From patchwork Tue May 15 23:20:52 2018
X-Patchwork-Submitter: David Ahern
X-Patchwork-Id: 914015
X-Patchwork-Delegate: bpf@iogearbox.net
From: David Ahern
To: netdev@vger.kernel.org, borkmann@iogearbox.net, ast@kernel.org
Cc: David Ahern
Subject: [PATCH bpf-next] samples/bpf: Decrement ttl in fib forwarding example
Date: Tue, 15 May 2018 16:20:52 -0700
Message-Id: <20180515232052.28004-1-dsahern@gmail.com>

Only consider forwarding packets if ttl in received packet is > 1 and decrement ttl before handing off to bpf_redirect_map.

Signed-off-by: David Ahern
Acked-by: Yonghong Song
---
 samples/bpf/xdp_fwd_kern.c | 39 +++++++++++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 8 deletions(-)

diff --git a/samples/bpf/xdp_fwd_kern.c b/samples/bpf/xdp_fwd_kern.c
index cdf4fc383cc9..4a6be0f87505 100644
--- a/samples/bpf/xdp_fwd_kern.c
+++ b/samples/bpf/xdp_fwd_kern.c
@@ -30,12 +30,24 @@ struct bpf_map_def SEC("maps") tx_port = { .max_entries = 64, }; +/* from include/net/ip.h */ +static __always_inline int ip_decrease_ttl(struct iphdr *iph) +{ + u32 check = (__force u32)iph->check; + + check += (__force u32)htons(0x0100); + iph->check = (__force __sum16)(check + (check >= 0xFFFF)); + return --iph->ttl; +} + static __always_inline int xdp_fwd_flags(struct xdp_md *ctx, u32 flags) { void *data_end = (void *)(long)ctx->data_end; void *data = (void *)(long)ctx->data; struct bpf_fib_lookup fib_params; struct ethhdr *eth = data; + struct ipv6hdr *ip6h; + struct iphdr *iph; int out_index; u16 h_proto; u64 nh_off; @@ -48,11 +60,14 @@ static __always_inline int xdp_fwd_flags(struct xdp_md *ctx, u32 flags) h_proto = eth->h_proto; if (h_proto == htons(ETH_P_IP)) { - struct iphdr *iph = data + nh_off; + iph = data + nh_off; if (iph + 1 > data_end) return XDP_DROP; + if (iph->ttl <= 1) + return XDP_PASS; + fib_params.family = AF_INET; fib_params.tos = iph->tos; fib_params.l4_protocol = iph->protocol; @@ -64,19 +79,22 @@ static __always_inline int xdp_fwd_flags(struct xdp_md *ctx, u32 flags) } else if (h_proto == htons(ETH_P_IPV6)) { struct in6_addr *src = (struct in6_addr *) fib_params.ipv6_src; struct in6_addr *dst = (struct in6_addr *) fib_params.ipv6_dst; - struct ipv6hdr *iph = data + nh_off; - if (iph + 1 > data_end) + ip6h = data + nh_off; + if (ip6h + 1 > data_end) return XDP_DROP; + if (ip6h->hop_limit <= 1) + return XDP_PASS; + fib_params.family = AF_INET6; - fib_params.flowlabel = *(__be32 *)iph & IPV6_FLOWINFO_MASK; - fib_params.l4_protocol = iph->nexthdr; + fib_params.flowlabel = *(__be32 *)ip6h & IPV6_FLOWINFO_MASK; + fib_params.l4_protocol = ip6h->nexthdr; fib_params.sport = 0; fib_params.dport = 0; - fib_params.tot_len = ntohs(iph->payload_len); - *src = iph->saddr; - *dst = iph->daddr; + fib_params.tot_len = ntohs(ip6h->payload_len); + *src = ip6h->saddr; + *dst = ip6h->daddr; } else { return XDP_PASS; } 
@@ -92,6 +110,11 @@ static __always_inline int xdp_fwd_flags(struct xdp_md *ctx, u32 flags) * forwarding packets are dropped. */ if (out_index > 0) { + if (h_proto == htons(ETH_P_IP)) + ip_decrease_ttl(iph); + else if (h_proto == htons(ETH_P_IPV6)) + ip6h->hop_limit--; + memcpy(eth->h_dest, fib_params.dmac, ETH_ALEN); memcpy(eth->h_source, fib_params.smac, ETH_ALEN); return bpf_redirect_map(&tx_port, out_index, 0);
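
Review bot: In the first hunk (@@ -30,12 +30,24 @@), ip_decrease_ttl() returns the decremented ttl, but the only call this patch adds, in the out_index > 0 block, discards the result. Either make the local copy return void, or extend the "from include/net/ip.h" comment to say the return value is kept only to match the original. The same comment could also state that the helper patches iph->check incrementally, since the commit message mentions only the ttl decrement and a reader of the sample may not expect the checksum to change.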
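
Review bot: In the second hunk (@@ -48,11 +60,14 @@), the new "if (iph->ttl <= 1)" and "if (ip6h->hop_limit <= 1)" checks return XDP_PASS with no comment, right after the truncated-header checks that return XDP_DROP. A one-line comment on each, saying that expiring packets are deliberately left to the regular stack rather than dropped or forwarded here, would keep the difference from looking accidental. Both reads sit after the "+ 1 > data_end" bounds checks, which is the right order and should stay that way if this block is reshuffled later.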
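
Review bot: In the last hunk (@@ -92,6 +110,11 @@), the "else if (h_proto == htons(ETH_P_IPV6))" test is redundant: any other h_proto has already returned XDP_PASS in the earlier else branch, so only the two families reach the out_index > 0 block. A plain else would do. If the explicit test is kept for readability, add a comment noting that iph and ip6h are function-scope pointers that are each assigned in only one branch, so each must be dereferenced only under the matching h_proto check. Note also that the header is rewritten before bpf_redirect_map() is called, so the ttl or hop_limit change is applied regardless of what that call returns.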