lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <48b18dc0-19bd-441e-5054-4bd545cd1561@iogearbox.net>
Date: Fri, 28 Jun 2024 23:21:01 +0200
From: Daniel Borkmann <daniel@...earbox.net>
To: Lorenzo Bianconi <lorenzo@...nel.org>, bpf@...r.kernel.org
Cc: pablo@...filter.org, kadlec@...filter.org, davem@...emloft.net,
 edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
 netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, ast@...nel.org,
 andrii@...nel.org, martin.lau@...ux.dev, eddyz87@...il.com,
 lorenzo.bianconi@...hat.com, toke@...hat.com, fw@...len.de, hawk@...nel.org,
 horms@...nel.org, donhunte@...hat.com, memxor@...il.com
Subject: Re: [PATCH v5 bpf-next 2/3] netfilter: add bpf_xdp_flow_lookup kfunc

On 6/14/24 5:40 PM, Lorenzo Bianconi wrote:
[...]
> +enum {
> +	NF_BPF_FLOWTABLE_OPTS_SZ = 4,
> +};
> +
> +__diag_push();
> +__diag_ignore_all("-Wmissing-prototypes",
> +		  "Global functions as their definitions will be in nf_flow_table BTF");

nit: __bpf_kfunc_start_defs();

> +static struct flow_offload_tuple_rhash *
> +bpf_xdp_flow_tuple_lookup(struct net_device *dev,
> +			  struct flow_offload_tuple *tuple, __be16 proto)
> +{
> +	struct flow_offload_tuple_rhash *tuplehash;
> +	struct nf_flowtable *nf_flow_table;
> +	struct flow_offload *nf_flow;
> +
> +	nf_flow_table = nf_flowtable_by_dev(dev);
> +	if (!nf_flow_table)
> +		return ERR_PTR(-ENOENT);
> +
> +	tuplehash = flow_offload_lookup(nf_flow_table, tuple);
> +	if (!tuplehash)
> +		return ERR_PTR(-ENOENT);
> +
> +	nf_flow = container_of(tuplehash, struct flow_offload,
> +			       tuplehash[tuplehash->tuple.dir]);
> +	flow_offload_refresh(nf_flow_table, nf_flow, false);
> +
> +	return tuplehash;
> +}
> +
> +__bpf_kfunc struct flow_offload_tuple_rhash *
> +bpf_xdp_flow_lookup(struct xdp_md *ctx, struct bpf_fib_lookup *fib_tuple,
> +		    struct bpf_flowtable_opts *opts, u32 opts_len)
> +{
> +	struct xdp_buff *xdp = (struct xdp_buff *)ctx;
> +	struct flow_offload_tuple tuple = {
> +		.iifidx = fib_tuple->ifindex,
> +		.l3proto = fib_tuple->family,
> +		.l4proto = fib_tuple->l4_protocol,
> +		.src_port = fib_tuple->sport,
> +		.dst_port = fib_tuple->dport,
> +	};
> +	struct flow_offload_tuple_rhash *tuplehash;
> +	__be16 proto;
> +
> +	if (opts_len != NF_BPF_FLOWTABLE_OPTS_SZ) {
> +		opts->error = -EINVAL;
> +		return NULL;
> +	}
> +
> +	switch (fib_tuple->family) {
> +	case AF_INET:
> +		tuple.src_v4.s_addr = fib_tuple->ipv4_src;
> +		tuple.dst_v4.s_addr = fib_tuple->ipv4_dst;
> +		proto = htons(ETH_P_IP);
> +		break;
> +	case AF_INET6:
> +		tuple.src_v6 = *(struct in6_addr *)&fib_tuple->ipv6_src;
> +		tuple.dst_v6 = *(struct in6_addr *)&fib_tuple->ipv6_dst;
> +		proto = htons(ETH_P_IPV6);
> +		break;
> +	default:
> +		opts->error = -EAFNOSUPPORT;
> +		return NULL;
> +	}
> +
> +	tuplehash = bpf_xdp_flow_tuple_lookup(xdp->rxq->dev, &tuple, proto);
> +	if (IS_ERR(tuplehash)) {
> +		opts->error = PTR_ERR(tuplehash);
> +		return NULL;
> +	}
> +
> +	return tuplehash;
> +}
> +
> +__diag_pop()

__bpf_kfunc_end_defs();

Otherwise LGTM!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ