| Message ID | 160571337537.2801246.15228178384451037535.stgit@firesoul (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | BPF |
| Headers | show |
| Series | bpf: New approach for BPF MTU handling | expand |
| Context | Check | Description |
|---|---|---|
| netdev/apply | fail | Patch does not apply to bpf-next |
| netdev/tree_selection | success | Clearly marked for bpf-next |
On Wed, 18 Nov 2020 16:29:35 +0100 Jesper Dangaard Brouer <brouer@redhat.com> wrote: > BPF end-user on Cilium slack-channel (Carlo Carraro) wants to use > bpf_fib_lookup for doing MTU-check, but *prior* to extending packet size, > by adjusting fib_params 'tot_len' with the packet length plus the > expected encap size. (Just like the bpf_check_mtu helper supports). He > discovered that for SKB ctx the param->tot_len was not used, instead > skb->len was used (via MTU check in is_skb_forwardable()). > > Fix this by using fib_params 'tot_len' for MTU check. If not provided > (e.g. zero) then keep existing behaviour intact. Carlo pointed out (in slack) that the logic is not correctly implemented in this patch. I will send a V7. > Fixes: 4c79579b44b1 ("bpf: Change bpf_fib_lookup to return lookup status") > Reported-by: Carlo Carraro <colrack@gmail.com> > Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> > --- > net/core/filter.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/net/core/filter.c b/net/core/filter.c > index 1ee97fdeea64..ae1fe8e6069a 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -5567,10 +5567,20 @@ BPF_CALL_4(bpf_skb_fib_lookup, struct sk_buff *, skb, > > if (!rc) { > struct net_device *dev; > + u32 mtu; > > dev = dev_get_by_index_rcu(net, params->ifindex); > - if (!is_skb_forwardable(dev, skb)) > + mtu = dev->mtu; > + > + /* Using tot_len for L3 MTU check if provided by user. Notice at > + * this TC cls_bpf level skb->len contains L2 size, but > + * is_skb_forwardable takes that into account. > + */ > + if (params->tot_len > mtu) { > rc = BPF_FIB_LKUP_RET_FRAG_NEEDED; > + } else if (!is_skb_forwardable(dev, skb)) { > + rc = BPF_FIB_LKUP_RET_FRAG_NEEDED; > + } > } > > return rc;
Hi
I report here the issue with the previous patch.
The code is now checking against params->tot_len but then it is still
using is_skb_forwardable.
Consider this case where I shrink the packet:
skb->len == 1520
dev->mtu == 1500
params->tot_len == 1480
So the incoming pkt has len 1520, and the out interface has mtu 1500.
In this case fragmentation is not needed because params->tot_len < dev->mtu.
However the code calls is_skb_forwardable and may return false because
skb->len > dev->mtu, resulting in BPF_FIB_LKUP_RET_FRAG_NEEDED.
What I propose is using params->tot_len only if provided, without
falling back to use is_skb_forwardable when provided.
Something like this:
if (params->tot_len > 0) {
if (params->tot_len > mtu)
rc = BPF_FIB_LKUP_RET_FRAG_NEEDED;
} else if (!is_skb_forwardable(dev, skb)) {
rc = BPF_FIB_LKUP_RET_FRAG_NEEDED;
}
However, doing so we are skipping more relaxed MTU checks inside
is_skb_forwardable, so I'm not sure about this.
Please comment
Il giorno ven 20 nov 2020 alle ore 09:26 Jesper Dangaard Brouer
<brouer@redhat.com> ha scritto:
>
> On Wed, 18 Nov 2020 16:29:35 +0100
> Jesper Dangaard Brouer <brouer@redhat.com> wrote:
>
> > BPF end-user on Cilium slack-channel (Carlo Carraro) wants to use
> > bpf_fib_lookup for doing MTU-check, but *prior* to extending packet size,
> > by adjusting fib_params 'tot_len' with the packet length plus the
> > expected encap size. (Just like the bpf_check_mtu helper supports). He
> > discovered that for SKB ctx the param->tot_len was not used, instead
> > skb->len was used (via MTU check in is_skb_forwardable()).
> >
> > Fix this by using fib_params 'tot_len' for MTU check. If not provided
> > (e.g. zero) then keep existing behaviour intact.
>
> Carlo pointed out (in slack) that the logic is not correctly
> implemented in this patch.
>
> I will send a V7.
>
>
> > Fixes: 4c79579b44b1 ("bpf: Change bpf_fib_lookup to return lookup status")
> > Reported-by: Carlo Carraro <colrack@gmail.com>
> > Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
> > ---
> > net/core/filter.c | 12 +++++++++++-
> > 1 file changed, 11 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 1ee97fdeea64..ae1fe8e6069a 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -5567,10 +5567,20 @@ BPF_CALL_4(bpf_skb_fib_lookup, struct sk_buff *, skb,
> >
> > if (!rc) {
> > struct net_device *dev;
> > + u32 mtu;
> >
> > dev = dev_get_by_index_rcu(net, params->ifindex);
> > - if (!is_skb_forwardable(dev, skb))
> > + mtu = dev->mtu;
> > +
> > + /* Using tot_len for L3 MTU check if provided by user. Notice at
> > + * this TC cls_bpf level skb->len contains L2 size, but
> > + * is_skb_forwardable takes that into account.
> > + */
> > + if (params->tot_len > mtu) {
> > rc = BPF_FIB_LKUP_RET_FRAG_NEEDED;
> > + } else if (!is_skb_forwardable(dev, skb)) {
> > + rc = BPF_FIB_LKUP_RET_FRAG_NEEDED;
> > + }
> > }
> >
> > return rc;
>
> --
> Best regards,
> Jesper Dangaard Brouer
> MSc.CS, Principal Kernel Engineer at Red Hat
> LinkedIn: http://www.linkedin.com/in/brouer
>
On 11/20/20 6:15 AM, Carlo Carraro wrote: > I report here the issue with the previous patch. > The code is now checking against params->tot_len but then it is still > using is_skb_forwardable. > Consider this case where I shrink the packet: > skb->len == 1520 > dev->mtu == 1500 > params->tot_len == 1480 > So the incoming pkt has len 1520, and the out interface has mtu 1500. > In this case fragmentation is not needed because params->tot_len < dev->mtu. > However the code calls is_skb_forwardable and may return false because > skb->len > dev->mtu, resulting in BPF_FIB_LKUP_RET_FRAG_NEEDED. > What I propose is using params->tot_len only if provided, without > falling back to use is_skb_forwardable when provided. > Something like this: > > if (params->tot_len > 0) { > if (params->tot_len > mtu) > rc = BPF_FIB_LKUP_RET_FRAG_NEEDED; > } else if (!is_skb_forwardable(dev, skb)) { > rc = BPF_FIB_LKUP_RET_FRAG_NEEDED; > } > > However, doing so we are skipping more relaxed MTU checks inside > is_skb_forwardable, so I'm not sure about this. > Please comment Daniel's just proposed patch changes this again (removes the is_skb_forwardable check). Jesper: you might want to hold off until that happens.
diff --git a/net/core/filter.c b/net/core/filter.c index 1ee97fdeea64..ae1fe8e6069a 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -5567,10 +5567,20 @@ BPF_CALL_4(bpf_skb_fib_lookup, struct sk_buff *, skb, if (!rc) { struct net_device *dev; + u32 mtu; dev = dev_get_by_index_rcu(net, params->ifindex); - if (!is_skb_forwardable(dev, skb)) + mtu = dev->mtu; + + /* Using tot_len for L3 MTU check if provided by user. Notice at + * this TC cls_bpf level skb->len contains L2 size, but + * is_skb_forwardable takes that into account. + */ + if (params->tot_len > mtu) { rc = BPF_FIB_LKUP_RET_FRAG_NEEDED; + } else if (!is_skb_forwardable(dev, skb)) { + rc = BPF_FIB_LKUP_RET_FRAG_NEEDED; + } } return rc;
BPF end-user on Cilium slack-channel (Carlo Carraro) wants to use bpf_fib_lookup for doing MTU-check, but *prior* to extending packet size, by adjusting fib_params 'tot_len' with the packet length plus the expected encap size. (Just like the bpf_check_mtu helper supports). He discovered that for SKB ctx the param->tot_len was not used, instead skb->len was used (via MTU check in is_skb_forwardable()). Fix this by using fib_params 'tot_len' for MTU check. If not provided (e.g. zero) then keep existing behaviour intact. Fixes: 4c79579b44b1 ("bpf: Change bpf_fib_lookup to return lookup status") Reported-by: Carlo Carraro <colrack@gmail.com> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> --- net/core/filter.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)