Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f577e22c authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'lwt-bpf' 



Thomas Graf says:

====================
bpf: BPF for lightweight tunnel encapsulation

This series implements BPF program invocation from dst entries via the
lightweight tunnels infrastructure. The BPF program can be attached to
lwtunnel_input(), lwtunnel_output() or lwtunnel_xmit() and see an L3
skb as context. Programs attached to input and output are read-only.
Programs attached to lwtunnel_xmit() can modify and redirect, push headers
and redirect packets.

The facility can be used to:
 - Collect statistics and generate sampling data for a subset of traffic
   based on the dst utilized by the packet thus allowing to extend the
   existing realms.
 - Apply additional per route/dst filters to prohibit certain outgoing
   or incoming packets based on BPF filters. In particular, this allows
   to maintain per dst custom state across multiple packets in BPF maps
   and apply filters based on statistics and behaviour observed over time.
 - Attachment of L2 headers at transmit where resolving the L2 address
   is not required.
 - Possibly many more.

v3 -> v4:
 - Bumped LWT_BPF_MAX_HEADROOM from 128 to 256 (Alexei)
 - Renamed bpf_skb_push() helper to bpf_skb_change_head() to relate to
   existing bpf_skb_change_tail() helper (Alexei/Daniel)
 - Added check in __bpf_redirect_common() to verify that program added a
   link header before redirecting to a l2 device. Adding the check to
   lwt-bpf code was considered but dropped due to massive code required
   due to retrieval of net_device via per-cpu redirect buffer. A test
   case was added to cover the scenario when a program directs to an l2
   device without adding an appropriate l2 header.
   (Alexei)
 - Prohibited access to tc_classid (Daniel)
 - Collapsed bpf_verifier_ops instance for lwt in/out as they are
   identical (Daniel)
 - Some cosmetic changes

v2 -> v3:
 - Added real world sample lwt_len_hist_kern.c which demonstrates how to
   collect a histogram on packet sizes for all packets flowing through
   a number of routes.
 - Restricted output to be read-only. Since the header can no longer
   be modified, the rerouting functionality has been removed again.
 - Added test case which cover destructive modification of packet data.

v1 -> v2:
 - Added new BPF_LWT_REROUTE return code for program to indicate
   that new route lookup should be performed. Suggested by Tom.
 - New sample to illustrate rerouting
 - New patch 05: Recursion limit for lwtunnel_output for the case
   when user creates circular dst redirection. Also resolves the
   issue for ILA.
 - Fix to ensure headroom for potential future L2 header is still
   guaranteed
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents ee3d7c6e f74599f7

include/linux/filter.h

+1 −1
Original line number Diff line number Diff line
@@ -438,7 +438,7 @@ struct xdp_buff { 
};



/* compute the linear packet data range [data, data_end) which

 * will be accessed by cls_bpf and act_bpf programs

 * will be accessed by cls_bpf, act_bpf and lwt programs

 */

static inline void bpf_compute_data_end(struct sk_buff *skb)

{

include/uapi/linux/bpf.h

+31 −1
Original line number Diff line number Diff line
@@ -101,6 +101,9 @@ enum bpf_prog_type { 
	BPF_PROG_TYPE_XDP,

	BPF_PROG_TYPE_PERF_EVENT,

	BPF_PROG_TYPE_CGROUP_SKB,

	BPF_PROG_TYPE_LWT_IN,

	BPF_PROG_TYPE_LWT_OUT,

	BPF_PROG_TYPE_LWT_XMIT,

};



enum bpf_attach_type {
@@ -409,6 +412,16 @@ union bpf_attr { 
 *

 * int bpf_get_numa_node_id()

 *     Return: Id of current NUMA node.

 *

 * int bpf_skb_change_head()

 *     Grows headroom of skb and adjusts MAC header offset accordingly.

 *     Will extends/reallocae as required automatically.

 *     May change skb data pointer and will thus invalidate any check

 *     performed for direct packet access.

 *     @skb: pointer to skb

 *     @len: length of header to be pushed in front

 *     @flags: Flags (unused for now)

 *     Return: 0 on success or negative error

 */

#define __BPF_FUNC_MAPPER(FN)		\

	FN(unspec),			\
@@ -453,7 +466,8 @@ union bpf_attr { 
	FN(skb_pull_data),		\

	FN(csum_update),		\

	FN(set_hash_invalid),		\

	FN(get_numa_node_id),

	FN(get_numa_node_id),		\

	FN(skb_change_head),



/* integer value in 'imm' field of BPF_CALL instruction selects which helper

 * function eBPF program intends to call
@@ -537,6 +551,22 @@ struct bpf_tunnel_key { 
	__u32 tunnel_label;

};



/* Generic BPF return codes which all BPF program types may support.

 * The values are binary compatible with their TC_ACT_* counter-part to

 * provide backwards compatibility with existing SCHED_CLS and SCHED_ACT

 * programs.

 *

 * XDP is handled seprately, see XDP_*.

 */

enum bpf_ret_code {

	BPF_OK = 0,

	/* 1 reserved */

	BPF_DROP = 2,

	/* 3-6 reserved */

	BPF_REDIRECT = 7,

	/* >127 are reserved for prog type specific return codes */

};



/* User return codes for XDP prog type.

 * A valid XDP program must return one of these defined values. All other

 * return codes are reserved for future use. Unknown return codes will result

include/uapi/linux/lwtunnel.h

+23 −0
Original line number Diff line number Diff line
@@ -10,6 +10,7 @@ enum lwtunnel_encap_types { 
	LWTUNNEL_ENCAP_ILA,

	LWTUNNEL_ENCAP_IP6,

	LWTUNNEL_ENCAP_SEG6,

	LWTUNNEL_ENCAP_BPF,

	__LWTUNNEL_ENCAP_MAX,

};
@@ -43,4 +44,26 @@ enum lwtunnel_ip6_t { 


#define LWTUNNEL_IP6_MAX (__LWTUNNEL_IP6_MAX - 1)



enum {

	LWT_BPF_PROG_UNSPEC,

	LWT_BPF_PROG_FD,

	LWT_BPF_PROG_NAME,

	__LWT_BPF_PROG_MAX,

};



#define LWT_BPF_PROG_MAX (__LWT_BPF_PROG_MAX - 1)



enum {

	LWT_BPF_UNSPEC,

	LWT_BPF_IN,

	LWT_BPF_OUT,

	LWT_BPF_XMIT,

	LWT_BPF_XMIT_HEADROOM,

	__LWT_BPF_MAX,

};



#define LWT_BPF_MAX (__LWT_BPF_MAX - 1)



#define LWT_BPF_MAX_HEADROOM 256



#endif /* _UAPI_LWTUNNEL_H_ */

kernel/bpf/verifier.c

+11 −3
Original line number Diff line number Diff line
@@ -633,12 +633,19 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno, int off, 
#define MAX_PACKET_OFF 0xffff



static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,

				       const struct bpf_call_arg_meta *meta)

				       const struct bpf_call_arg_meta *meta,

				       enum bpf_access_type t)

{

	switch (env->prog->type) {

	case BPF_PROG_TYPE_LWT_IN:

	case BPF_PROG_TYPE_LWT_OUT:

		/* dst_input() and dst_output() can't write for now */

		if (t == BPF_WRITE)

			return false;

	case BPF_PROG_TYPE_SCHED_CLS:

	case BPF_PROG_TYPE_SCHED_ACT:

	case BPF_PROG_TYPE_XDP:

	case BPF_PROG_TYPE_LWT_XMIT:

		if (meta)

			return meta->pkt_access;
@@ -837,7 +844,7 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off, 
			err = check_stack_read(state, off, size, value_regno);

		}

	} else if (state->regs[regno].type == PTR_TO_PACKET) {

		if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL)) {

		if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {

			verbose("cannot write into packet\n");

			return -EACCES;

		}
@@ -970,7 +977,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno, 
		return 0;

	}



	if (type == PTR_TO_PACKET && !may_access_direct_pkt_data(env, meta)) {

	if (type == PTR_TO_PACKET &&

	    !may_access_direct_pkt_data(env, meta, BPF_READ)) {

		verbose("helper access to the packet is not allowed\n");

		return -EACCES;

	}

net/Kconfig

+8 −0
Original line number Diff line number Diff line
@@ -402,6 +402,14 @@ config LWTUNNEL 
	  weight tunnel endpoint. Tunnel encapsulation parameters are stored

	  with light weight tunnel state associated with fib routes.



config LWTUNNEL_BPF

	bool "Execute BPF program as route nexthop action"

	depends on LWTUNNEL

	default y if LWTUNNEL=y

	---help---

	  Allows to run BPF programs as a nexthop action following a route

	  lookup for incoming and outgoing packets.



config DST_CACHE

	bool

	default n