diff mbox series

[bpf-next,2/2] bpf/flow_dissector: Introduce BPF_FLOW_DISSECTOR_CONTINUE retcode for flow-dissector bpf progs

Message ID 20220818062405.947643-3-shmulik.ladkani@gmail.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series flow_dissector: Allow bpf flow-dissector progs to request fallback to normal dissection | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for bpf-next, async
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Series has a cover letter
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 1724 this patch: 1724
netdev/cc_maintainers warning 15 maintainers not CCed: john.fastabend@gmail.com song@kernel.org martin.lau@linux.dev davem@davemloft.net daniel@iogearbox.net wojciech.drewek@intel.com netdev@vger.kernel.org edumazet@google.com andrii@kernel.org kpsingh@kernel.org kuba@kernel.org jolsa@kernel.org pabeni@redhat.com haoluo@google.com yhs@fb.com
netdev/build_clang success Errors and warnings before: 177 this patch: 177
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 1718 this patch: 1718
netdev/checkpatch warning WARNING: From:/Signed-off-by: email address mismatch: 'From: Shmulik Ladkani <shmulik@metanetworks.com>' != 'Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>'
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-next-VM_Test-4 success Logs for llvm-toolchain
bpf/vmtest-bpf-next-VM_Test-5 success Logs for set-matrix
bpf/vmtest-bpf-next-VM_Test-1 success Logs for Kernel LATEST on ubuntu-latest with gcc
bpf/vmtest-bpf-next-VM_Test-2 success Logs for Kernel LATEST on ubuntu-latest with llvm-16
bpf/vmtest-bpf-next-PR success PR summary
bpf/vmtest-bpf-next-VM_Test-3 success Logs for Kernel LATEST on z15 with gcc

Commit Message

Shmulik Ladkani Aug. 18, 2022, 6:24 a.m. UTC 
Currently, attaching BPF_PROG_TYPE_FLOW_DISSECTOR programs completely
replaces the flow-dissector logic with custom dissection logic.
This forces implementors to write programs that handle dissection for
any flows expected in the namespace.

It makes sense for flow-dissector bpf programs to just augment the
dissector with custom logic (e.g. dissecting certain flows or custom
protocols), while enjoying the broad capabilities of the standard
dissector for any other traffic.

Introduce BPF_FLOW_DISSECTOR_CONTINUE retcode. Flow-dissector bpf
programs may return this to indicate no dissection was made, and
fallback to the standard dissector is requested.

Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
---
 include/uapi/linux/bpf.h  | 5 +++++
 net/core/flow_dissector.c | 3 +++
 2 files changed, 8 insertions(+)

Comments

Stanislav Fomichev Aug. 18, 2022, 4:12 p.m. UTC | #1 
On Wed, Aug 17, 2022 at 11:24 PM Shmulik Ladkani
<shmulik@metanetworks.com> wrote:
>
> Currently, attaching BPF_PROG_TYPE_FLOW_DISSECTOR programs completely
> replaces the flow-dissector logic with custom dissection logic.
> This forces implementors to write programs that handle dissection for
> any flows expected in the namespace.
>
> It makes sense for flow-dissector bpf programs to just augment the
> dissector with custom logic (e.g. dissecting certain flows or custom
> protocols), while enjoying the broad capabilities of the standard
> dissector for any other traffic.
>
> Introduce BPF_FLOW_DISSECTOR_CONTINUE retcode. Flow-dissector bpf
> programs may return this to indicate no dissection was made, and
> fallback to the standard dissector is requested.

Some historic perspective: the original goal was to explicitly not
fallback to the c code.
It seems like it should be fine with this extra return code.
But let's also extend tools/testing/selftests/bpf/progs/bpf_flow.c
with a case that exercises this new return code?

> Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
> ---
>  include/uapi/linux/bpf.h  | 5 +++++
>  net/core/flow_dissector.c | 3 +++
>  2 files changed, 8 insertions(+)
>
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index 7bf9ba1329be..6d6654da7cef 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -5836,6 +5836,11 @@ enum bpf_ret_code {
>          *    represented by BPF_REDIRECT above).
>          */
>         BPF_LWT_REROUTE = 128,
> +       /* BPF_FLOW_DISSECTOR_CONTINUE: used by BPF_PROG_TYPE_FLOW_DISSECTOR
> +        *   to indicate that no custom dissection was performed, and
> +        *   fallback to standard dissector is requested.
> +        */
> +       BPF_FLOW_DISSECTOR_CONTINUE = 129,
>  };

Is it too late to also amend verifier's check_return_code to allow
only a small subset of return types for flow-disccestor program type?

>  struct bpf_sock {
> diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
> index a01817fb4ef4..990429c69ccd 100644
> --- a/net/core/flow_dissector.c
> +++ b/net/core/flow_dissector.c
> @@ -1022,11 +1022,14 @@ bool __skb_flow_dissect(const struct net *net,
>                         prog = READ_ONCE(run_array->items[0].prog);
>                         result = bpf_flow_dissect(prog, &ctx, n_proto, nhoff,
>                                                   hlen, flags);
> +                       if (result == BPF_FLOW_DISSECTOR_CONTINUE)
> +                               goto dissect_continue;
>                         __skb_flow_bpf_to_target(&flow_keys, flow_dissector,
>                                                  target_container);
>                         rcu_read_unlock();
>                         return result == BPF_OK;
>                 }
> +dissect_continue:
>                 rcu_read_unlock();
>         }
>
> --
> 2.37.1
>
Shmulik Ladkani Aug. 21, 2022, 9:24 a.m. UTC | #2 
On Thu, 18 Aug 2022 09:12:43 -0700
Stanislav Fomichev <sdf@google.com> wrote:

> Some historic perspective: the original goal was to explicitly not
> fallback to the c code.
> It seems like it should be fine with this extra return code.
> But let's also extend tools/testing/selftests/bpf/progs/bpf_flow.c
> with a case that exercises this new return code?

OK, will re-submit with a test.

> Is it too late to also amend verifier's check_return_code to allow
> only a small subset of return types for flow-disccestor program type?

Well, wouldn't that be too late now? there might be progs out there with
different codes. In any case, I don't think adding this is related to this
series.

Best,
Shmulik
diff mbox series

Patch

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 7bf9ba1329be..6d6654da7cef 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -5836,6 +5836,11 @@  enum bpf_ret_code {
 	 *    represented by BPF_REDIRECT above).
 	 */
 	BPF_LWT_REROUTE = 128,
+	/* BPF_FLOW_DISSECTOR_CONTINUE: used by BPF_PROG_TYPE_FLOW_DISSECTOR
+	 *   to indicate that no custom dissection was performed, and
+	 *   fallback to standard dissector is requested.
+	 */
+	BPF_FLOW_DISSECTOR_CONTINUE = 129,
 };
 
 struct bpf_sock {
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index a01817fb4ef4..990429c69ccd 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1022,11 +1022,14 @@  bool __skb_flow_dissect(const struct net *net,
 			prog = READ_ONCE(run_array->items[0].prog);
 			result = bpf_flow_dissect(prog, &ctx, n_proto, nhoff,
 						  hlen, flags);
+			if (result == BPF_FLOW_DISSECTOR_CONTINUE)
+				goto dissect_continue;
 			__skb_flow_bpf_to_target(&flow_keys, flow_dissector,
 						 target_container);
 			rcu_read_unlock();
 			return result == BPF_OK;
 		}
+dissect_continue:
 		rcu_read_unlock();
 	}