From patchwork Mon Dec 4 20:56:22 2023
X-Patchwork-Submitter: Daniel Xu
X-Patchwork-Id: 173557
hlfhhrohhmpegugihusegugihuuhhurdighiii X-ME-Proxy: Feedback-ID: i6a694271:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 4 Dec 2023 15:56:54 -0500 (EST) From: Daniel Xu To: ast@kernel.org, daniel@iogearbox.net, davem@davemloft.net, Herbert Xu , steffen.klassert@secunet.com, pabeni@redhat.com, hawk@kernel.org, john.fastabend@gmail.com, kuba@kernel.org, edumazet@google.com, antony.antony@secunet.com, alexei.starovoitov@gmail.com, yonghong.song@linux.dev, eddyz87@gmail.com Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, devel@linux-ipsec.org Subject: [PATCH bpf-next v4 02/10] bpf: xfrm: Add bpf_xdp_get_xfrm_state() kfunc Date: Mon, 4 Dec 2023 13:56:22 -0700 Message-ID: X-Mailer: git-send-email 2.42.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED, RCVD_IN_MSPIKE_H5,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Mon, 04 Dec 2023 12:57:13 -0800 (PST) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1784386352341107602 X-GMAIL-MSGID: 1784386352341107602 This commit adds an unstable kfunc helper to access internal xfrm_state associated with an SA. This is intended to be used for the upcoming IPsec pcpu work to assign special pcpu SAs to a particular CPU. In other words: for custom software RSS. That being said, the function that this kfunc wraps is fairly generic and used for a lot of xfrm tasks. I'm sure people will find uses elsewhere over time. Co-developed-by: Antony Antony Signed-off-by: Antony Antony 
Signed-off-by: Daniel Xu Acked-by: Steffen Klassert --- include/net/xfrm.h | 9 ++++ net/xfrm/xfrm_bpf.c | 102 +++++++++++++++++++++++++++++++++++++++++ net/xfrm/xfrm_policy.c | 2 + 3 files changed, 113 insertions(+) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index c9bb0f892f55..1d107241b901 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -2190,4 +2190,13 @@ static inline int register_xfrm_interface_bpf(void) #endif +#if IS_ENABLED(CONFIG_DEBUG_INFO_BTF) +int register_xfrm_state_bpf(void); +#else +static inline int register_xfrm_state_bpf(void) +{ + return 0; +} +#endif + #endif /* _NET_XFRM_H */ diff --git a/net/xfrm/xfrm_bpf.c b/net/xfrm/xfrm_bpf.c index 3d3018b87f96..3d6cac7345ca 100644 --- a/net/xfrm/xfrm_bpf.c +++ b/net/xfrm/xfrm_bpf.c @@ -6,9 +6,11 @@ */ #include +#include #include #include +#include #include #if IS_BUILTIN(CONFIG_XFRM_INTERFACE) || \ 
@@ -112,3 +114,103 @@ int __init register_xfrm_interface_bpf(void) } #endif /* xfrm interface */ + +/* bpf_xfrm_state_opts - Options for XFRM state lookup helpers + * + * Members: + * @error - Out parameter, set for any errors encountered + * Values: + * -EINVAL - netns_id is less than -1 + * -EINVAL - opts__sz isn't BPF_XFRM_STATE_OPTS_SZ + * -ENONET - No network namespace found for netns_id + * @netns_id - Specify the network namespace for lookup + * Values: + * BPF_F_CURRENT_NETNS (-1) + * Use namespace associated with ctx + * [0, S32_MAX] + * Network Namespace ID + * @mark - XFRM mark to match on + * @daddr - Destination address to match on + * @spi - Security parameter index to match on + * @proto - L3 protocol to match on + * @family - L3 protocol family to match on + */ +struct bpf_xfrm_state_opts { + s32 error; + s32 netns_id; + u32 mark; + xfrm_address_t daddr; + __be32 spi; + u8 proto; + u16 family; +}; + +enum { + BPF_XFRM_STATE_OPTS_SZ = sizeof(struct bpf_xfrm_state_opts), +}; + +__bpf_kfunc_start_defs(); + +/* bpf_xdp_get_xfrm_state - Get XFRM state + * + * Parameters: + * @ctx - Pointer to ctx (xdp_md) in XDP program + * Cannot be NULL + * @opts - Options for lookup (documented above) + * Cannot be NULL + * @opts__sz - Length of the bpf_xfrm_state_opts structure + * Must be BPF_XFRM_STATE_OPTS_SZ + */ +__bpf_kfunc struct xfrm_state * +bpf_xdp_get_xfrm_state(struct xdp_md *ctx, struct bpf_xfrm_state_opts *opts, u32 opts__sz) +{ + struct xdp_buff *xdp = (struct xdp_buff *)ctx; + struct net *net = dev_net(xdp->rxq->dev); + struct xfrm_state *x; + + if (!opts || opts__sz < sizeof(opts->error)) + return NULL; + + if (opts__sz != BPF_XFRM_STATE_OPTS_SZ) { + opts->error = -EINVAL; + return NULL; + } + + if (unlikely(opts->netns_id < BPF_F_CURRENT_NETNS)) { + opts->error = -EINVAL; + return NULL; + } + + if (opts->netns_id >= 0) { + net = get_net_ns_by_id(net, opts->netns_id); + if (unlikely(!net)) { + opts->error = -ENONET; + return NULL; + } + } + + x = 
xfrm_state_lookup(net, opts->mark, &opts->daddr, opts->spi, + opts->proto, opts->family); + + if (opts->netns_id >= 0) + put_net(net); + + return x; +} + +__bpf_kfunc_end_defs(); + +BTF_SET8_START(xfrm_state_kfunc_set) +BTF_ID_FLAGS(func, bpf_xdp_get_xfrm_state, KF_RET_NULL | KF_ACQUIRE) +BTF_SET8_END(xfrm_state_kfunc_set) + +static const struct btf_kfunc_id_set xfrm_state_xdp_kfunc_set = { + .owner = THIS_MODULE, + .set = &xfrm_state_kfunc_set, +}; + +int __init register_xfrm_state_bpf(void) +{ + return register_btf_kfunc_id_set(BPF_PROG_TYPE_XDP, + &xfrm_state_xdp_kfunc_set); +} diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index c13dc3ef7910..1b7e75159727 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -4218,6 +4218,8 @@ void __init xfrm_init(void) #ifdef CONFIG_XFRM_ESPINTCP espintcp_init(); #endif + + register_xfrm_state_bpf(); } #ifdef CONFIG_AUDITSYSCALL
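Review bot: In the include/net/xfrm.h hunk, the real prototype of register_xfrm_state_bpf() is selected by IS_ENABLED(CONFIG_DEBUG_INFO_BTF) alone, but the definition lives in net/xfrm/xfrm_bpf.c and the diffstat of this patch touches no Makefile or Kconfig. Please confirm that xfrm_bpf.c is compiled in every configuration where CONFIG_DEBUG_INFO_BTF is set, including builds where the condition of the existing `#if IS_BUILTIN(CONFIG_XFRM_INTERFACE) || \` block is false; otherwise the unconditional call added to xfrm_init() will not link. If the build rule is narrower than CONFIG_DEBUG_INFO_BTF, the header guard should use the same condition as the build rule.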
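Review bot: In the net/xfrm/xfrm_bpf.c hunk, bpf_xdp_get_xfrm_state() returns NULL without writing opts->error when xfrm_state_lookup() finds nothing, so the caller cannot tell a lookup miss from a stale error value it left in the struct, and the kdoc for @error lists no code for that case. Suggest setting a distinct code such as -ENOENT on a miss and adding it to the "Values:" list, or documenting that @error is left untouched when no state matches. Second point on the same hunk: the kfunc is flagged `KF_RET_NULL | KF_ACQUIRE`, yet xfrm_state_kfunc_set registers no releasing kfunc, so with only this patch applied the reference taken by the lookup has no way to be dropped from a BPF program. If the release kfunc comes later in the series, please say so in the commit message or fold the two together so that the acquire/release pair lands atomically. Minor: struct bpf_xfrm_state_opts has an implicit padding byte between `u8 proto` and `u16 family`; since the size is part of the opts__sz contract, an explicit pad field would make the layout unambiguous.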
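Review bot: In the net/xfrm/xfrm_policy.c hunk, xfrm_init() discards the return value of register_xfrm_state_bpf(), so a failure of register_btf_kfunc_id_set() leaves the kfunc silently unavailable and XDP programs that use it are only rejected later at load time with no hint as to why. Suggest checking the result and at least logging it (for example with pr_warn()), or adding a short comment stating that registration failure is deliberately non-fatal for xfrm initialisation.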