Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3a0af8fd authored by Thomas Graf's avatar Thomas Graf Committed by David S. Miller
Browse files

bpf: BPF for lightweight tunnel infrastructure 



Registers new BPF program types which correspond to the LWT hooks:
  - BPF_PROG_TYPE_LWT_IN   => dst_input()
  - BPF_PROG_TYPE_LWT_OUT  => dst_output()
  - BPF_PROG_TYPE_LWT_XMIT => lwtunnel_xmit()

The separate program types are required to differentiate between the
capabilities each LWT hook allows:

 * Programs attached to dst_input() or dst_output() are restricted and
   may only read the data of an skb. This prevent modification and
   possible invalidation of already validated packet headers on receive
   and the construction of illegal headers while the IP headers are
   still being assembled.

 * Programs attached to lwtunnel_xmit() are allowed to modify packet
   content as well as prepending an L2 header via a newly introduced
   helper bpf_skb_change_head(). This is safe as lwtunnel_xmit() is
   invoked after the IP header has been assembled completely.

All BPF programs receive an skb with L3 headers attached and may return
one of the following error codes:

 BPF_OK - Continue routing as per nexthop
 BPF_DROP - Drop skb and return EPERM
 BPF_REDIRECT - Redirect skb to device as per redirect() helper.
                (Only valid in lwtunnel_xmit() context)

The return codes are binary compatible with their TC_ACT_
relatives to ease compatibility.

Signed-off-by: default avatarThomas Graf <tgraf@suug.ch>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent efd85700

include/linux/filter.h

+1 −1
Original line number Diff line number Diff line
@@ -438,7 +438,7 @@ struct xdp_buff { 
};



/* compute the linear packet data range [data, data_end) which

 * will be accessed by cls_bpf and act_bpf programs

 * will be accessed by cls_bpf, act_bpf and lwt programs

 */

static inline void bpf_compute_data_end(struct sk_buff *skb)

{

include/uapi/linux/bpf.h

+31 −1
Original line number Diff line number Diff line
@@ -101,6 +101,9 @@ enum bpf_prog_type { 
	BPF_PROG_TYPE_XDP,

	BPF_PROG_TYPE_PERF_EVENT,

	BPF_PROG_TYPE_CGROUP_SKB,

	BPF_PROG_TYPE_LWT_IN,

	BPF_PROG_TYPE_LWT_OUT,

	BPF_PROG_TYPE_LWT_XMIT,

};



enum bpf_attach_type {
@@ -409,6 +412,16 @@ union bpf_attr { 
 *

 * int bpf_get_numa_node_id()

 *     Return: Id of current NUMA node.

 *

 * int bpf_skb_change_head()

 *     Grows headroom of skb and adjusts MAC header offset accordingly.

 *     Will extends/reallocae as required automatically.

 *     May change skb data pointer and will thus invalidate any check

 *     performed for direct packet access.

 *     @skb: pointer to skb

 *     @len: length of header to be pushed in front

 *     @flags: Flags (unused for now)

 *     Return: 0 on success or negative error

 */

#define __BPF_FUNC_MAPPER(FN)		\

	FN(unspec),			\
@@ -453,7 +466,8 @@ union bpf_attr { 
	FN(skb_pull_data),		\

	FN(csum_update),		\

	FN(set_hash_invalid),		\

	FN(get_numa_node_id),

	FN(get_numa_node_id),		\

	FN(skb_change_head),



/* integer value in 'imm' field of BPF_CALL instruction selects which helper

 * function eBPF program intends to call
@@ -537,6 +551,22 @@ struct bpf_tunnel_key { 
	__u32 tunnel_label;

};



/* Generic BPF return codes which all BPF program types may support.

 * The values are binary compatible with their TC_ACT_* counter-part to

 * provide backwards compatibility with existing SCHED_CLS and SCHED_ACT

 * programs.

 *

 * XDP is handled seprately, see XDP_*.

 */

enum bpf_ret_code {

	BPF_OK = 0,

	/* 1 reserved */

	BPF_DROP = 2,

	/* 3-6 reserved */

	BPF_REDIRECT = 7,

	/* >127 are reserved for prog type specific return codes */

};



/* User return codes for XDP prog type.

 * A valid XDP program must return one of these defined values. All other

 * return codes are reserved for future use. Unknown return codes will result

include/uapi/linux/lwtunnel.h

+23 −0
Original line number Diff line number Diff line
@@ -10,6 +10,7 @@ enum lwtunnel_encap_types { 
	LWTUNNEL_ENCAP_ILA,

	LWTUNNEL_ENCAP_IP6,

	LWTUNNEL_ENCAP_SEG6,

	LWTUNNEL_ENCAP_BPF,

	__LWTUNNEL_ENCAP_MAX,

};
@@ -43,4 +44,26 @@ enum lwtunnel_ip6_t { 


#define LWTUNNEL_IP6_MAX (__LWTUNNEL_IP6_MAX - 1)



enum {

	LWT_BPF_PROG_UNSPEC,

	LWT_BPF_PROG_FD,

	LWT_BPF_PROG_NAME,

	__LWT_BPF_PROG_MAX,

};



#define LWT_BPF_PROG_MAX (__LWT_BPF_PROG_MAX - 1)



enum {

	LWT_BPF_UNSPEC,

	LWT_BPF_IN,

	LWT_BPF_OUT,

	LWT_BPF_XMIT,

	LWT_BPF_XMIT_HEADROOM,

	__LWT_BPF_MAX,

};



#define LWT_BPF_MAX (__LWT_BPF_MAX - 1)



#define LWT_BPF_MAX_HEADROOM 256



#endif /* _UAPI_LWTUNNEL_H_ */

kernel/bpf/verifier.c

+11 −3
Original line number Diff line number Diff line
@@ -633,12 +633,19 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno, int off, 
#define MAX_PACKET_OFF 0xffff



static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,

				       const struct bpf_call_arg_meta *meta)

				       const struct bpf_call_arg_meta *meta,

				       enum bpf_access_type t)

{

	switch (env->prog->type) {

	case BPF_PROG_TYPE_LWT_IN:

	case BPF_PROG_TYPE_LWT_OUT:

		/* dst_input() and dst_output() can't write for now */

		if (t == BPF_WRITE)

			return false;

	case BPF_PROG_TYPE_SCHED_CLS:

	case BPF_PROG_TYPE_SCHED_ACT:

	case BPF_PROG_TYPE_XDP:

	case BPF_PROG_TYPE_LWT_XMIT:

		if (meta)

			return meta->pkt_access;
@@ -837,7 +844,7 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off, 
			err = check_stack_read(state, off, size, value_regno);

		}

	} else if (state->regs[regno].type == PTR_TO_PACKET) {

		if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL)) {

		if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {

			verbose("cannot write into packet\n");

			return -EACCES;

		}
@@ -970,7 +977,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, 
		return 0;

	}



	if (type == PTR_TO_PACKET && !may_access_direct_pkt_data(env, meta)) {

	if (type == PTR_TO_PACKET &&

	    !may_access_direct_pkt_data(env, meta, BPF_READ)) {

		verbose("helper access to the packet is not allowed\n");

		return -EACCES;

	}

net/Kconfig

+8 −0
Original line number Diff line number Diff line
@@ -402,6 +402,14 @@ config LWTUNNEL 
	  weight tunnel endpoint. Tunnel encapsulation parameters are stored

	  with light weight tunnel state associated with fib routes.



config LWTUNNEL_BPF

	bool "Execute BPF program as route nexthop action"

	depends on LWTUNNEL

	default y if LWTUNNEL=y

	---help---

	  Allows to run BPF programs as a nexthop action following a route

	  lookup for incoming and outgoing packets.



config DST_CACHE

	bool

	default n