[bpf-next,v3,0/6] Support defragmenting IPv(4|6) packets in BPF

Message ID	cover.1688748455.git.dxu@dxuuu.xyz
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Feedback-ID: i6a694271:Fastmail From: Daniel Xu <dxu@dxuuu.xyz> To: linux-kselftest@vger.kernel.org, netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org, coreteam@netfilter.org, bpf@vger.kernel.org, netdev@vger.kernel.org, fw@strlen.de, daniel@iogearbox.net Cc: dsahern@kernel.org Subject: [PATCH bpf-next v3 0/6] Support defragmenting IPv(4\|6) packets in BPF Date: Fri, 7 Jul 2023 10:50:15 -0600 Message-ID: <cover.1688748455.git.dxu@dxuuu.xyz> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Support defragmenting IPv(4\|6) packets in BPF \| [bpf-next,v3,0/6] Support defragmenting IPv(4\|6) packets in BPF [bpf-next,v3,1/6] netfilter: defrag: Add glue hooks for enabling/disabling defrag [bpf-next,v3,2/6] netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link [bpf-next,v3,3/6] netfilter: bpf: Prevent defrag module unload while link active [bpf-next,v3,4/6] bpf: selftests: Support not connecting client socket [bpf-next,v3,5/6] bpf: selftests: Support custom type and proto for client sockets [bpf-next,v3,6/6] bpf: selftests: Add defrag selftests

Message ID

cover.1688748455.git.dxu@dxuuu.xyz

Headers

Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Feedback-ID: i6a694271:Fastmail
From: Daniel Xu <dxu@dxuuu.xyz>
To: linux-kselftest@vger.kernel.org, netfilter-devel@vger.kernel.org,
        linux-kernel@vger.kernel.org, coreteam@netfilter.org,
        bpf@vger.kernel.org, netdev@vger.kernel.org, fw@strlen.de,
        daniel@iogearbox.net
Cc: dsahern@kernel.org
Subject: [PATCH bpf-next v3 0/6] Support defragmenting IPv(4|6) packets in BPF
Date: Fri,  7 Jul 2023 10:50:15 -0600
Message-ID: <cover.1688748455.git.dxu@dxuuu.xyz>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Support defragmenting IPv(4|6) packets in BPF |

Message

Daniel Xu July 7, 2023, 4:50 p.m. UTC

  === Context ===

In the context of a middlebox, fragmented packets are tricky to handle.
The full 5-tuple of a packet is often only available in the first
fragment which makes enforcing consistent policy difficult. There are
really only two stateless options, neither of which are very nice:

1. Enforce policy on first fragment and accept all subsequent fragments.
   This works but may let in certain attacks or allow data exfiltration.

2. Enforce policy on first fragment and drop all subsequent fragments.
   This does not really work b/c some protocols may rely on
   fragmentation. For example, DNS may rely on oversized UDP packets for
   large responses.

So stateful tracking is the only sane option. RFC 8900 [0] calls this
out as well in section 6.3:

    Middleboxes [...] should process IP fragments in a manner that is
    consistent with [RFC0791] and [RFC8200]. In many cases, middleboxes
    must maintain state in order to achieve this goal.

=== BPF related bits ===

Policy has traditionally been enforced from XDP/TC hooks. Both hooks
run before kernel reassembly facilities. However, with the new
BPF_PROG_TYPE_NETFILTER, we can rather easily hook into existing
netfilter reassembly infra.

The basic idea is we bump a refcnt on the netfilter defrag module and
then run the bpf prog after the defrag module runs. This allows bpf
progs to transparently see full, reassembled packets. The nice thing
about this is that progs don't have to carry around logic to detect
fragments.

=== Changelog ===

Changes from v2:

* module_put() if ->enable() fails
* Fix CI build errors

Changes from v1:

* Drop bpf_program__attach_netfilter() patches
* static -> static const where appropriate
* Fix callback assignment order during registration
* Only request_module() if callbacks are missing
* Fix retval when modprobe fails in userspace
* Fix v6 defrag module name (nf_defrag_ipv6_hooks -> nf_defrag_ipv6)
* Simplify priority checking code
* Add warning if module doesn't assign callbacks in the future
* Take refcnt on module while defrag link is active


[0]: https://datatracker.ietf.org/doc/html/rfc8900


Daniel Xu (6):
  netfilter: defrag: Add glue hooks for enabling/disabling defrag
  netfilter: bpf: Support BPF_F_NETFILTER_IP_DEFRAG in netfilter link
  netfilter: bpf: Prevent defrag module unload while link active
  bpf: selftests: Support not connecting client socket
  bpf: selftests: Support custom type and proto for client sockets
  bpf: selftests: Add defrag selftests

 include/linux/netfilter.h                     |  15 +
 include/uapi/linux/bpf.h                      |   5 +
 net/ipv4/netfilter/nf_defrag_ipv4.c           |  17 +-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c     |  11 +
 net/netfilter/core.c                          |   6 +
 net/netfilter/nf_bpf_link.c                   | 150 +++++++++-
 tools/include/uapi/linux/bpf.h                |   5 +
 tools/testing/selftests/bpf/Makefile          |   4 +-
 .../selftests/bpf/generate_udp_fragments.py   |  90 ++++++
 .../selftests/bpf/ip_check_defrag_frags.h     |  57 ++++
 tools/testing/selftests/bpf/network_helpers.c |  26 +-
 tools/testing/selftests/bpf/network_helpers.h |   3 +
 .../bpf/prog_tests/ip_check_defrag.c          | 282 ++++++++++++++++++
 .../selftests/bpf/progs/ip_check_defrag.c     | 104 +++++++
 14 files changed, 753 insertions(+), 22 deletions(-)
 create mode 100755 tools/testing/selftests/bpf/generate_udp_fragments.py
 create mode 100644 tools/testing/selftests/bpf/ip_check_defrag_frags.h
 create mode 100644 tools/testing/selftests/bpf/prog_tests/ip_check_defrag.c
 create mode 100644 tools/testing/selftests/bpf/progs/ip_check_defrag.c