]) {
> +		nla_strscpy(ifname, tbp[IFLA_IFNAME], IFNAMSIZ);
> +		ifname_assign_type = NET_NAME_USER;
> +	} else {
> +		strscpy(ifname, "nk%d", IFNAMSIZ);
> +		ifname_assign_type = NET_NAME_ENUM;
> +	}
> +
> +	net = rtnl_link_get_net(src_net, tbp);
> +	if (IS_ERR(net))
> +		return PTR_ERR(net);
> +
> +	peer = rtnl_create_link(net, ifname, ifname_assign_type,
> +				&netkit_link_ops, tbp, extack);
> +	if (IS_ERR(peer)) {
> +		put_net(net);
> +		return PTR_ERR(peer);
> +	}
> +
> +	netif_inherit_tso_max(peer, dev);
> +
> +	if (mode == NETKIT_L2)
> +		eth_hw_addr_random(peer);
> +	if (ifmp && dev->ifindex)
> +		peer->ifindex = ifmp->ifi_index;
> +
> +	nk = netkit_priv(peer);
> +	nk->primary = false;
> +	nk->policy = default_peer;
> +	nk->mode = mode;
> +	bpf_mprog_bundle_init(&nk->bundle);
> +	RCU_INIT_POINTER(nk->active, NULL);
> +	RCU_INIT_POINTER(nk->peer, NULL);
> +
> +	err = register_netdevice(peer);
> +	put_net(net);
> +	if (err < 0)
> +		goto err_register_peer;
> +	netif_carrier_off(peer);
> +	if (mode == NETKIT_L2)
> +		dev_change_flags(peer, peer->flags & ~IFF_NOARP, NULL);
> +
> +	err = rtnl_configure_link(peer, NULL, 0, NULL);
> +	if (err < 0)
> +		goto err_configure_peer;
> +
> +	if (mode == NETKIT_L2)
> +		eth_hw_addr_random(dev);
> +	if (tb[IFLA_IFNAME])
> +		nla_strscpy(dev->name, tb[IFLA_IFNAME], IFNAMSIZ);
> +	else
> +		strscpy(dev->name, "nk%d", IFNAMSIZ);
> +
> +	nk = netkit_priv(dev);
> +	nk->primary = true;
> +	nk->policy = default_prim;
> +	nk->mode = mode;
> +	bpf_mprog_bundle_init(&nk->bundle);
> +	RCU_INIT_POINTER(nk->active, NULL);
> +	RCU_INIT_POINTER(nk->peer, NULL);
> +
> +	err = register_netdevice(dev);
> +	if (err < 0)
> +		goto err_configure_peer;
> +	netif_carrier_off(dev);
> +	if (mode == NETKIT_L2)
> +		dev_change_flags(dev, dev->flags & ~IFF_NOARP, NULL);
> +
> +	rcu_assign_pointer(netkit_priv(dev)->peer, peer);
> +	rcu_assign_pointer(netkit_priv(peer)->peer, dev);
> +	return 0;
> +err_configure_peer:
> +	unregister_netdevice(peer);
> +	return err;
> +err_register_peer:
> +	free_netdev(peer);
> +	return err;
> +}
> +
> +static struct bpf_mprog_entry *netkit_entry_fetch(struct net_device *dev,
> +						  bool bundle_fallback)
> +{
> +	struct netkit *nk = netkit_priv(dev);
> +	struct bpf_mprog_entry *entry;
> +
> +	ASSERT_RTNL();
> +	entry = rcu_dereference_rtnl(nk->active);
> +	if (entry)
> +		return entry;
> +	if (bundle_fallback)
> +		return &nk->bundle.a;
> +	return NULL;
> +}
> +
> +static void netkit_entry_update(struct net_device *dev,
> +				struct bpf_mprog_entry *entry)
> +{
> +	struct netkit *nk = netkit_priv(dev);
> +
> +	ASSERT_RTNL();
> +	rcu_assign_pointer(nk->active, entry);
> +}
> +
> +static void netkit_entry_sync(void)
> +{
> +	synchronize_rcu();
> +}
> +
> +static struct net_device *netkit_dev_fetch(struct net *net, u32 ifindex, u32 which)
> +{
> +	struct net_device *dev;
> +	struct netkit *nk;
> +
> +	ASSERT_RTNL();
> +
> +	switch (which) {
> +	case BPF_NETKIT_PRIMARY:
> +	case BPF_NETKIT_PEER:
> +		break;
> +	default:
> +		return ERR_PTR(-EINVAL);
> +	}
> +
> +	dev = __dev_get_by_index(net, ifindex);
> +	if (!dev)
> +		return ERR_PTR(-ENODEV);
> +	if (dev->netdev_ops != &netkit_netdev_ops)
> +		return ERR_PTR(-ENXIO);
> +
> +	nk = netkit_priv(dev);
> +	if (!nk->primary)
> +		return ERR_PTR(-EACCES);
> +	if (which == BPF_NETKIT_PEER) {
> +		dev = rcu_dereference_rtnl(nk->peer);
> +		if (!dev)
> +			return ERR_PTR(-ENODEV);
> +	}
> +	return dev;
> +}
> +
> +int netkit_prog_attach(const union bpf_attr *attr, struct bpf_prog *prog)
> +{
> +	struct bpf_mprog_entry *entry, *entry_new;
> +	struct bpf_prog *replace_prog = NULL;
> +	struct net_device *dev;
> +	int ret;
> +
> +	rtnl_lock();
> +	dev = netkit_dev_fetch(current->nsproxy->net_ns, attr->target_ifindex,
> +			       attr->attach_type);
> +	if (IS_ERR(dev)) {
> +		ret = PTR_ERR(dev);
> +		goto out;
> +	}
> +	entry = netkit_entry_fetch(dev, true);
> +	if (attr->attach_flags & BPF_F_REPLACE) {
> +		replace_prog = bpf_prog_get_type(attr->replace_bpf_fd,
> +						 prog->type);
> +		if (IS_ERR(replace_prog)) {
> +			ret = PTR_ERR(replace_prog);
> +			replace_prog = NULL;
> +			goto out;
> +		}
> +	}
> +	ret = bpf_mprog_attach(entry, &entry_new, prog, NULL, replace_prog,
> +			       attr->attach_flags, attr->relative_fd,
> +			       attr->expected_revision);
> +	if (!ret) {
> +		if (entry != entry_new) {
> +			netkit_entry_update(dev, entry_new);
> +			netkit_entry_sync();
> +		}
> +		bpf_mprog_commit(entry);
> +	}
> +out:
> +	if (replace_prog)
> +		bpf_prog_put(replace_prog);
> +	rtnl_unlock();
> +	return ret;
> +}
> +
> +int netkit_prog_detach(const union bpf_attr *attr, struct bpf_prog *prog)
> +{
> +	struct bpf_mprog_entry *entry, *entry_new;
> +	struct net_device *dev;
> +	int ret;
> +
> +	rtnl_lock();
> +	dev = netkit_dev_fetch(current->nsproxy->net_ns, attr->target_ifindex,
> +			       attr->attach_type);
> +	if (IS_ERR(dev)) {
> +		ret = PTR_ERR(dev);
> +		goto out;
> +	}
> +	entry = netkit_entry_fetch(dev, false);
> +	if (!entry) {
> +		ret = -ENOENT;
> +		goto out;
> +	}
> +	ret = bpf_mprog_detach(entry, &entry_new, prog, NULL, attr->attach_flags,
> +			       attr->relative_fd, attr->expected_revision);
> +	if (!ret) {
> +		if (!bpf_mprog_total(entry_new))
> +			entry_new = NULL;
> +		netkit_entry_update(dev, entry_new);
> +		netkit_entry_sync();
> +		bpf_mprog_commit(entry);
> +	}
> +out:
> +	rtnl_unlock();
> +	return ret;
> +}
> +
> +int netkit_prog_query(const union bpf_attr *attr, union bpf_attr __user *uattr)
> +{
> +	struct net_device *dev;
> +	int ret;
> +
> +	rtnl_lock();
> +	dev = netkit_dev_fetch(current->nsproxy->net_ns,
> +			       attr->query.target_ifindex,
> +			       attr->query.attach_type);
> +	if (IS_ERR(dev)) {
> +		ret = PTR_ERR(dev);
> +		goto out;
> +	}
> +	ret = bpf_mprog_query(attr, uattr, netkit_entry_fetch(dev, false));
> +out:
> +	rtnl_unlock();
> +	return ret;
> +}
> +
> +static struct netkit_link *netkit_link(const struct bpf_link *link)
> +{
> +	return container_of(link, struct netkit_link, link);
> +}
> +
> +static int netkit_link_prog_attach(struct bpf_link *link, u32 flags,
> +				   u32 id_or_fd, u64 revision)
> +{
> +	struct netkit_link *nkl = netkit_link(link);
> +	struct bpf_mprog_entry *entry, *entry_new;
> +	struct net_device *dev = nkl->dev;
> +	int ret;
> +
> +	ASSERT_RTNL();
> +	entry = netkit_entry_fetch(dev, true);
> +	ret = bpf_mprog_attach(entry, &entry_new, link->prog, link, NULL, flags,
> +			       id_or_fd, revision);
> +	if (!ret) {
> +		if (entry != entry_new) {
> +			netkit_entry_update(dev, entry_new);
> +			netkit_entry_sync();
> +		}
> +		bpf_mprog_commit(entry);
> +	}
> +	return ret;
> +}
> +
> +static void netkit_link_release(struct bpf_link *link)
> +{
> +	struct netkit_link *nkl = netkit_link(link);
> +	struct bpf_mprog_entry *entry, *entry_new;
> +	struct net_device *dev;
> +	int ret = 0;
> +
> +	rtnl_lock();
> +	dev = nkl->dev;
> +	if (!dev)
> +		goto out;
> +	entry = netkit_entry_fetch(dev, false);
> +	if (!entry) {
> +		ret = -ENOENT;
> +		goto out;
> +	}
> +	ret = bpf_mprog_detach(entry, &entry_new, link->prog, link, 0, 0, 0);
> +	if (!ret) {
> +		if (!bpf_mprog_total(entry_new))
> +			entry_new = NULL;
> +		netkit_entry_update(dev, entry_new);
> +		netkit_entry_sync();
> +		bpf_mprog_commit(entry);
> +		nkl->dev = NULL;
> +	}
> +out:
> +	WARN_ON_ONCE(ret);
> +	rtnl_unlock();
> +}
> +
> +static int netkit_link_update(struct bpf_link *link, struct bpf_prog *nprog,
> +			      struct bpf_prog *oprog)
> +{
> +	struct netkit_link *nkl = netkit_link(link);
> +	struct bpf_mprog_entry *entry, *entry_new;
> +	struct net_device *dev;
> +	int ret = 0;
> +
> +	rtnl_lock();
> +	dev = nkl->dev;
> +	if (!dev) {
> +		ret = -ENOLINK;
> +		goto out;
> +	}
> +	if (oprog && link->prog != oprog) {
> +		ret = -EPERM;
> +		goto out;
> +	}
> +	oprog = link->prog;
> +	if (oprog == nprog) {
> +		bpf_prog_put(nprog);
> +		goto out;
> +	}
> +	entry = netkit_entry_fetch(dev, false);
> +	if (!entry) {
> +		ret = -ENOENT;
> +		goto out;
> +	}
> +	ret = bpf_mprog_attach(entry, &entry_new, nprog, link, oprog,
> +			       BPF_F_REPLACE | BPF_F_ID,
> +			       link->prog->aux->id, 0);
> +	if (!ret) {
> +		WARN_ON_ONCE(entry != entry_new);
> +		oprog = xchg(&link->prog, nprog);
> +		bpf_prog_put(oprog);
> +		bpf_mprog_commit(entry);
> +	}
> +out:
> +	rtnl_unlock();
> +	return ret;
> +}
> +
> +static void netkit_link_dealloc(struct bpf_link *link)
> +{
> +	kfree(netkit_link(link));
> +}
> +
> +static void netkit_link_fdinfo(const struct bpf_link *link, struct seq_file *seq)
> +{
> +	const struct netkit_link *nkl = netkit_link(link);
> +	u32 ifindex = 0;
> +
> +	rtnl_lock();
> +	if (nkl->dev)
> +		ifindex = nkl->dev->ifindex;
> +	rtnl_unlock();
> +
> +	seq_printf(seq, "ifindex:\t%u\n", ifindex);
> +	seq_printf(seq, "attach_type:\t%u (%s)\n",
> +		   nkl->location,
> +		   nkl->location == BPF_NETKIT_PRIMARY ? "primary" : "peer");
> +}
> +
> +static int netkit_link_fill_info(const struct bpf_link *link,
> +				 struct bpf_link_info *info)
> +{
> +	const struct netkit_link *nkl = netkit_link(link);
> +	u32 ifindex = 0;
> +
> +	rtnl_lock();
> +	if (nkl->dev)
> +		ifindex = nkl->dev->ifindex;
> +	rtnl_unlock();
> +
> +	info->netkit.ifindex = ifindex;
> +	info->netkit.attach_type = nkl->location;
> +	return 0;
> +}
> +
> +static int netkit_link_detach(struct bpf_link *link)
> +{
> +	netkit_link_release(link);
> +	return 0;
> +}
> +
> +static const struct bpf_link_ops netkit_link_lops = {
> +	.release	= netkit_link_release,
> +	.detach		= netkit_link_detach,
> +	.dealloc	= netkit_link_dealloc,
> +	.update_prog	= netkit_link_update,
> +	.show_fdinfo	= netkit_link_fdinfo,
> +	.fill_link_info	= netkit_link_fill_info,
> +};
> +
> +static int netkit_link_init(struct netkit_link *nkl,
> +			    struct bpf_link_primer *link_primer,
> +			    const union bpf_attr *attr,
> +			    struct net_device *dev,
> +			    struct bpf_prog *prog)
> +{
> +	bpf_link_init(&nkl->link, BPF_LINK_TYPE_NETKIT,
> +		      &netkit_link_lops, prog);
> +	nkl->location = attr->link_create.attach_type;
> +	nkl->dev = dev;
> +	return bpf_link_prime(&nkl->link, link_primer);
> +}
> +
> +int netkit_link_attach(const union bpf_attr *attr, struct bpf_prog *prog)
> +{
> +	struct bpf_link_primer link_primer;
> +	struct netkit_link *nkl;
> +	struct net_device *dev;
> +	int ret;
> +
> +	rtnl_lock();
> +	dev = netkit_dev_fetch(current->nsproxy->net_ns,
> +			       attr->link_create.target_ifindex,
> +			       attr->link_create.attach_type);
> +	if (IS_ERR(dev)) {
> +		ret = PTR_ERR(dev);
> +		goto out;
> +	}
> +	nkl = kzalloc(sizeof(*nkl), GFP_KERNEL_ACCOUNT);
> +	if (!nkl) {
> +		ret = -ENOMEM;
> +		goto out;
> +	}
> +	ret = netkit_link_init(nkl, &link_primer, attr, dev, prog);
> +	if (ret) {
> +		kfree(nkl);
> +		goto out;
> +	}

The series looks great! FWIW:
Acked-by: Stanislav Fomichev <sdf@...gle.com>

One small question I have is:
We now (and after introduction of tcx) seem to store non-refcounted
dev pointers in the bpf_link(s). Is it guaranteed that the dev will
outlive the link?

> +	ret = netkit_link_prog_attach(&nkl->link,
> +				      attr->link_create.flags,
> +				      attr->link_create.netkit.relative_fd,
> +				      attr->link_create.netkit.expected_revision);
> +	if (ret) {
> +		nkl->dev = NULL;
> +		bpf_link_cleanup(&link_primer);
> +		goto out;

What happens to nkl here? Do we leak it?

> +	}
> +	ret = bpf_link_settle(&link_primer);
> +out:
> +	rtnl_unlock();
> +	return ret;
> +}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ