bpf: add icmp_send kfunc#7858
Open
kernel-patches-daemon-bpf-rc[bot] wants to merge 8 commits into
Open
Conversation
Author
|
Upstream branch: 8496d90 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
fa837ea to
100962e
Compare
Author
|
Upstream branch: e42e53a |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
feaf9c0 to
6d3e856
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
100962e to
acd58e2
Compare
Author
|
Upstream branch: be4c6c7 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
6d3e856 to
81c2249
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
acd58e2 to
5da2a4f
Compare
Author
|
Upstream branch: b23705e |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
81c2249 to
8aa9870
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
5da2a4f to
56542d2
Compare
Author
|
Upstream branch: a4a5d4e |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
8aa9870 to
bd87475
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
56542d2 to
b2dc64a
Compare
Author
|
Upstream branch: 7f9ce28 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
bd87475 to
ef40e7c
Compare
Author
|
Upstream branch: 7f9ce28 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
ef40e7c to
d36d722
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
b2dc64a to
d480387
Compare
Author
|
Upstream branch: 9b435d2 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
d36d722 to
1984198
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
d480387 to
99f1abe
Compare
Author
|
Upstream branch: 9a720e0 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
1984198 to
2766f3a
Compare
Author
|
Upstream branch: 9a720e0 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
2766f3a to
b416224
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
99f1abe to
36a70b7
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
8cf039e to
37d815f
Compare
Author
|
Upstream branch: 8ddce41 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
775c7ba to
aa66971
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
37d815f to
5e6c2f8
Compare
Author
|
Upstream branch: f6cd665 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
aa66971 to
6b11760
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
5e6c2f8 to
825a38a
Compare
Author
|
Upstream branch: 5b03831 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
6b11760 to
cbd8188
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
825a38a to
1ffcf8b
Compare
Author
|
Upstream branch: c49f336 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
cbd8188 to
39aaf09
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
1ffcf8b to
864522b
Compare
Author
|
Upstream branch: 1444ee8 |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
39aaf09 to
b386b4d
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
864522b to
4c7a1d5
Compare
Author
|
Upstream branch: 63a6f3b |
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
series/1101097=>bpf-next
branch
from
b386b4d to
3ac69a9
Compare
kernel-patches-daemon-bpf-rc
Bot
force-pushed
the
bpf-next_base
branch
from
4c7a1d5 to
bc5dc71
Compare
Author
|
Upstream branch: 50dff00 |
Author
|
Upstream branch: b9452b5 |
Move and rename nf_reject_fill_skb_dst from ipv4/netfilter/nf_reject_ipv4 to ip_route_reply_fill_dst in ipv4/route.c so that it can be reused in the following patches by BPF kfuncs. Netfilter uses nf_ip_route that is almost a transparent wrapper around ip_route_output_key so this patch inlines it. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com> Reviewed-by: Jordan Rife <jordan@jrife.io>
Move and rename nf_reject6_fill_skb_dst from ipv6/netfilter/nf_reject_ipv6 to ip6_route_reply_fill_dst in ipv6/route.c so that it can be reused in the following patches by BPF kfuncs. Netfilter uses nf_ip6_route that is almost a transparent wrapper around ip6_route_output so this patch inlines it. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com> Reviewed-by: Jordan Rife <jordan@jrife.io>
This is needed in the context of Tetragon to provide improved feedback (in contrast to just dropping packets) to east-west traffic when blocked by policies using cgroup_skb programs. We also extend this kfunc to tc program as a convenience. This reuses concepts from netfilter reject target codepath with the differences that: * Packets are cloned since the BPF user can still let the packet pass (SK_PASS from the cgroup_skb progs for example) and the current skb need to stay untouched (cgroup_skb hooks only allow read-only skb payload). * We protect against recursion since the kfunc, by generating an ICMP error message, could retrigger the BPF prog that invoked it. For now, we support cgroup_skb and tc program types. For cgroup_skb and tc egress, almost everything should be good. However for tc ingress: - packet will not be routed yet: need to set the net device for icmp_send, thus the call to ip[6]_route_reply_fill_dst. - fragments could trigger hook: icmp_send will only reply to fragment 0. - ensure the ip headers is linearized before processing, and zero out the SKB control block after cloning to prevent icmp_send()/icmpv6_send() from misinterpreting garbage data as IP options. Only ICMP_DEST_UNREACH and ICMPV6_DEST_UNREACH are currently supported. The interface accepts a type parameter to facilitate future extension to other ICMP control message types. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com> Reviewed-by: Jordan Rife <jordan@jrife.io>
This test opens a server and client, enters a new cgroup, attach a cgroup_skb program on egress and calls the bpf_icmp_send function from the client egress so that an ICMP unreach control message is sent back to the client. It then fetches the message from the error queue to confirm the correct ICMP unreach code has been sent. Note that, for the client, we have to connect in non-blocking mode to let the test execute faster. Otherwise, we need to wait for the TCP three-way handshake to timeout in the kernel before reading the errno. Also note that we don't set IP_RECVERR on the socket in connect_to_fd_nonblock since the error will be transferred anyway in our test because the connection is rejected at the beginning of the TCP handshake. See in net/ipv4/tcp_ipv4.c:tcp_v4_err for more details. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com> Reviewed-by: Jordan Rife <jordan@jrife.io>
This test extends the existing cgroup_skb tests with IPv6 support. Note that we need to set IPV6_RECVERR on the socket for IPv6 in connect_to_fd_nonblock otherwise the error will be ignored even if we are in the middle of the TCP handshake. See in net/ipv6/datagram.c:ipv6_icmp_error for more details. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Author
|
Upstream branch: dd0f968 |
This test is similar to the one with cgroup_skb programs but uses tc egress instead. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This test is similar to test_icmp_send_unreach_cgroup but checks that, in case of recursion, meaning that the BPF program calling the kfunc was re-triggered by the icmp_send done by the kfunc, the kfunc will stop early and return -EBUSY. The test attaches to the root cgroup to ensure the ICMP packet generated by the kfunc re-triggers the BPF program. Since it's attached only for this recursion test, it should not disrupt the whole network. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: add icmp_send kfunc
version: 7
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1101097