diff mbox series

net: core: set skb useful vars in __bpf_tx_skb

Message ID 20211029015431.32516-1-xiangxia.m.yue@gmail.com (mailing list archive)
State Changes Requested
Delegated to: BPF
Headers show
Series net: core: set skb useful vars in __bpf_tx_skb | expand

Checks

Context Check Description
netdev/cover_letter success Single patches do not need cover letters
netdev/fixes_present success Fixes tag not required for -next series
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers warning 9 maintainers not CCed: john.fastabend@gmail.com yhs@fb.com songliubraving@fb.com bpf@vger.kernel.org kafai@fb.com kpsingh@kernel.org davem@davemloft.net ast@kernel.org andrii@kernel.org
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 26 this patch: 26
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Fixes tag looks correct
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 20 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 26 this patch: 26
netdev/header_inline success No static functions without inline keyword in header files
bpf/vmtest-bpf-next-PR fail PR summary
bpf/vmtest-bpf fail VM_Test
bpf/vmtest-bpf-PR fail PR summary
bpf/vmtest-bpf-next fail VM_Test

Commit Message

Tonghao Zhang Oct. 29, 2021, 1:54 a.m. UTC 
From: Tonghao Zhang <xiangxia.m.yue@gmail.com>

We may use bpf_redirect to redirect the packets to other
netdevice (e.g. ifb) in ingress and egress path.

The target netdevice may check the *skb_iif, *redirected
and *from_ingress, for example, if skb_iif or redirected
is 0, ifb will drop the packets.

Fixes: a70b506efe89 ("bpf: enforce recursion limit on redirects")
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
---
 net/core/filter.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

Comments

Daniel Borkmann Nov. 1, 2021, 9:46 p.m. UTC | #1 
On 10/29/21 3:54 AM, xiangxia.m.yue@gmail.com wrote:
[...]
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 4bace37a6a44..2dbff0944768 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -2107,9 +2107,19 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
>   		return -ENETDOWN;
>   	}
>   
> -	skb->dev = dev;
> +	/* The target netdevice (e.g. ifb) may use the:
> +	 * - skb_iif
> +	 * - redirected
> +	 * - from_ingress
> +	 */
> +	skb->skb_iif = skb->dev->ifindex;

This doesn't look right to me to set it unconditionally in tx path, isn't ifb_ri_tasklet()
setting skb->skb_iif in this case (or __netif_receive_skb_core() in main rx path)?

Also, I would suggest to add a proper BPF selftest which outlines the issue you're solving
in here.

> +#ifdef CONFIG_NET_CLS_ACT
> +	skb_set_redirected(skb, skb->tc_at_ingress);
> +#else
>   	skb->tstamp = 0;
> +#endif
>   
> +	skb->dev = dev;
>   	dev_xmit_recursion_inc();
>   	ret = dev_queue_xmit(skb);
>   	dev_xmit_recursion_dec();
>
Tonghao Zhang Nov. 2, 2021, 1:58 a.m. UTC | #2 
On Tue, Nov 2, 2021 at 5:46 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
>
> On 10/29/21 3:54 AM, xiangxia.m.yue@gmail.com wrote:
> [...]
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 4bace37a6a44..2dbff0944768 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -2107,9 +2107,19 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
> >               return -ENETDOWN;
> >       }
> >
> > -     skb->dev = dev;
> > +     /* The target netdevice (e.g. ifb) may use the:
> > +      * - skb_iif
> > +      * - redirected
> > +      * - from_ingress
> > +      */
> > +     skb->skb_iif = skb->dev->ifindex;
>
> This doesn't look right to me to set it unconditionally in tx path, isn't ifb_ri_tasklet()
> setting skb->skb_iif in this case (or __netif_receive_skb_core() in main rx path)?
Hi
the act_mirred set the skb->skb_iif, redirected and from_ingress. and
__netif_receive_skb_core also set skb->skb_iif.
so we can use the act_mirred to ifb in ingress or egress path.
For ingress, when we use the bpf_redirct to ifb, we should set
redirected, and from_ingress.
For egress, when we use the bpf_redirct to ifb, we should skb_iif ,
set redirected, and from_ingress.

> Also, I would suggest to add a proper BPF selftest which outlines the issue you're solving
> in here.
Ok, thanks.
> > +#ifdef CONFIG_NET_CLS_ACT
> > +     skb_set_redirected(skb, skb->tc_at_ingress);
> > +#else
> >       skb->tstamp = 0;
> > +#endif
> >
> > +     skb->dev = dev;
> >       dev_xmit_recursion_inc();
> >       ret = dev_queue_xmit(skb);
> >       dev_xmit_recursion_dec();
> >
>
Tonghao Zhang Nov. 4, 2021, 1:31 a.m. UTC | #3 
On Tue, Nov 2, 2021 at 9:58 AM Tonghao Zhang <xiangxia.m.yue@gmail.com> wrote:
>
> On Tue, Nov 2, 2021 at 5:46 AM Daniel Borkmann <daniel@iogearbox.net> wrote:
> >
> > On 10/29/21 3:54 AM, xiangxia.m.yue@gmail.com wrote:
> > [...]
> > > diff --git a/net/core/filter.c b/net/core/filter.c
> > > index 4bace37a6a44..2dbff0944768 100644
> > > --- a/net/core/filter.c
> > > +++ b/net/core/filter.c
> > > @@ -2107,9 +2107,19 @@ static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
> > >               return -ENETDOWN;
> > >       }
> > >
> > > -     skb->dev = dev;
> > > +     /* The target netdevice (e.g. ifb) may use the:
> > > +      * - skb_iif
> > > +      * - redirected
> > > +      * - from_ingress
> > > +      */
> > > +     skb->skb_iif = skb->dev->ifindex;
> >
> > This doesn't look right to me to set it unconditionally in tx path, isn't ifb_ri_tasklet()
> > setting skb->skb_iif in this case (or __netif_receive_skb_core() in main rx path)?
> Hi
> the act_mirred set the skb->skb_iif, redirected and from_ingress. and
> __netif_receive_skb_core also set skb->skb_iif.
> so we can use the act_mirred to ifb in ingress or egress path.
> For ingress, when we use the bpf_redirct to ifb, we should set
> redirected, and from_ingress.
> For egress, when we use the bpf_redirct to ifb, we should skb_iif ,
> set redirected, and from_ingress.
Hi Daniel,
because we don't know bpf_redirct invoked in tx path, or rx path.
can we set the  skb->skb_iif unconditionally in bpf_redirct? any thoughts?

> > Also, I would suggest to add a proper BPF selftest which outlines the issue you're solving
> > in here.
> Ok, thanks.
> > > +#ifdef CONFIG_NET_CLS_ACT
> > > +     skb_set_redirected(skb, skb->tc_at_ingress);
> > > +#else
> > >       skb->tstamp = 0;
> > > +#endif
> > >
> > > +     skb->dev = dev;
> > >       dev_xmit_recursion_inc();
> > >       ret = dev_queue_xmit(skb);
> > >       dev_xmit_recursion_dec();
> > >
> >
>
>
> --
> Best regards, Tonghao
diff mbox series

Patch

diff --git a/net/core/filter.c b/net/core/filter.c
index 4bace37a6a44..2dbff0944768 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2107,9 +2107,19 @@  static inline int __bpf_tx_skb(struct net_device *dev, struct sk_buff *skb)
 		return -ENETDOWN;
 	}
 
-	skb->dev = dev;
+	/* The target netdevice (e.g. ifb) may use the:
+	 * - skb_iif
+	 * - redirected
+	 * - from_ingress
+	 */
+	skb->skb_iif = skb->dev->ifindex;
+#ifdef CONFIG_NET_CLS_ACT
+	skb_set_redirected(skb, skb->tc_at_ingress);
+#else
 	skb->tstamp = 0;
+#endif
 
+	skb->dev = dev;
 	dev_xmit_recursion_inc();
 	ret = dev_queue_xmit(skb);
 	dev_xmit_recursion_dec();