lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <8e5e26e8-52c7-40a8-bf49-98ac2c330db9@gmail.com> Date: Wed, 25 Oct 2023 18:18:27 -0700 From: Kui-Feng Lee <sinquersw@...il.com> To: Martin KaFai Lau <martin.lau@...ux.dev> Cc: netdev@...r.kernel.org, razor@...ckwall.org, ast@...nel.org, andrii@...nel.org, john.fastabend@...il.com, sdf@...gle.com, toke@...nel.org, kuba@...nel.org, andrew@...n.ch, Toke Høiland-Jørgensen <toke@...hat.com>, Daniel Borkmann <daniel@...earbox.net>, bpf@...r.kernel.org Subject: Re: [PATCH bpf-next v4 1/7] netkit, bpf: Add bpf programmable net device On 10/25/23 18:15, Kui-Feng Lee wrote: > > > On 10/25/23 15:09, Martin KaFai Lau wrote: >> On 10/25/23 2:24 PM, Kui-Feng Lee wrote: >>> >>> >>> On 10/24/23 14:48, Daniel Borkmann wrote: >>>> This work adds a new, minimal BPF-programmable device called "netkit" >>>> (former PoC code-name "meta") we recently presented at LSF/MM/BPF. The >>>> core idea is that BPF programs are executed within the drivers xmit >>>> routine >>>> and therefore e.g. in case of containers/Pods moving BPF processing >>>> closer >>>> to the source. >>>> >>> >>> Sorry for intruding into this discussion! Although it is too late to >>> mentioned this since this patchset have been v4 already. >>> >>> I notice netkit has introduced a new attach type. I wonder if it >>> possible to implement it as a new struct_ops type. >> >> Could your elaborate more about what does this struct_ops type do and >> how is it different from the SCHED_CLS bpf prog that the netkit is >> running? > > I found the code has been landed. > Basing on the landed code and > the patchset of registering bpf struct_ops from modules that I > am working on, it will looks like what is done in following patch. > No changes on syscall, uapi and libbpf are required. > > > diff --git a/drivers/net/netkit.c b/drivers/net/netkit.c > index 7e484f9fd3ae..e4eafaf397bf 100644 > --- a/drivers/net/netkit.c > +++ b/drivers/net/netkit.c > @@ -20,6 +20,7 @@ struct netkit { > struct bpf_mprog_entry __rcu *active; > enum netkit_action policy; > struct bpf_mprog_bundle bundle; > + struct hlist_head ops_list; > > /* Needed in slow-path */ > enum netkit_mode mode; > @@ -27,6 +28,13 @@ struct netkit { > u32 headroom; > }; > > +struct netkit_ops { > + struct hlist_node node; > + int ifindex; > + > + int (*xmit)(struct sk_buff *skb); > +}; > + > struct netkit_link { > struct bpf_link link; > struct net_device *dev; > @@ -46,6 +54,22 @@ netkit_run(const struct bpf_mprog_entry *entry, > struct sk_buff *skb, > if (ret != NETKIT_NEXT) > break; > } > + > + return ret; > +} > + > +static __always_inline int > +netkit_run_st_ops(const struct netkit *nk, struct sk_buff *skb, > + enum netkit_action ret) > +{ > + struct netkit_ops *ops; > + > + hlist_for_each_entry_rcu(ops, &nk->ops_list, node) { > + ret = ops->xmit(skb); > + if (ret != NETKIT_NEXT) > + break; > + } > + > return ret; > } > > @@ -80,6 +104,8 @@ static netdev_tx_t netkit_xmit(struct sk_buff *skb, > struct net_device *dev) > entry = rcu_dereference(nk->active); > if (entry) > ret = netkit_run(entry, skb, ret); > + if (ret == NETKIT_NEXT) > + ret = netkit_run_st_ops(nk, skb, ret); > switch (ret) { > case NETKIT_NEXT: > case NETKIT_PASS: > @@ -900,6 +926,78 @@ static const struct nla_policy > netkit_policy[IFLA_NETKIT_MAX + 1] = { > .reject_message = "Primary attribute is > read-only" }, > }; > > +#ifdef CONFIG_DEBUG_INFO_BTF_MODULES > + > +static bool bpf_netkit_ops_is_valid_access(int off, int size, > + enum bpf_access_type type, > + const struct bpf_prog *prog, > + struct bpf_insn_access_aux *info) > +{ > + return bpf_tracing_btf_ctx_access(off, size, type, prog, info); > +} > + > +static const struct bpf_verifier_ops bpf_netkit_verifier_ops = { > + .is_valid_access = bpf_netkit_ops_is_valid_access, > +}; > + > +static int bpf_netkit_ops_reg(void *kdata) > +{ > + struct netkit_ops *ops = kdata; > + struct netkit_link *nkl; > + struct net_device *dev; > + > + BTF_STRUCT_OPS_TYPE_EMIT(netkit_ops); > + dev = netkit_dev_fetch(current->nsproxy->net_ns, > + ops->ifindex, > + BPF_NETKIT_PRIMARY); > + nkl = netkit_link(dev); > + hlist_add_tail_rcu(&ops->node, &nkl->ops_list); > + > + return 0; > +} > + > +static int bpf_netkit_ops_init(struct btf *btf) > +{ > + return 0; > +} > + > +static int bpf_netkit_ops_init_member(const struct btf_type *t, > + const struct btf_member *member, > + void *kdata, const void *udata) > +{ > + struct netkit_ops *kops = kdata; > + struct netkit_ops *uops = kdata; > + > + u32 moff = __btf_member_bit_offset(t, member) / 8; > + if (moff == offsetof(struct netkit_ops, ifindex)) { > + kops->ifindex = uops->ifindex; > + return 1; > + } > + if (mod < offsetof(struct netkit_ops, ifindex)) > + return 1; > + > + return 0; > +} > + > +static void bpf_netkit_ops_unreg(void *kdata) > +{ > + struct netkit_ops *ops = kdata; > + > + hlist_del_rcu(&ops->node); > +} > + > +struct bpf_struct_ops bpf_netkit_ops = { > + .verifier_ops = &bpf_netkit_verifier_ops, > + .init = bpf_netkit_ops_init, > + .init_member = bpf_netkit_ops_init_member, > + .reg = bpf_netkit_ops_reg, > + .unreg = bpf_netki_ops_unreg, > + .name = "netkit_ops", > + .owner = THIS_MODULE, > +}; > + > +#endif /* CONFIG_DEBUG_INFO_BTF_MODULES */ > + > static struct rtnl_link_ops netkit_link_ops = { > .kind = DRV_NAME, > .priv_size = sizeof(struct netkit), > @@ -917,17 +1015,22 @@ static struct rtnl_link_ops netkit_link_ops = { > > static __init int netkit_init(void) > { > + int ret; > + > BUILD_BUG_ON((int)NETKIT_NEXT != (int)TCX_NEXT || > (int)NETKIT_PASS != (int)TCX_PASS || > (int)NETKIT_DROP != (int)TCX_DROP || > (int)NETKIT_REDIRECT != (int)TCX_REDIRECT); > > - return rtnl_link_register(&netkit_link_ops); > + ret = rtnl_link_register(&netkit_link_ops); > +#ifdef CONFIG_DEBUG_INFO_BTF_MODULES > + ret = ret ?: register_bpf_struct_ops(&bpf_netkit_ops); > +#endif > } > > static __exit void netkit_exit(void) > { > - rtnl_link_unregister(&netkit_link_ops); > + rtnl_link_unregister(&bpf_netkit_ops); This change should be removed. > } > > module_init(netkit_init);
Powered by blists - more mailing lists