Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 004d4b27 authored by Mathieu Xhonneux's avatar Mathieu Xhonneux Committed by Daniel Borkmann
Browse files

ipv6: sr: Add seg6local action End.BPF 



This patch adds the End.BPF action to the LWT seg6local infrastructure.
This action works like any other seg6local End action, meaning that an IPv6
header with SRH is needed, whose DA has to be equal to the SID of the
action. It will also advance the SRH to the next segment, the BPF program
does not have to take care of this.

Since the BPF program may not be a source of instability in the kernel, it
is important to ensure that the integrity of the packet is maintained
before yielding it back to the IPv6 layer. The hook hence keeps track if
the SRH has been altered through the helpers, and re-validates its
content if needed with seg6_validate_srh. The state kept for validation is
stored in a per-CPU buffer. The BPF program is not allowed to directly
write into the packet, and only some fields of the SRH can be altered
through the helper bpf_lwt_seg6_store_bytes.

Performances profiling has shown that the SRH re-validation does not induce
a significant overhead. If the altered SRH is deemed as invalid, the packet
is dropped.

This validation is also done before executing any action through
bpf_lwt_seg6_action, and will not be performed again if the SRH is not
modified after calling the action.

The BPF program may return 3 types of return codes:
    - BPF_OK: the End.BPF action will look up the next destination through
             seg6_lookup_nexthop.
    - BPF_REDIRECT: if an action has been executed through the
          bpf_lwt_seg6_action helper, the BPF program should return this
          value, as the skb's destination is already set and the default
          lookup should not be performed.
    - BPF_DROP : the packet will be dropped.

Signed-off-by: default avatarMathieu Xhonneux <m.xhonneux@gmail.com>
Acked-by: default avatarDavid Lebrun <dlebrun@google.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parent cd3092c7

include/linux/bpf_types.h

+1 −0
Original line number Diff line number Diff line
@@ -12,6 +12,7 @@ BPF_PROG_TYPE(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, cg_sock_addr) 
BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_IN, lwt_in)

BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_OUT, lwt_out)

BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_XMIT, lwt_xmit)

BPF_PROG_TYPE(BPF_PROG_TYPE_LWT_SEG6LOCAL, lwt_seg6local)

BPF_PROG_TYPE(BPF_PROG_TYPE_SOCK_OPS, sock_ops)

BPF_PROG_TYPE(BPF_PROG_TYPE_SK_SKB, sk_skb)

BPF_PROG_TYPE(BPF_PROG_TYPE_SK_MSG, sk_msg)

include/uapi/linux/bpf.h

+1 −0
Original line number Diff line number Diff line
@@ -141,6 +141,7 @@ enum bpf_prog_type { 
	BPF_PROG_TYPE_SK_MSG,

	BPF_PROG_TYPE_RAW_TRACEPOINT,

	BPF_PROG_TYPE_CGROUP_SOCK_ADDR,

	BPF_PROG_TYPE_LWT_SEG6LOCAL,

};



enum bpf_attach_type {

include/uapi/linux/seg6_local.h

+12 −0
Original line number Diff line number Diff line
@@ -25,6 +25,7 @@ enum { 
	SEG6_LOCAL_NH6,

	SEG6_LOCAL_IIF,

	SEG6_LOCAL_OIF,

	SEG6_LOCAL_BPF,

	__SEG6_LOCAL_MAX,

};

#define SEG6_LOCAL_MAX (__SEG6_LOCAL_MAX - 1)
@@ -59,10 +60,21 @@ enum { 
	SEG6_LOCAL_ACTION_END_AS	= 13,

	/* forward to SR-unaware VNF with masquerading */

	SEG6_LOCAL_ACTION_END_AM	= 14,

	/* custom BPF action */

	SEG6_LOCAL_ACTION_END_BPF	= 15,



	__SEG6_LOCAL_ACTION_MAX,

};



#define SEG6_LOCAL_ACTION_MAX (__SEG6_LOCAL_ACTION_MAX - 1)



enum {

	SEG6_LOCAL_BPF_PROG_UNSPEC,

	SEG6_LOCAL_BPF_PROG,

	SEG6_LOCAL_BPF_PROG_NAME,

	__SEG6_LOCAL_BPF_PROG_MAX,

};



#define SEG6_LOCAL_BPF_PROG_MAX (__SEG6_LOCAL_BPF_PROG_MAX - 1)



#endif

kernel/bpf/verifier.c

+1 −0
Original line number Diff line number Diff line
@@ -1262,6 +1262,7 @@ static bool may_access_direct_pkt_data(struct bpf_verifier_env *env, 
	switch (env->prog->type) {

	case BPF_PROG_TYPE_LWT_IN:

	case BPF_PROG_TYPE_LWT_OUT:

	case BPF_PROG_TYPE_LWT_SEG6LOCAL:

		/* dst_input() and dst_output() can't write for now */

		if (t == BPF_WRITE)

			return false;

net/core/filter.c

+25 −0
Original line number Diff line number Diff line
@@ -4921,6 +4921,21 @@ lwt_xmit_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) 
	}

}



static const struct bpf_func_proto *

lwt_seg6local_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)

{

	switch (func_id) {

	case BPF_FUNC_lwt_seg6_store_bytes:

		return &bpf_lwt_seg6_store_bytes_proto;

	case BPF_FUNC_lwt_seg6_action:

		return &bpf_lwt_seg6_action_proto;

	case BPF_FUNC_lwt_seg6_adjust_srh:

		return &bpf_lwt_seg6_adjust_srh_proto;

	default:

		return lwt_out_func_proto(func_id, prog);

	}

}



static bool bpf_skb_is_valid_access(int off, int size, enum bpf_access_type type,

				    const struct bpf_prog *prog,

				    struct bpf_insn_access_aux *info)
@@ -6629,6 +6644,16 @@ const struct bpf_prog_ops lwt_xmit_prog_ops = { 
	.test_run		= bpf_prog_test_run_skb,

};



const struct bpf_verifier_ops lwt_seg6local_verifier_ops = {

	.get_func_proto		= lwt_seg6local_func_proto,

	.is_valid_access	= lwt_is_valid_access,

	.convert_ctx_access	= bpf_convert_ctx_access,

};



const struct bpf_prog_ops lwt_seg6local_prog_ops = {

	.test_run		= bpf_prog_test_run_skb,

};



const struct bpf_verifier_ops cg_sock_verifier_ops = {

	.get_func_proto		= sock_filter_func_proto,

	.is_valid_access	= sock_filter_is_valid_access,