| Message ID | 20220721134245.2450-1-memxor@gmail.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | New nf_conntrack kfuncs for insertion, changing timeout, status | expand |
On Thu, Jul 21, 2022 at 6:43 AM Kumar Kartikeya Dwivedi <memxor@gmail.com> wrote: > > Introduce the following new kfuncs: > - bpf_{xdp,skb}_ct_alloc > - bpf_ct_insert_entry > - bpf_ct_{set,change}_timeout > - bpf_ct_{set,change}_status > > The setting of timeout and status on allocated or inserted/looked up CT > is same as the ctnetlink interface, hence code is refactored and shared > with the kfuncs. It is ensured allocated CT cannot be passed to kfuncs > that expected inserted CT, and vice versa. Please see individual patches > for details. > Is it expected that using these helpers and the kernel's conntrack to manage connection state from XDP will outperform using maps and eBPF timers (for XDP use cases that don't have a userspace component that also needs the information in conntrack)? Have you done any benchmarking on the performance of using conntrack from XDP? Thanks! --Zvi > Changelog: > ---------- > v6 -> v7: > v6: https://lore.kernel.org/bpf/20220719132430.19993-1-memxor@gmail.com > > * Use .long to encode flags (Alexei) > * Fix description of KF_RET_NULL in documentation (Toke) > > v5 -> v6: > v5: https://lore.kernel.org/bpf/20220623192637.3866852-1-memxor@gmail.com > > * Introduce kfunc flags, rework verifier to work with them > * Add documentation for kfuncs > * Add comment explaining TRUSTED_ARGS kfunc flag (Alexei) > * Fix missing offset check for trusted arguments (Alexei) > * Change nf_conntrack test minimum delta value to 8 > > v4 -> v5: > v4: https://lore.kernel.org/bpf/cover.1653600577.git.lorenzo@kernel.org > > * Drop read-only PTR_TO_BTF_ID approach, use struct nf_conn___init (Alexei) > * Drop acquire release pair code that is no longer required (Alexei) > * Disable writes into nf_conn, use dedicated helpers (Florian, Alexei) > * Refactor and share ctnetlink code for setting timeout and status > * Do strict type matching on finding __ref suffix on argument to > prevent passing nf_conn___init as nf_conn (offset = 0, match on walk) > * Remove bpf_ct_opts parameter from bpf_ct_insert_entry > * Update selftests for new additions, add more negative tests > > v3 -> v4: > v3: https://lore.kernel.org/bpf/cover.1652870182.git.lorenzo@kernel.org > > * split bpf_xdp_ct_add in bpf_xdp_ct_alloc/bpf_skb_ct_alloc and > bpf_ct_insert_entry > * add verifier code to properly populate/configure ct entry > * improve selftests > > v2 -> v3: > v2: https://lore.kernel.org/bpf/cover.1652372970.git.lorenzo@kernel.org > > * add bpf_xdp_ct_add and bpf_ct_refresh_timeout kfunc helpers > * remove conntrack dependency from selftests > * add support for forcing kfunc args to be referenced and related selftests > > v1 -> v2: > v1: https://lore.kernel.org/bpf/1327f8f5696ff2bc60400e8f3b79047914ccc837.1651595019.git.lorenzo@kernel.org > > * add bpf_ct_refresh_timeout kfunc selftest > > Kumar Kartikeya Dwivedi (10): > bpf: Introduce 8-byte BTF set > tools/resolve_btfids: Add support for 8-byte BTF sets > bpf: Switch to new kfunc flags infrastructure > bpf: Add support for forcing kfunc args to be trusted > bpf: Add documentation for kfuncs > net: netfilter: Deduplicate code in bpf_{xdp,skb}_ct_lookup > net: netfilter: Add kfuncs to set and change CT timeout > selftests/bpf: Add verifier tests for trusted kfunc args > selftests/bpf: Add negative tests for new nf_conntrack kfuncs > selftests/bpf: Fix test_verifier failed test in unprivileged mode > > Lorenzo Bianconi (3): > net: netfilter: Add kfuncs to allocate and insert CT > net: netfilter: Add kfuncs to set and change CT status > selftests/bpf: Add tests for new nf_conntrack kfuncs > > Documentation/bpf/index.rst | 1 + > Documentation/bpf/kfuncs.rst | 170 ++++++++ > include/linux/bpf.h | 3 +- > include/linux/btf.h | 65 ++-- > include/linux/btf_ids.h | 68 +++- > include/net/netfilter/nf_conntrack_core.h | 19 + > kernel/bpf/btf.c | 123 +++--- > kernel/bpf/verifier.c | 14 +- > net/bpf/test_run.c | 75 ++-- > net/ipv4/bpf_tcp_ca.c | 18 +- > net/ipv4/tcp_bbr.c | 24 +- > net/ipv4/tcp_cubic.c | 20 +- > net/ipv4/tcp_dctcp.c | 20 +- > net/netfilter/nf_conntrack_bpf.c | 365 +++++++++++++----- > net/netfilter/nf_conntrack_core.c | 62 +++ > net/netfilter/nf_conntrack_netlink.c | 54 +-- > tools/bpf/resolve_btfids/main.c | 40 +- > .../selftests/bpf/bpf_testmod/bpf_testmod.c | 10 +- > .../testing/selftests/bpf/prog_tests/bpf_nf.c | 64 ++- > .../testing/selftests/bpf/progs/test_bpf_nf.c | 85 +++- > .../selftests/bpf/progs/test_bpf_nf_fail.c | 134 +++++++ > .../selftests/bpf/verifier/bpf_loop_inline.c | 1 + > tools/testing/selftests/bpf/verifier/calls.c | 53 +++ > 23 files changed, 1139 insertions(+), 349 deletions(-) > create mode 100644 Documentation/bpf/kfuncs.rst > create mode 100644 tools/testing/selftests/bpf/progs/test_bpf_nf_fail.c > > -- > 2.34.1 >
On Thu, 21 Jul 2022 at 19:29, Zvi Effron <zeffron@riotgames.com> wrote: > > On Thu, Jul 21, 2022 at 6:43 AM Kumar Kartikeya Dwivedi > <memxor@gmail.com> wrote: > > > > Introduce the following new kfuncs: > > - bpf_{xdp,skb}_ct_alloc > > - bpf_ct_insert_entry > > - bpf_ct_{set,change}_timeout > > - bpf_ct_{set,change}_status > > > > The setting of timeout and status on allocated or inserted/looked up CT > > is same as the ctnetlink interface, hence code is refactored and shared > > with the kfuncs. It is ensured allocated CT cannot be passed to kfuncs > > that expected inserted CT, and vice versa. Please see individual patches > > for details. > > > > Is it expected that using these helpers and the kernel's conntrack to manage > connection state from XDP will outperform using maps and eBPF timers (for XDP > use cases that don't have a userspace component that also needs the information > in conntrack)? Have you done any benchmarking on the performance of using > conntrack from XDP? > No, I haven't done any benchmarking against a BPF based conntrack. The goal here is to give XDP and TC programs access to kernel's existing conntrack, so that in cases where implementing one in BPF is not desired/needed, the user can leverage the existing implementation in the kernel. > Thanks! > --Zvi > > > Changelog: > > ---------- > > v6 -> v7: > > v6: https://lore.kernel.org/bpf/20220719132430.19993-1-memxor@gmail.com > > > > * Use .long to encode flags (Alexei) > > * Fix description of KF_RET_NULL in documentation (Toke) > > > > v5 -> v6: > > v5: https://lore.kernel.org/bpf/20220623192637.3866852-1-memxor@gmail.com > > > > * Introduce kfunc flags, rework verifier to work with them > > * Add documentation for kfuncs > > * Add comment explaining TRUSTED_ARGS kfunc flag (Alexei) > > * Fix missing offset check for trusted arguments (Alexei) > > * Change nf_conntrack test minimum delta value to 8 > > > > v4 -> v5: > > v4: https://lore.kernel.org/bpf/cover.1653600577.git.lorenzo@kernel.org > > > > * Drop read-only PTR_TO_BTF_ID approach, use struct nf_conn___init (Alexei) > > * Drop acquire release pair code that is no longer required (Alexei) > > * Disable writes into nf_conn, use dedicated helpers (Florian, Alexei) > > * Refactor and share ctnetlink code for setting timeout and status > > * Do strict type matching on finding __ref suffix on argument to > > prevent passing nf_conn___init as nf_conn (offset = 0, match on walk) > > * Remove bpf_ct_opts parameter from bpf_ct_insert_entry > > * Update selftests for new additions, add more negative tests > > > > v3 -> v4: > > v3: https://lore.kernel.org/bpf/cover.1652870182.git.lorenzo@kernel.org > > > > * split bpf_xdp_ct_add in bpf_xdp_ct_alloc/bpf_skb_ct_alloc and > > bpf_ct_insert_entry > > * add verifier code to properly populate/configure ct entry > > * improve selftests > > > > v2 -> v3: > > v2: https://lore.kernel.org/bpf/cover.1652372970.git.lorenzo@kernel.org > > > > * add bpf_xdp_ct_add and bpf_ct_refresh_timeout kfunc helpers > > * remove conntrack dependency from selftests > > * add support for forcing kfunc args to be referenced and related selftests > > > > v1 -> v2: > > v1: https://lore.kernel.org/bpf/1327f8f5696ff2bc60400e8f3b79047914ccc837.1651595019.git.lorenzo@kernel.org > > > > * add bpf_ct_refresh_timeout kfunc selftest > > > > Kumar Kartikeya Dwivedi (10): > > bpf: Introduce 8-byte BTF set > > tools/resolve_btfids: Add support for 8-byte BTF sets > > bpf: Switch to new kfunc flags infrastructure > > bpf: Add support for forcing kfunc args to be trusted > > bpf: Add documentation for kfuncs > > net: netfilter: Deduplicate code in bpf_{xdp,skb}_ct_lookup > > net: netfilter: Add kfuncs to set and change CT timeout > > selftests/bpf: Add verifier tests for trusted kfunc args > > selftests/bpf: Add negative tests for new nf_conntrack kfuncs > > selftests/bpf: Fix test_verifier failed test in unprivileged mode > > > > Lorenzo Bianconi (3): > > net: netfilter: Add kfuncs to allocate and insert CT > > net: netfilter: Add kfuncs to set and change CT status > > selftests/bpf: Add tests for new nf_conntrack kfuncs > > > > Documentation/bpf/index.rst | 1 + > > Documentation/bpf/kfuncs.rst | 170 ++++++++ > > include/linux/bpf.h | 3 +- > > include/linux/btf.h | 65 ++-- > > include/linux/btf_ids.h | 68 +++- > > include/net/netfilter/nf_conntrack_core.h | 19 + > > kernel/bpf/btf.c | 123 +++--- > > kernel/bpf/verifier.c | 14 +- > > net/bpf/test_run.c | 75 ++-- > > net/ipv4/bpf_tcp_ca.c | 18 +- > > net/ipv4/tcp_bbr.c | 24 +- > > net/ipv4/tcp_cubic.c | 20 +- > > net/ipv4/tcp_dctcp.c | 20 +- > > net/netfilter/nf_conntrack_bpf.c | 365 +++++++++++++----- > > net/netfilter/nf_conntrack_core.c | 62 +++ > > net/netfilter/nf_conntrack_netlink.c | 54 +-- > > tools/bpf/resolve_btfids/main.c | 40 +- > > .../selftests/bpf/bpf_testmod/bpf_testmod.c | 10 +- > > .../testing/selftests/bpf/prog_tests/bpf_nf.c | 64 ++- > > .../testing/selftests/bpf/progs/test_bpf_nf.c | 85 +++- > > .../selftests/bpf/progs/test_bpf_nf_fail.c | 134 +++++++ > > .../selftests/bpf/verifier/bpf_loop_inline.c | 1 + > > tools/testing/selftests/bpf/verifier/calls.c | 53 +++ > > 23 files changed, 1139 insertions(+), 349 deletions(-) > > create mode 100644 Documentation/bpf/kfuncs.rst > > create mode 100644 tools/testing/selftests/bpf/progs/test_bpf_nf_fail.c > > > > -- > > 2.34.1 > >
Hello: This series was applied to bpf/bpf-next.git (master) by Alexei Starovoitov <ast@kernel.org>: On Thu, 21 Jul 2022 15:42:32 +0200 you wrote: > Introduce the following new kfuncs: > - bpf_{xdp,skb}_ct_alloc > - bpf_ct_insert_entry > - bpf_ct_{set,change}_timeout > - bpf_ct_{set,change}_status > > The setting of timeout and status on allocated or inserted/looked up CT > is same as the ctnetlink interface, hence code is refactored and shared > with the kfuncs. It is ensured allocated CT cannot be passed to kfuncs > that expected inserted CT, and vice versa. Please see individual patches > for details. > > [...] Here is the summary with links: - [bpf-next,v7,01/13] bpf: Introduce 8-byte BTF set https://git.kernel.org/bpf/bpf-next/c/ab21d6063c01 - [bpf-next,v7,02/13] tools/resolve_btfids: Add support for 8-byte BTF sets https://git.kernel.org/bpf/bpf-next/c/ef2c6f370a63 - [bpf-next,v7,03/13] bpf: Switch to new kfunc flags infrastructure https://git.kernel.org/bpf/bpf-next/c/a4703e318432 - [bpf-next,v7,04/13] bpf: Add support for forcing kfunc args to be trusted https://git.kernel.org/bpf/bpf-next/c/56e948ffc098 - [bpf-next,v7,05/13] bpf: Add documentation for kfuncs https://git.kernel.org/bpf/bpf-next/c/63e564ebd1fd - [bpf-next,v7,06/13] net: netfilter: Deduplicate code in bpf_{xdp,skb}_ct_lookup https://git.kernel.org/bpf/bpf-next/c/aed8ee7feb44 - [bpf-next,v7,07/13] net: netfilter: Add kfuncs to allocate and insert CT https://git.kernel.org/bpf/bpf-next/c/d7e79c97c00c - [bpf-next,v7,08/13] net: netfilter: Add kfuncs to set and change CT timeout https://git.kernel.org/bpf/bpf-next/c/0b3892364431 - [bpf-next,v7,09/13] net: netfilter: Add kfuncs to set and change CT status https://git.kernel.org/bpf/bpf-next/c/ef69aa3a986e - [bpf-next,v7,10/13] selftests/bpf: Add verifier tests for trusted kfunc args https://git.kernel.org/bpf/bpf-next/c/8dd5e75683f7 - [bpf-next,v7,11/13] selftests/bpf: Add tests for new nf_conntrack kfuncs https://git.kernel.org/bpf/bpf-next/c/6eb7fba007a7 - [bpf-next,v7,12/13] selftests/bpf: Add negative tests for new nf_conntrack kfuncs https://git.kernel.org/bpf/bpf-next/c/c6f420ac9d25 - [bpf-next,v7,13/13] selftests/bpf: Fix test_verifier failed test in unprivileged mode https://git.kernel.org/bpf/bpf-next/c/e3fa4735f04d You are awesome, thank you!
Introduce the following new kfuncs: - bpf_{xdp,skb}_ct_alloc - bpf_ct_insert_entry - bpf_ct_{set,change}_timeout - bpf_ct_{set,change}_status The setting of timeout and status on allocated or inserted/looked up CT is same as the ctnetlink interface, hence code is refactored and shared with the kfuncs. It is ensured allocated CT cannot be passed to kfuncs that expected inserted CT, and vice versa. Please see individual patches for details. Changelog: ---------- v6 -> v7: v6: https://lore.kernel.org/bpf/20220719132430.19993-1-memxor@gmail.com * Use .long to encode flags (Alexei) * Fix description of KF_RET_NULL in documentation (Toke) v5 -> v6: v5: https://lore.kernel.org/bpf/20220623192637.3866852-1-memxor@gmail.com * Introduce kfunc flags, rework verifier to work with them * Add documentation for kfuncs * Add comment explaining TRUSTED_ARGS kfunc flag (Alexei) * Fix missing offset check for trusted arguments (Alexei) * Change nf_conntrack test minimum delta value to 8 v4 -> v5: v4: https://lore.kernel.org/bpf/cover.1653600577.git.lorenzo@kernel.org * Drop read-only PTR_TO_BTF_ID approach, use struct nf_conn___init (Alexei) * Drop acquire release pair code that is no longer required (Alexei) * Disable writes into nf_conn, use dedicated helpers (Florian, Alexei) * Refactor and share ctnetlink code for setting timeout and status * Do strict type matching on finding __ref suffix on argument to prevent passing nf_conn___init as nf_conn (offset = 0, match on walk) * Remove bpf_ct_opts parameter from bpf_ct_insert_entry * Update selftests for new additions, add more negative tests v3 -> v4: v3: https://lore.kernel.org/bpf/cover.1652870182.git.lorenzo@kernel.org * split bpf_xdp_ct_add in bpf_xdp_ct_alloc/bpf_skb_ct_alloc and bpf_ct_insert_entry * add verifier code to properly populate/configure ct entry * improve selftests v2 -> v3: v2: https://lore.kernel.org/bpf/cover.1652372970.git.lorenzo@kernel.org * add bpf_xdp_ct_add and bpf_ct_refresh_timeout kfunc helpers * remove conntrack dependency from selftests * add support for forcing kfunc args to be referenced and related selftests v1 -> v2: v1: https://lore.kernel.org/bpf/1327f8f5696ff2bc60400e8f3b79047914ccc837.1651595019.git.lorenzo@kernel.org * add bpf_ct_refresh_timeout kfunc selftest Kumar Kartikeya Dwivedi (10): bpf: Introduce 8-byte BTF set tools/resolve_btfids: Add support for 8-byte BTF sets bpf: Switch to new kfunc flags infrastructure bpf: Add support for forcing kfunc args to be trusted bpf: Add documentation for kfuncs net: netfilter: Deduplicate code in bpf_{xdp,skb}_ct_lookup net: netfilter: Add kfuncs to set and change CT timeout selftests/bpf: Add verifier tests for trusted kfunc args selftests/bpf: Add negative tests for new nf_conntrack kfuncs selftests/bpf: Fix test_verifier failed test in unprivileged mode Lorenzo Bianconi (3): net: netfilter: Add kfuncs to allocate and insert CT net: netfilter: Add kfuncs to set and change CT status selftests/bpf: Add tests for new nf_conntrack kfuncs Documentation/bpf/index.rst | 1 + Documentation/bpf/kfuncs.rst | 170 ++++++++ include/linux/bpf.h | 3 +- include/linux/btf.h | 65 ++-- include/linux/btf_ids.h | 68 +++- include/net/netfilter/nf_conntrack_core.h | 19 + kernel/bpf/btf.c | 123 +++--- kernel/bpf/verifier.c | 14 +- net/bpf/test_run.c | 75 ++-- net/ipv4/bpf_tcp_ca.c | 18 +- net/ipv4/tcp_bbr.c | 24 +- net/ipv4/tcp_cubic.c | 20 +- net/ipv4/tcp_dctcp.c | 20 +- net/netfilter/nf_conntrack_bpf.c | 365 +++++++++++++----- net/netfilter/nf_conntrack_core.c | 62 +++ net/netfilter/nf_conntrack_netlink.c | 54 +-- tools/bpf/resolve_btfids/main.c | 40 +- .../selftests/bpf/bpf_testmod/bpf_testmod.c | 10 +- .../testing/selftests/bpf/prog_tests/bpf_nf.c | 64 ++- .../testing/selftests/bpf/progs/test_bpf_nf.c | 85 +++- .../selftests/bpf/progs/test_bpf_nf_fail.c | 134 +++++++ .../selftests/bpf/verifier/bpf_loop_inline.c | 1 + tools/testing/selftests/bpf/verifier/calls.c | 53 +++ 23 files changed, 1139 insertions(+), 349 deletions(-) create mode 100644 Documentation/bpf/kfuncs.rst create mode 100644 tools/testing/selftests/bpf/progs/test_bpf_nf_fail.c