| Message ID | 20221224000402.476079-1-qde@naccy.de |
|---|---|
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a05:6000:1b02:0:0:0:0 with SMTP id f2csp40304wrz;
Fri, 23 Dec 2022 16:05:37 -0800 (PST)
X-Google-Smtp-Source:
AMrXdXvix1wO9+jHrGHdBZ3k9gflb+XiClBdINxBk1IZz17O4xG/IpxnMG2QGProETv0kyHIBbSO
X-Received: by 2002:a05:6a21:3944:b0:a3:754c:2769 with SMTP id
ac4-20020a056a21394400b000a3754c2769mr14419462pzc.40.1671840337569;
Fri, 23 Dec 2022 16:05:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671840337; cv=none;
d=google.com; s=arc-20160816;
b=Ao2Bdvoh+hGQLAoFiJXUT/iVTBqhywrwipi9gkfI6xei8dfXRFBz7zZDWLbv4r5gun
bfaeLlUI0LVTh5IguN8TKWIj2YYW+ji4qmWVYY2gtaceLGAH2od7CLIgS+B1sKpjlt2/
3QyjOTAzJXR3f79geFcuTiSNGTqQXPt4692rt7pse0CCHDTnR9wf+w+WTy630XSEuCK8
5FljzlkQ95EHeG48zrrurkQwH9ivmWDVJ4Qm18F1KbipFSiVCyL55AxqAxJvn9l/g9IZ
4uwUdQtc2+7VacFgkF3ZPlT6Qd1NBUoIbl+topH9Fw9Bf9D7lKPX5Ae9ACwiaZKdhoJ3
IATw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=BwB5we/ouXpBzd2mbWLg4nFn2qfYTrcG0lFZXsS909Q=;
b=sovHlJPlHvkIIpeIG6ecPxIae3KtuJLfYK/H5uGxNiaZ/OM+oXYmxHj2tiQB7xb7pG
MeWRmO534adb6bsybN6CF87+XkZYp3p/bzykMSXXlcmGL3ONH3DLKB+F9tz0qloMS5nU
5ceNCFg7RvG0xAZyyQr+Q15OM0VI8ASMnxXOnqi53Dz6jy9hOOOq2nQDbMswNavqdoe7
1YAXKdCVMxOzDrrH3MeH9zLudzkuwV26iPVF73Pu4H8Z8BGTFr6toSDZPIZwDCMEUJVd
Upxkauj7XYGrUA/MoI6RxHgnTAlEBh7rjLiwT5nuPpLhmhVBmdYwM95h5pRJ+hY7tZ3h
JW7A==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
bm4-20020a656e84000000b004787bc1b47asi5121056pgb.805.2022.12.23.16.05.20;
Fri, 23 Dec 2022 16:05:37 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233459AbiLXAEi (ORCPT <rfc822;pacteraone@gmail.com> + 99 others);
Fri, 23 Dec 2022 19:04:38 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36710 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230312AbiLXAEa (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 23 Dec 2022 19:04:30 -0500
Received: from smtpout13.r2.mail-out.ovh.net (smtpout13.r2.mail-out.ovh.net
[54.36.141.13])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 000A4165AB
for <linux-kernel@vger.kernel.org>;
Fri, 23 Dec 2022 16:04:28 -0800 (PST)
Received: from ex4.mail.ovh.net (unknown [10.110.103.49])
by mo512.mail-out.ovh.net (Postfix) with ESMTPS id 21A34248A2;
Sat, 24 Dec 2022 00:04:25 +0000 (UTC)
Received: from dev-fedora-x86-64.naccy.de (37.65.8.229) by
DAG10EX1.indiv4.local (172.16.2.91) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.1.2507.16; Sat, 24 Dec 2022 01:04:24 +0100
From: Quentin Deslandes <qde@naccy.de>
To: <qde@naccy.de>
CC: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>, Yonghong Song <yhs@fb.com>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@google.com>,
Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Mykola Lysenko <mykolal@fb.com>, Shuah Khan <shuah@kernel.org>,
Dmitrii Banshchikov <me@ubique.spb.ru>,
<linux-kernel@vger.kernel.org>, <bpf@vger.kernel.org>,
<linux-kselftest@vger.kernel.org>, <netdev@vger.kernel.org>,
Kernel Team <kernel-team@meta.com>
Subject: [PATCH bpf-next v3 00/16] bpfilter
Date: Sat, 24 Dec 2022 01:03:46 +0100
Message-ID: <20221224000402.476079-1-qde@naccy.de>
X-Mailer: git-send-email 2.38.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
X-Originating-IP: [37.65.8.229]
X-ClientProxiedBy: CAS6.indiv4.local (172.16.1.6) To DAG10EX1.indiv4.local
(172.16.2.91)
X-Ovh-Tracer-Id: 4758897435487366775
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: -85
X-VR-SPAMCAUSE:
gggruggvucftvghtrhhoucdtuddrgedvhedrheefgddujecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemucehtddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenogetfedtuddqtdduucdludehmdenucfjughrpefhvfevufffkffoggfgtghisehtkeertdertddtnecuhfhrohhmpefsuhgvnhhtihhnucffvghslhgrnhguvghsuceoqhguvgesnhgrtggthidruggvqeenucggtffrrghtthgvrhhnpeejgeehueefjeeihfeugefftdehtdeikeduvdettefgieekffekuefgveekgedvheenucffohhmrghinhepkhgvrhhnvghlrdhorhhgpdhusghunhhtuhdrtghomhenucfkphepuddvjedrtddrtddruddpfeejrdeihedrkedrvddvleenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeduvdejrddtrddtrddupdhmrghilhhfrhhomhepoehquggvsehnrggttgihrdguvgeqpdhnsggprhgtphhtthhopedupdhrtghpthhtohepjhholhhsrgeskhgvrhhnvghlrdhorhhgpdhlihhnuhigqdhkshgvlhhfthgvshhtsehvghgvrhdrkhgvrhhnvghlrdhorhhgpdgsphhfsehvghgvrhdrkhgvrhhnvghlrdhorhhgpdhlihhnuhigqdhkvghrnhgvlhesvhhgvghrrdhkvghrnhgvlhdrohhrghdpmhgvsehusghiqhhuvgdrshhpsgdrrhhupdhshhhurghhsehkvghrnhgvlhdrohhrghdpmhihkhholhgrlhesfh
gsrdgtohhmpdhprggsvghnihesrhgvughhrghtrdgtohhmpdhkuhgsrgeskhgvrhhnvghlrdhorhhgpdgvughumhgriigvthesghhoohhglhgvrdgtohhmpdgurghvvghmsegurghvvghmlhhofhhtrdhnvghtpdhkvghrnhgvlhdqthgvrghmsehmvghtrgdrtghomhdphhgrohhluhhosehgohhoghhlvgdrtghomhdpshgufhesghhoohhglhgvrdgtohhmpdhkphhsihhnghhhsehkvghrnhgvlhdrohhrghdpjhhohhhnrdhfrghsthgrsggvnhgusehgmhgrihhlrdgtohhmpdihhhhssehfsgdrtghomhdpshhonhhgsehkvghrnhgvlhdrohhrghdpmhgrrhhtihhnrdhlrghusehlihhnuhigrdguvghvpdgrnhgurhhiiheskhgvrhhnvghlrdhorhhgpdgurghnihgvlhesihhoghgvrghrsghogidrnhgvthdprghstheskhgvrhhnvghlrdhorhhgpdhnvghtuggvvhesvhhgvghrrdhkvghrnhgvlhdrohhrghdpoffvtefjohhsthepmhhoheduvddpmhhouggvpehsmhhtphhouhht
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE,
SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1753051653774931554?=
X-GMAIL-MSGID: =?utf-8?q?1753051653774931554?=
|
| Series |
bpfilter
|
|
Message
Quentin Deslandes
Dec. 24, 2022, 12:03 a.m. UTC
The patchset is based on the patches from David S. Miller [1],
Daniel Borkmann [2], and Dmitrii Banshchikov [3].
Note: I've partially sent this patchset earlier due to a
mistake on my side, sorry for then noise.
The main goal of the patchset is to prepare bpfilter for
iptables' configuration blob parsing and code generation.
The patchset introduces data structures and code for matches,
targets, rules and tables. Beside that the code generation
is introduced.
The first version of the code generation supports only "inline"
mode - all chains and their rules emit instructions in linear
approach.
Things that are not implemented yet:
1) The process of switching from the previous BPF programs to the
new set isn't atomic.
2) No support of device ifindex - it's hardcoded
3) No helper subprog for counters update
Another problem is using iptables' blobs for tests and filter
table initialization. While it saves lines something more
maintainable should be done here.
The plan for the next iteration:
1) Add a helper program for counters update
2) Handle ifindex
Patches 1/2 adds definitions of the used types.
Patch 3 adds logging to bpfilter.
Patch 4 adds an associative map.
Patch 5 add runtime context structure.
Patches 6/7 add code generation infrastructure and TC code generator.
Patches 8/9/10/11/12 add code for matches, targets, rules and table.
Patch 13 adds code generation for table.
Patch 14 handles hooked setsockopt(2) calls.
Patch 15 adds filter table
Patch 16 uses prepared code in main().
Due to poor hardware availability on my side, I've not been able to
benchmark those changes. I plan to get some numbers for the next iteration.
FORWARD filter chain is now supported, however, it's attached to
TC INGRESS along with INPUT filter chain. This is due to XDP not supporting
multiple programs to be attached. I could generate a single program
out of both INPUT and FORWARD chains, but that would prevent another
BPF program to be attached to the interface anyway. If a solution
exists to attach both those programs to XDP while allowing for other
programs to be attached, it requires more investigation. In the meantime,
INPUT and FORWARD filtering is supported using TC.
Most of the code in this series was written by Dmitrii Banshchikov,
my changes are limited to v3. I've tried to reflect this fact in the
commits by adding 'Co-developed-by:' and 'Signed-off-by:' for Dmitrii,
please tell me this was done the wrong way.
v2 -> v3
Chains:
* Add support for FORWARD filter chain.
* Add generation of BPF bytecode to assess whether a packet should be
forwarded or not, using bpf_fib_lookup().
* Allow for multiple programs to be attached to TC.
* Allow for multiple TC hooks to be used.
Code generation:
* Remove duplicated BPF bytecode generation.
* Fix a bug regarding jump offset during generation.
* Remove support for XDP from the series, as it's not currently
used.
Table:
* Add new filter_table_update_counters() virtual call. It updates
the table's counter stored in the ipt_entry structure. This way,
when iptables tries to fetch the values of the counters, bpfilter only
has to copy the ipt_entry cached in the table structure.
Logging:
* Refactor logging primitives.
Sockopts:
* Add support for userspace counters querying.
Rule:
* Store the rule's index inside struct rule, to each counters'
map usage.
v1 -> v2
Maps:
* Use map_upsert instead of separate map_insert and map_update
Matches:
* Add a new virtual call - gen_inline. The call is used for
* inline generating of a rule's match.
Targets:
* Add a new virtual call - gen_inline. The call is used for inline
generating of a rule's target.
Rules:
* Add code generation for rules
Table:
* Add struct table_ops
* Add map for table_ops
* Add filter table
* Reorganize the way filter table is initialized
Sockopts:
* Install/uninstall BPF programs while handling
IPT_SO_SET_REPLACE
Code generation:
* Add first version of the code generation
Dependencies:
* Add libbpf
v0 -> v1
IO:
* Use ssize_t in pvm_read, pvm_write for total_bytes
* Move IO functions into sockopt.c and main.c
Logging:
* Use LOGLEVEL_EMERG, LOGLEVEL_NOTICE, LOGLEVE_DEBUG
while logging to /dev/kmsg
* Prepend log message with <n> where n is log level
* Conditionally enable BFLOG_DEBUG messages
* Merge bflog.{h,c} into context.h
Matches:
* Reorder fields in struct match_ops for tight packing
* Get rid of struct match_ops_map
* Rename udp_match_ops to xt_udp
* Use XT_ALIGN macro
* Store payload size in match size
* Move udp match routines into a separate file
Targets:
* Reorder fields in struct target_ops for tight packing
* Get rid of struct target_ops_map
* Add comments for convert_verdict function
Rules:
* Add validation
Tables:
* Combine table_map and table_list into table_index
* Add validation
Sockopts:
* Handle IPT_SO_GET_REVISION_TARGET
1. https://lore.kernel.org/patchwork/patch/902785/
2. https://lore.kernel.org/patchwork/patch/902783/
3. https://kernel.ubuntu.com/~cking/stress-ng/stress-ng.pdf
Quentin Deslandes (16):
bpfilter: add types for usermode helper
tools: add bpfilter usermode helper header
bpfilter: add logging facility
bpfilter: add map container
bpfilter: add runtime context
bpfilter: add BPF bytecode generation infrastructure
bpfilter: add support for TC bytecode generation
bpfilter: add match structure
bpfilter: add support for src/dst addr and ports
bpfilter: add target structure
bpfilter: add rule structure
bpfilter: add table structure
bpfilter: add table code generation
bpfilter: add setsockopt() support
bpfilter: add filter table
bpfilter: handle setsockopt() calls
include/uapi/linux/bpfilter.h | 154 +++
net/bpfilter/Makefile | 16 +-
net/bpfilter/codegen.c | 1040 +++++++++++++++++
net/bpfilter/codegen.h | 183 +++
net/bpfilter/context.c | 168 +++
net/bpfilter/context.h | 24 +
net/bpfilter/filter-table.c | 344 ++++++
net/bpfilter/filter-table.h | 18 +
net/bpfilter/logger.c | 52 +
net/bpfilter/logger.h | 80 ++
net/bpfilter/main.c | 132 ++-
net/bpfilter/map-common.c | 51 +
net/bpfilter/map-common.h | 19 +
net/bpfilter/match.c | 55 +
net/bpfilter/match.h | 37 +
net/bpfilter/rule.c | 286 +++++
net/bpfilter/rule.h | 37 +
net/bpfilter/sockopt.c | 533 +++++++++
net/bpfilter/sockopt.h | 15 +
net/bpfilter/table.c | 391 +++++++
net/bpfilter/table.h | 59 +
net/bpfilter/target.c | 203 ++++
net/bpfilter/target.h | 57 +
net/bpfilter/xt_udp.c | 111 ++
tools/include/uapi/linux/bpfilter.h | 175 +++
.../testing/selftests/bpf/bpfilter/.gitignore | 8 +
tools/testing/selftests/bpf/bpfilter/Makefile | 57 +
.../selftests/bpf/bpfilter/bpfilter_util.h | 80 ++
.../selftests/bpf/bpfilter/test_codegen.c | 338 ++++++
.../testing/selftests/bpf/bpfilter/test_map.c | 63 +
.../selftests/bpf/bpfilter/test_match.c | 69 ++
.../selftests/bpf/bpfilter/test_rule.c | 56 +
.../selftests/bpf/bpfilter/test_target.c | 83 ++
.../selftests/bpf/bpfilter/test_xt_udp.c | 48 +
34 files changed, 4999 insertions(+), 43 deletions(-)
create mode 100644 net/bpfilter/codegen.c
create mode 100644 net/bpfilter/codegen.h
create mode 100644 net/bpfilter/context.c
create mode 100644 net/bpfilter/context.h
create mode 100644 net/bpfilter/filter-table.c
create mode 100644 net/bpfilter/filter-table.h
create mode 100644 net/bpfilter/logger.c
create mode 100644 net/bpfilter/logger.h
create mode 100644 net/bpfilter/map-common.c
create mode 100644 net/bpfilter/map-common.h
create mode 100644 net/bpfilter/match.c
create mode 100644 net/bpfilter/match.h
create mode 100644 net/bpfilter/rule.c
create mode 100644 net/bpfilter/rule.h
create mode 100644 net/bpfilter/sockopt.c
create mode 100644 net/bpfilter/sockopt.h
create mode 100644 net/bpfilter/table.c
create mode 100644 net/bpfilter/table.h
create mode 100644 net/bpfilter/target.c
create mode 100644 net/bpfilter/target.h
create mode 100644 net/bpfilter/xt_udp.c
create mode 100644 tools/include/uapi/linux/bpfilter.h
create mode 100644 tools/testing/selftests/bpf/bpfilter/.gitignore
create mode 100644 tools/testing/selftests/bpf/bpfilter/Makefile
create mode 100644 tools/testing/selftests/bpf/bpfilter/bpfilter_util.h
create mode 100644 tools/testing/selftests/bpf/bpfilter/test_codegen.c
create mode 100644 tools/testing/selftests/bpf/bpfilter/test_map.c
create mode 100644 tools/testing/selftests/bpf/bpfilter/test_match.c
create mode 100644 tools/testing/selftests/bpf/bpfilter/test_rule.c
create mode 100644 tools/testing/selftests/bpf/bpfilter/test_target.c
create mode 100644 tools/testing/selftests/bpf/bpfilter/test_xt_udp.c
--
2.38.1
Comments
On Sat, Dec 24, 2022 at 01:03:46AM +0100, Quentin Deslandes wrote: > > Due to poor hardware availability on my side, I've not been able to > benchmark those changes. I plan to get some numbers for the next iteration. Yeah. Performance numbers would be my main question :) > FORWARD filter chain is now supported, however, it's attached to > TC INGRESS along with INPUT filter chain. This is due to XDP not supporting > multiple programs to be attached. I could generate a single program > out of both INPUT and FORWARD chains, but that would prevent another > BPF program to be attached to the interface anyway. If a solution > exists to attach both those programs to XDP while allowing for other > programs to be attached, it requires more investigation. In the meantime, > INPUT and FORWARD filtering is supported using TC. I think we can ignore XDP chaining for now assuming that Daniel's bpf_link-tc work will be applicable to XDP as well, so we'll have a simple chaining for XDP eventually. As far as attaching to TC... I think it would be great to combine bpfilter codegen and attach to Florian's bpf hooks exactly at netfilter. See https://git.breakpoint.cc/cgit/fw/nf-next.git/commit/?h=nf_hook_jit_bpf_29&id=0c1ec06503cb8a142d3ad9f760b72d94ea0091fa With nf_hook_ingress() calling either into classic iptable or into bpf_prog_run_nf which is either generated by Florian's optimizer of nf chains or into bpfilter generated code would be ideal.
Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > codegen and attach to Florian's bpf hooks exactly at netfilter. > See > https://git.breakpoint.cc/cgit/fw/nf-next.git/commit/?h=nf_hook_jit_bpf_29&id=0c1ec06503cb8a142d3ad9f760b72d94ea0091fa FWIW I plan to submit this patchset for 6.2.
Quentin Deslandes <qde@naccy.de> wrote: > The patchset is based on the patches from David S. Miller [1], > Daniel Borkmann [2], and Dmitrii Banshchikov [3]. > > Note: I've partially sent this patchset earlier due to a > mistake on my side, sorry for then noise. > > The main goal of the patchset is to prepare bpfilter for > iptables' configuration blob parsing and code generation. > > The patchset introduces data structures and code for matches, > targets, rules and tables. Beside that the code generation > is introduced. > > The first version of the code generation supports only "inline" > mode - all chains and their rules emit instructions in linear > approach. > > Things that are not implemented yet: > 1) The process of switching from the previous BPF programs to the > new set isn't atomic. You can't make this atomic from userspace perspective, the get/setsockopt API of iptables uses a read-modify-write model. Tentatively I'd try to extend libnftnl and generate bpf code there, since its used by both iptables(-nft) and nftables we'd automatically get support for both. I was planning to look into "attach bpf progs to raw netfilter hooks" in Q1 2023, once the initial nf-bpf-codegen is merged.
Le 27/12/2022 à 19:22, Alexei Starovoitov a écrit : > On Sat, Dec 24, 2022 at 01:03:46AM +0100, Quentin Deslandes wrote: >> >> Due to poor hardware availability on my side, I've not been able to >> benchmark those changes. I plan to get some numbers for the next iteration. > > Yeah. Performance numbers would be my main question :) Hardware is on the way! :) >> FORWARD filter chain is now supported, however, it's attached to >> TC INGRESS along with INPUT filter chain. This is due to XDP not supporting >> multiple programs to be attached. I could generate a single program >> out of both INPUT and FORWARD chains, but that would prevent another >> BPF program to be attached to the interface anyway. If a solution >> exists to attach both those programs to XDP while allowing for other >> programs to be attached, it requires more investigation. In the meantime, >> INPUT and FORWARD filtering is supported using TC. > > I think we can ignore XDP chaining for now assuming that Daniel's bpf_link-tc work > will be applicable to XDP as well, so we'll have a simple chaining > for XDP eventually. > > As far as attaching to TC... I think it would be great to combine bpfilter > codegen and attach to Florian's bpf hooks exactly at netfilter. > See > https://git.breakpoint.cc/cgit/fw/nf-next.git/commit/?h=nf_hook_jit_bpf_29&id=0c1ec06503cb8a142d3ad9f760b72d94ea0091fa > With nf_hook_ingress() calling either into classic iptable or into bpf_prog_run_nf > which is either generated by Florian's optimizer of nf chains or into > bpfilter generated code would be ideal. That sounds interesting. If my understanding is correct, Florian's work doesn't yet allow for userspace-generated programs to be attached, which will be required for bpfilter.
Le 03/01/2023 à 12:45, Florian Westphal a écrit : > Quentin Deslandes <qde@naccy.de> wrote: >> The patchset is based on the patches from David S. Miller [1], >> Daniel Borkmann [2], and Dmitrii Banshchikov [3]. >> >> Note: I've partially sent this patchset earlier due to a >> mistake on my side, sorry for then noise. >> >> The main goal of the patchset is to prepare bpfilter for >> iptables' configuration blob parsing and code generation. >> >> The patchset introduces data structures and code for matches, >> targets, rules and tables. Beside that the code generation >> is introduced. >> >> The first version of the code generation supports only "inline" >> mode - all chains and their rules emit instructions in linear >> approach. >> >> Things that are not implemented yet: >> 1) The process of switching from the previous BPF programs to the >> new set isn't atomic. > > You can't make this atomic from userspace perspective, the > get/setsockopt API of iptables uses a read-modify-write model. This refers to updating the programs from bpfilter's side. It won't be atomic from iptables point of view, but currently bpfilter will remove the program associated to a table, before installing the new one. This means packets received in between those operations are not filtered. I assume a better solution is possible. > Tentatively I'd try to extend libnftnl and generate bpf code there, > since its used by both iptables(-nft) and nftables we'd automatically > get support for both. That's one of the option, this could also remain in the kernel tree or in a dedicated git repository. I don't know which one would be the best, I'm open to suggestions. > I was planning to look into "attach bpf progs to raw netfilter hooks" > in Q1 2023, once the initial nf-bpf-codegen is merged. Is there any plan to support non raw hooks? That's mainly out of curiosity, I don't even know whether that would be a good thing or not.
Quentin Deslandes <qde@naccy.de> wrote: > That sounds interesting. If my understanding is correct, Florian's > work doesn't yet allow for userspace-generated programs to be attached, > which will be required for bpfilter. Yes, but I started working on the attachment side. It doesn't depend on the nf-bpf generator patch set. I think I can share PoC/RFC draft next week.
Quentin Deslandes <qde@naccy.de> wrote: > Le 03/01/2023 à 12:45, Florian Westphal a écrit : > > You can't make this atomic from userspace perspective, the > > get/setsockopt API of iptables uses a read-modify-write model. > > This refers to updating the programs from bpfilter's side. It won't > be atomic from iptables point of view, but currently bpfilter will > remove the program associated to a table, before installing the new > one. This means packets received in between those operations are > not filtered. I assume a better solution is possible. Ah, I see, thanks. > > Tentatively I'd try to extend libnftnl and generate bpf code there, > > since its used by both iptables(-nft) and nftables we'd automatically > > get support for both. > > That's one of the option, this could also remain in the kernel > tree or in a dedicated git repository. I don't know which one would > be the best, I'm open to suggestions. I can imagine that this will see a flurry of activity in the early phase so I think a 'semi test repo' makes sense. Provideded license allows this, useable bits and pieces can then be grafted on to libnftnl (or iptables or whatever). > > I was planning to look into "attach bpf progs to raw netfilter hooks" > > in Q1 2023, once the initial nf-bpf-codegen is merged. > > Is there any plan to support non raw hooks? That's mainly out > of curiosity, I don't even know whether that would be a good thing > or not. Not sure what 'non raw hook' is. Idea was to expose 1. protcocol family 2. hook number (prerouting, input etc) 3. priority to userspace via bpf syscall/bpf link. userspace would then provide the above info to kernel via bpf(... BPF_LINK_CREATE ) which would then end up doing: -------------- h.hook = nf_hook_run_bpf; // wrapper to call BPF_PROG_RUN h.priv = prog; // the bpf program to run h.pf = attr->netfilter.pf; h.priority = attr->netfilter.priority; h.hooknum = attr->netfilter.hooknum; nf_register_net_hook(net, &h); -------------- After that nf_hook_slow() calls the bpf program just like any other of the netfilter hooks. Does that make sense or did you have something else in mind?
On Thu, Jan 12, 2023 at 04:17:28AM +0100, Florian Westphal wrote: > Quentin Deslandes <qde@naccy.de> wrote: > > Le 03/01/2023 à 12:45, Florian Westphal a écrit : > > > You can't make this atomic from userspace perspective, the > > > get/setsockopt API of iptables uses a read-modify-write model. > > > > This refers to updating the programs from bpfilter's side. It won't > > be atomic from iptables point of view, but currently bpfilter will > > remove the program associated to a table, before installing the new > > one. This means packets received in between those operations are > > not filtered. I assume a better solution is possible. > > Ah, I see, thanks. > > > > Tentatively I'd try to extend libnftnl and generate bpf code there, > > > since its used by both iptables(-nft) and nftables we'd automatically > > > get support for both. > > > > That's one of the option, this could also remain in the kernel > > tree or in a dedicated git repository. I don't know which one would > > be the best, I'm open to suggestions. > > I can imagine that this will see a flurry of activity in the early > phase so I think a 'semi test repo' makes sense. > > Provideded license allows this, useable bits and pieces can then > be grafted on to libnftnl (or iptables or whatever). > > > > I was planning to look into "attach bpf progs to raw netfilter hooks" > > > in Q1 2023, once the initial nf-bpf-codegen is merged. > > > > Is there any plan to support non raw hooks? That's mainly out > > of curiosity, I don't even know whether that would be a good thing > > or not. > > Not sure what 'non raw hook' is. Idea was to expose > > 1. protcocol family > 2. hook number (prerouting, input etc) > 3. priority > > to userspace via bpf syscall/bpf link. > > userspace would then provide the above info to kernel via > bpf(... BPF_LINK_CREATE ) > > which would then end up doing: > -------------- > h.hook = nf_hook_run_bpf; // wrapper to call BPF_PROG_RUN > h.priv = prog; // the bpf program to run > h.pf = attr->netfilter.pf; > h.priority = attr->netfilter.priority; > h.hooknum = attr->netfilter.hooknum; > > nf_register_net_hook(net, &h); > -------------- > > After that nf_hook_slow() calls the bpf program just like any > other of the netfilter hooks. > > Does that make sense or did you have something else in mind? Sounds good to me. I thought you were referring to hooks available for the RAW table (as in `iptables --table raw...`). Thanks, Quentin