[v2,bpf-next,1/3] bpf: Add sock ops get netns helpers

Message ID	20200218091541.107371-2-forrest0579@gmail.com
State	Changes Requested
Delegated to:	BPF Maintainers
Headers	show Return-Path: <bpf-owner@vger.kernel.org> From: Lingpeng Chen <forrest0579@gmail.com> To: bpf <bpf@vger.kernel.org> Cc: Alexei Starovoitov <ast@kernel.org>, Daniel Borkmann <daniel@iogearbox.net>, John Fastabend <john.fastabend@gmail.com>, "David S . Miller" <davem@davemloft.net>, netdev@vger.kernel.org, Petar Penkov <ppenkov.kernel@gmail.com>, Lingpeng Chen <forrest0579@gmail.com> Subject: [PATCH v2 bpf-next 1/3] bpf: Add sock ops get netns helpers Date: Tue, 18 Feb 2020 09:15:39 +0000 Message-Id: <20200218091541.107371-2-forrest0579@gmail.com> In-Reply-To: <20200218091541.107371-1-forrest0579@gmail.com> References: <20200206083515.10334-1-forrest0579@gmail.com> <20200218091541.107371-1-forrest0579@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: bpf-owner@vger.kernel.org Precedence: bulk
Series	bpf: Add sock_ops_get_netns helpers \| expand [v2,bpf-next,0/3] bpf: Add sock_ops_get_netns helpers [v2,bpf-next,1/3] bpf: Add sock ops get netns helpers [v2,bpf-next,2/3] bpf: Sync uapi bpf.h to tools/ [v2,bpf-next,3/3] selftests/bpf: add selftest for sock_ops_get_netns helper

Message ID

20200218091541.107371-2-forrest0579@gmail.com

State

Changes Requested

Delegated to:

BPF Maintainers

Headers

From: Lingpeng Chen <forrest0579@gmail.com>
To: bpf <bpf@vger.kernel.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	John Fastabend <john.fastabend@gmail.com>,
	"David S . Miller" <davem@davemloft.net>, netdev@vger.kernel.org,
	Petar Penkov <ppenkov.kernel@gmail.com>,
	Lingpeng Chen <forrest0579@gmail.com>
Subject: [PATCH v2 bpf-next 1/3] bpf: Add sock ops get netns helpers
Date: Tue, 18 Feb 2020 09:15:39 +0000
Message-Id: <20200218091541.107371-2-forrest0579@gmail.com>
In-Reply-To: <20200218091541.107371-1-forrest0579@gmail.com>
References: <20200206083515.10334-1-forrest0579@gmail.com>
	<20200218091541.107371-1-forrest0579@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: bpf-owner@vger.kernel.org
Precedence: bulk

Series

bpf: Add sock_ops_get_netns helpers | expand

Commit Message

Forrest Chen Feb. 18, 2020, 9:15 a.m. UTC

Currently 5-tuple(sip+dip+sport+dport+proto) can't identify a
uniq connection because there may be multi net namespace.
For example, there may be a chance that netns a and netns b all
listen on 127.0.0.1:8080 and the client with same port 40782
connect to them. Without netns number, sock ops program
can't distinguish them.
Using bpf_sock_ops_get_netns helpers to get current connection
netns number to distinguish connections.

Signed-off-by: Lingpeng Chen <forrest0579@gmail.com>
---
 include/uapi/linux/bpf.h |  8 +++++++-
 net/core/filter.c        | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

Comments

Daniel Borkmann Feb. 20, 2020, 12:04 a.m. UTC | #1

On 2/18/20 10:15 AM, Lingpeng Chen wrote:
> Currently 5-tuple(sip+dip+sport+dport+proto) can't identify a
> uniq connection because there may be multi net namespace.
> For example, there may be a chance that netns a and netns b all
> listen on 127.0.0.1:8080 and the client with same port 40782
> connect to them. Without netns number, sock ops program
> can't distinguish them.
> Using bpf_sock_ops_get_netns helpers to get current connection
> netns number to distinguish connections.
> 
> Signed-off-by: Lingpeng Chen <forrest0579@gmail.com>
> ---
>   include/uapi/linux/bpf.h |  8 +++++++-
>   net/core/filter.c        | 19 +++++++++++++++++++
>   2 files changed, 26 insertions(+), 1 deletion(-)
> 
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index f1d74a2bd234..3573907d15e0 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -2892,6 +2892,11 @@ union bpf_attr {
>    *		Obtain the 64bit jiffies
>    *	Return
>    *		The 64 bit jiffies
> + * u64 bpf_sock_ops_get_netns(struct bpf_sock_ops *bpf_socket)

Nit: newline before the new helper signature starts above.

> + *  Description
> + *      Obtain netns id of sock
> + * Return
> + *      The current netns inum
>    */
>   #define __BPF_FUNC_MAPPER(FN)		\
>   	FN(unspec),			\
> @@ -3012,7 +3017,8 @@ union bpf_attr {
>   	FN(probe_read_kernel_str),	\
>   	FN(tcp_send_ack),		\
>   	FN(send_signal_thread),		\
> -	FN(jiffies64),
> +	FN(jiffies64),			\
> +	FN(sock_ops_get_netns),

Please name this something more generic like FN(get_netns_id) or such. Definitely
without the 'sock_ops' part so this can be remapped to various other prog types
for the *_func_proto().

>   
>   /* integer value in 'imm' field of BPF_CALL instruction selects which helper
>    * function eBPF program intends to call
> diff --git a/net/core/filter.c b/net/core/filter.c
> index c180871e606d..f8e946aa46fc 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -4421,6 +4421,23 @@ static const struct bpf_func_proto bpf_sock_ops_cb_flags_set_proto = {
>   	.arg2_type	= ARG_ANYTHING,
>   };
>   
> +BPF_CALL_1(bpf_sock_ops_get_netns, struct bpf_sock_ops_kern *, bpf_sock)
> +{
> +#ifdef CONFIG_NET_NS
> +	struct sock *sk = bpf_sock->sk;
> +
> +	return (u64)sk->sk_net.net->ns.inum;
> +#endif
> +	return 0;
> +}
> +
> +static const struct bpf_func_proto bpf_sock_ops_get_netns_proto = {
> +	.func		= bpf_sock_ops_get_netns,
> +	.gpl_only	= false,
> +	.ret_type	= RET_INTEGER,
> +	.arg1_type	= ARG_PTR_TO_CTX,
> +};
> +
>   const struct ipv6_bpf_stub *ipv6_bpf_stub __read_mostly;
>   EXPORT_SYMBOL_GPL(ipv6_bpf_stub);
>   
> @@ -6218,6 +6235,8 @@ sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
>   	case BPF_FUNC_tcp_sock:
>   		return &bpf_tcp_sock_proto;
>   #endif /* CONFIG_INET */
> +	case BPF_FUNC_sock_ops_get_netns:
> +		return &bpf_sock_ops_get_netns_proto;
>   	default:
>   		return bpf_base_func_proto(func_id);
>   	}
>

Forrest Chen Feb. 20, 2020, 7:10 a.m. UTC | #2

Currently 5-tuple(sip+dip+sport+dport+proto) can't identify a
uniq connection because there may be multi net namespace.
For example, there may be a chance that netns a and netns b all
listen on 127.0.0.1:8080 and the client with same port 40782
connect to them. Without netns number, sock ops program
can't distinguish them.
Using bpf_get_netns_id helpers to get current connection
netns number to distinguish connections.

Changes in v3:
- rename sock_ops_get_netns to get_netns_id

Changes in v2:
- Return u64 instead of u32 for sock_ops_get_netns
- Fix build bug when CONFIG_NET_NS not set
- Add selftest for sock_ops_get_netns

Lingpeng Chen (3):
  bpf: Add get_netns_id helper function for sock_ops
  bpf: Sync uapi bpf.h to tools/
  selftests/bpf: add selftest for get_netns_id helper

 include/uapi/linux/bpf.h                      |  9 +++-
 net/core/filter.c                             | 20 ++++++++
 tools/include/uapi/linux/bpf.h                |  9 +++-
 .../selftests/bpf/progs/test_tcpbpf_kern.c    | 11 +++++
 .../testing/selftests/bpf/test_tcpbpf_user.c  | 46 ++++++++++++++++++-
 5 files changed, 92 insertions(+), 3 deletions(-)


base-commit bb6d3fb354c5 ("Linux 5.6-rc1")

diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index f1d74a2bd234..3573907d15e0 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -2892,6 +2892,11 @@  union bpf_attr {
  *		Obtain the 64bit jiffies
  *	Return
  *		The 64 bit jiffies
+ * u64 bpf_sock_ops_get_netns(struct bpf_sock_ops *bpf_socket)
+ *  Description
+ *      Obtain netns id of sock
+ * Return
+ *      The current netns inum
  */
 #define __BPF_FUNC_MAPPER(FN)		\
 	FN(unspec),			\
@@ -3012,7 +3017,8 @@  union bpf_attr {
 	FN(probe_read_kernel_str),	\
 	FN(tcp_send_ack),		\
 	FN(send_signal_thread),		\
-	FN(jiffies64),
+	FN(jiffies64),			\
+	FN(sock_ops_get_netns),
 
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
  * function eBPF program intends to call
diff --git a/net/core/filter.c b/net/core/filter.c
index c180871e606d..f8e946aa46fc 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4421,6 +4421,23 @@  static const struct bpf_func_proto bpf_sock_ops_cb_flags_set_proto = {
 	.arg2_type	= ARG_ANYTHING,
 };
 
+BPF_CALL_1(bpf_sock_ops_get_netns, struct bpf_sock_ops_kern *, bpf_sock)
+{
+#ifdef CONFIG_NET_NS
+	struct sock *sk = bpf_sock->sk;
+
+	return (u64)sk->sk_net.net->ns.inum;
+#endif
+	return 0;
+}
+
+static const struct bpf_func_proto bpf_sock_ops_get_netns_proto = {
+	.func		= bpf_sock_ops_get_netns,
+	.gpl_only	= false,
+	.ret_type	= RET_INTEGER,
+	.arg1_type	= ARG_PTR_TO_CTX,
+};
+
 const struct ipv6_bpf_stub *ipv6_bpf_stub __read_mostly;
 EXPORT_SYMBOL_GPL(ipv6_bpf_stub);
 
@@ -6218,6 +6235,8 @@  sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 	case BPF_FUNC_tcp_sock:
 		return &bpf_tcp_sock_proto;
 #endif /* CONFIG_INET */
+	case BPF_FUNC_sock_ops_get_netns:
+		return &bpf_sock_ops_get_netns_proto;
 	default:
 		return bpf_base_func_proto(func_id);
 	}

[v2,bpf-next,1/3] bpf: Add sock ops get netns helpers

Commit Message

Comments

Patch