From patchwork Thu May 12 16:34:10 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lorenzo Bianconi X-Patchwork-Id: 12847907
From: Lorenzo Bianconi To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, pablo@netfilter.org, fw@strlen.de, netfilter-devel@vger.kernel.org, lorenzo.bianconi@redhat.com, brouer@redhat.com, toke@redhat.com, memxor@gmail.com Subject: [PATCH v2 bpf-next 1/2] net: netfilter: add kfunc helper to update ct timeout Date: Thu, 12 May 2022 18:34:10 +0200 Message-Id: <98cb7b20eb889fc096354a0d791cf2b47fb42f1c.1652372970.git.lorenzo@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Introduce bpf_ct_refresh_timeout kfunc helper in order to update time nf_conn lifetime. Move timeout update logic in nf_ct_refresh_timeout utility routine. Acked-by: Kumar Kartikeya Dwivedi Signed-off-by: Lorenzo Bianconi --- include/net/netfilter/nf_conntrack.h | 1 + net/netfilter/nf_conntrack_bpf.c | 20 ++++++++++++++++++++ net/netfilter/nf_conntrack_core.c | 21 +++++++++++++-------- 3 files changed, 34 insertions(+), 8 deletions(-) diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 69e6c6a218be..02b7115b92d0 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -205,6 +205,7 @@ bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff, u_int16_t l3num, struct net *net, struct nf_conntrack_tuple *tuple); +void nf_ct_refresh_timeout(struct nf_conn *ct, u32 extra_jiffies); void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo, const struct sk_buff *skb, u32 extra_jiffies, bool do_acct); diff --git a/net/netfilter/nf_conntrack_bpf.c b/net/netfilter/nf_conntrack_bpf.c index bc4d5cd63a94..d6dcadf0e016 100644 --- a/net/netfilter/nf_conntrack_bpf.c +++ b/net/netfilter/nf_conntrack_bpf.c 
@@ -217,16 +217,36 @@ void bpf_ct_release(struct nf_conn *nfct) nf_ct_put(nfct); } +/* bpf_ct_refresh_timeout - Refresh nf_conn object + * + * Refresh timeout associated to the provided connection tracking entry. + * This must be invoked for referenced PTR_TO_BTF_ID. + * + * Parameters: + * @nf_conn - Pointer to referenced nf_conn object, obtained using + * bpf_xdp_ct_lookup or bpf_skb_ct_lookup. + * @timeout - delta time in msecs used to increase the ct entry lifetime. + */ +void bpf_ct_refresh_timeout(struct nf_conn *nfct, u32 timeout) +{ + if (!nfct) + return; + + nf_ct_refresh_timeout(nfct, msecs_to_jiffies(timeout)); +} + __diag_pop() BTF_SET_START(nf_ct_xdp_check_kfunc_ids) BTF_ID(func, bpf_xdp_ct_lookup) BTF_ID(func, bpf_ct_release) +BTF_ID(func, bpf_ct_refresh_timeout); BTF_SET_END(nf_ct_xdp_check_kfunc_ids) BTF_SET_START(nf_ct_tc_check_kfunc_ids) BTF_ID(func, bpf_skb_ct_lookup) BTF_ID(func, bpf_ct_release) +BTF_ID(func, bpf_ct_refresh_timeout); BTF_SET_END(nf_ct_tc_check_kfunc_ids) BTF_SET_START(nf_ct_acquire_kfunc_ids) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 0164e5f522e8..f43e743728bd 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -2030,16 +2030,11 @@ void nf_conntrack_alter_reply(struct nf_conn *ct, } EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply); -/* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */ -void __nf_ct_refresh_acct(struct nf_conn *ct, - enum ip_conntrack_info ctinfo, - const struct sk_buff *skb, - u32 extra_jiffies, - bool do_acct) +void nf_ct_refresh_timeout(struct nf_conn *ct, u32 extra_jiffies) { /* Only update if this is not a fixed timeout */ if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) - goto acct; + return; /* If not in hash table, timer will not be active yet */ if (nf_ct_is_confirmed(ct)) 
@@ -2047,7 +2042,17 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, if (READ_ONCE(ct->timeout) != extra_jiffies) WRITE_ONCE(ct->timeout, extra_jiffies); -acct: +} + +/* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */ +void __nf_ct_refresh_acct(struct nf_conn *ct, + enum ip_conntrack_info ctinfo, + const struct sk_buff *skb, + u32 extra_jiffies, + bool do_acct) +{ + nf_ct_refresh_timeout(ct, extra_jiffies); + if (do_acct) nf_ct_acct_update(ct, CTINFO2DIR(ctinfo), skb->len); } From patchwork Thu May 12 16:34:11 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lorenzo Bianconi X-Patchwork-Id: 12847908
From: Lorenzo Bianconi To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com, pablo@netfilter.org, fw@strlen.de, netfilter-devel@vger.kernel.org, lorenzo.bianconi@redhat.com, brouer@redhat.com, toke@redhat.com, memxor@gmail.com Subject: [PATCH v2 bpf-next 2/2] selftests/bpf: add selftest for bpf_ct_refresh_timeout kfunc Date: Thu, 12 May 2022 18:34:11 +0200 Message-Id: <4841edea5de2ce5898092c057f61d45dec3d9a34.1652372970.git.lorenzo@kernel.org> X-Mailer: git-send-email 2.35.3 In-Reply-To: References: MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: bpf@iogearbox.net Install a new ct entry in order to perform a successful lookup and test bpf_ct_refresh_timeout kfunc helper. Signed-off-by: Lorenzo Bianconi --- .../testing/selftests/bpf/prog_tests/bpf_nf.c | 10 +++++++++ .../testing/selftests/bpf/progs/test_bpf_nf.c | 22 +++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c index dd30b1e3a67c..285687d2f7b3 100644 --- a/tools/testing/selftests/bpf/prog_tests/bpf_nf.c +++ b/tools/testing/selftests/bpf/prog_tests/bpf_nf.c
@@ -18,6 +18,13 @@ void test_bpf_nf_ct(int mode) .repeat = 1, ); + /* Flush previous nft ct entries */ + ASSERT_OK(system("conntrack -F"), "flush ct entries"); + /* Let's create a nft ct entry to perform lookup */ + ASSERT_OK(system("conntrack -I -s 1.1.1.1 -d 2.2.2.2 --protonum 6 \ + --state ESTABLISHED --timeout 3600 --sport 12345 \ + --dport 1000 --zone 0"), "create ct entry"); + skel = test_bpf_nf__open_and_load(); if (!ASSERT_OK_PTR(skel, "test_bpf_nf__open_and_load")) return; @@ -39,6 +46,9 @@ void test_bpf_nf_ct(int mode) ASSERT_EQ(skel->bss->test_enonet_netns_id, -ENONET, "Test ENONET for bad but valid netns_id"); ASSERT_EQ(skel->bss->test_enoent_lookup, -ENOENT, "Test ENOENT for failed lookup"); ASSERT_EQ(skel->bss->test_eafnosupport, -EAFNOSUPPORT, "Test EAFNOSUPPORT for invalid len__tuple"); + ASSERT_EQ(skel->bss->test_succ_lookup, 0, "Test for successful lookup"); + ASSERT_EQ(skel->bss->test_delta_timeout, 10, "Test for ct timeout update"); + end: test_bpf_nf__destroy(skel); } diff --git a/tools/testing/selftests/bpf/progs/test_bpf_nf.c b/tools/testing/selftests/bpf/progs/test_bpf_nf.c index f00a9731930e..3eb36679a0b5 100644 --- a/tools/testing/selftests/bpf/progs/test_bpf_nf.c +++ b/tools/testing/selftests/bpf/progs/test_bpf_nf.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0 #include #include +#include #define EAFNOSUPPORT 97 #define EPROTO 71 @@ -8,6 +9,8 @@ #define EINVAL 22 #define ENOENT 2 +extern unsigned long CONFIG_HZ __kconfig; + int test_einval_bpf_tuple = 0; int test_einval_reserved = 0; int test_einval_netns_id = 0; @@ -16,6 +19,8 @@ int test_eproto_l4proto = 0; int test_enonet_netns_id = 0; int test_enoent_lookup = 0; int test_eafnosupport = 0; +int test_succ_lookup = 0; +u32 test_delta_timeout = 0; struct nf_conn; 
@@ -31,6 +36,7 @@ struct nf_conn *bpf_xdp_ct_lookup(struct xdp_md *, struct bpf_sock_tuple *, u32, struct nf_conn *bpf_skb_ct_lookup(struct __sk_buff *, struct bpf_sock_tuple *, u32, struct bpf_ct_opts___local *, u32) __ksym; void bpf_ct_release(struct nf_conn *) __ksym; +void bpf_ct_refresh_timeout(struct nf_conn *, u32) __ksym; static __always_inline void nf_ct_test(struct nf_conn *(*func)(void *, struct bpf_sock_tuple *, u32, @@ -99,6 +105,22 @@ nf_ct_test(struct nf_conn *(*func)(void *, struct bpf_sock_tuple *, u32, bpf_ct_release(ct); else test_eafnosupport = opts_def.error; + + bpf_tuple.ipv4.saddr = 0x01010101; /* src IP 1.1.1.1 */ + bpf_tuple.ipv4.daddr = 0x02020202; /* dst IP 2.2.2.2 */ + bpf_tuple.ipv4.sport = bpf_htons(12345); /* src port */ + bpf_tuple.ipv4.dport = bpf_htons(1000); /* dst port */ + ct = func(ctx, &bpf_tuple, sizeof(bpf_tuple.ipv4), &opts_def, + sizeof(opts_def)); + if (ct) { + /* update ct entry timeout */ + bpf_ct_refresh_timeout(ct, 10000); + test_delta_timeout = ct->timeout - bpf_jiffies64(); + test_delta_timeout /= CONFIG_HZ; + bpf_ct_release(ct); + } else { + test_succ_lookup = opts_def.error; + } } SEC("xdp")
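Review bot: In patch 1/2, net/netfilter/nf_conntrack_bpf.c, bpf_ct_refresh_timeout() passes the program-supplied u32 straight to msecs_to_jiffies() with no upper bound and no handling of 0, so any XDP or TC program holding a referenced nf_conn can set an arbitrary lifetime on the entry. Either clamp the value or state the accepted range in the kernel-doc. In the same hunk the comment documents @nf_conn while the parameter is named nfct, and the two added lines "BTF_ID(func, bpf_ct_refresh_timeout);" end with a semicolon that the neighbouring BTF_ID entries do not have.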
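Review bot: In patch 1/2, net/netfilter/nf_conntrack_core.c (hunk at -2030,16), nf_ct_refresh_timeout() returns early when IPS_FIXED_TIMEOUT_BIT is set and is declared void, as is the kfunc that wraps it, so a BPF caller cannot tell that its refresh was ignored. Consider returning an int (for example 0 on update and a negative errno when the timeout is fixed) and propagating it from bpf_ct_refresh_timeout(). The new non-static function is also left without a comment, since "Refresh conntrack for this many jiffies ..." moved to __nf_ct_refresh_acct(); a short comment saying that extra_jiffies is relative and that fixed-timeout entries are left untouched would help callers.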
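Review bot: In patch 2/2, tools/testing/selftests/bpf/prog_tests/bpf_nf.c (hunk at -18,6), system("conntrack -F") flushes every conntrack entry visible to the test process, which on a shared or developer machine drops state for unrelated live connections unless the test already runs in its own network namespace. Creating a dedicated netns for the test, or deleting only the 1.1.1.1 -> 2.2.2.2 entry, would avoid that. The inserted entry is also never removed at the end: label, the test now depends on the conntrack userspace tool being installed, and the comments say "nft ct entries" although the tool used is conntrack.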
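Review bot: In patch 2/2, tools/testing/selftests/bpf/progs/test_bpf_nf.c (hunk at -99,6), "test_delta_timeout = ct->timeout - bpf_jiffies64(); test_delta_timeout /= CONFIG_HZ;" truncates toward zero, so if one jiffy elapses between the refresh and the read the result is 9 and the userspace check ASSERT_EQ(skel->bss->test_delta_timeout, 10, ...) fails intermittently. Asserting a small range (for example greater than 8 and at most 10) would make the test stable. The else branch stores opts_def.error in test_succ_lookup, which is fine, but when the lookup fails test_delta_timeout stays 0 and both assertions fire; a comment noting that dependency would make failures easier to read.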