Message ID | cover.1662050126.git.lorenzo@kernel.org |
---|---|
Series | Introduce bpf_ct_set_nat_info kfunc helper |

On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> destination nat addresses/ports in a new allocated ct entry not inserted
> in the connection tracking table yet.
> Introduce support for per-parameter trusted args.
>
> Kumar Kartikeya Dwivedi (2):
>   bpf: Add support for per-parameter trusted args
>   selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
>
> Lorenzo Bianconi (2):
>   net: netfilter: add bpf_ct_set_nat_info kfunc helper
>   selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
>
>  Documentation/bpf/kfuncs.rst | 18 +++++++
>  kernel/bpf/btf.c | 39 ++++++++++-----
>  net/bpf/test_run.c | 9 +++-
>  net/netfilter/nf_conntrack_bpf.c | 49 ++++++++++++++++++-
>  .../testing/selftests/bpf/prog_tests/bpf_nf.c | 2 +
>  .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
>  tools/testing/selftests/bpf/verifier/calls.c | 38 +++++++++++---
>  7 files changed, 156 insertions(+), 25 deletions(-)
>

Looks like this fails BPF CI, ptal:

https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true

[...]
All error logs:
test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
test_bpf_nf_ct:PASS:iptables 0 nsec
test_bpf_nf_ct:PASS:start_server 0 nsec
connect_to_server:PASS:socket 0 nsec
connect_to_server:PASS:connect_fd_to_fd 0 nsec
test_bpf_nf_ct:PASS:connect_to_server 0 nsec
test_bpf_nf_ct:PASS:accept 0 nsec
test_bpf_nf_ct:PASS:sockaddr len 0 nsec
test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
test_bpf_nf_ct:PASS:Test for ct status update 0 nsec
test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
#16/1 bpf_nf/xdp-ct:FAIL
test_bpf_nf_ct:PASS:test_bpf_nf__open_and_load 0 nsec
test_bpf_nf_ct:PASS:iptables 0 nsec
test_bpf_nf_ct:PASS:start_server 0 nsec
connect_to_server:PASS:socket 0 nsec
connect_to_server:PASS:connect_fd_to_fd 0 nsec
test_bpf_nf_ct:PASS:connect_to_server 0 nsec
test_bpf_nf_ct:PASS:accept 0 nsec
test_bpf_nf_ct:PASS:sockaddr len 0 nsec
test_bpf_nf_ct:PASS:bpf_prog_test_run 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for NULL bpf_tuple 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for reserved not set to 0 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for netns_id < -1 0 nsec
test_bpf_nf_ct:PASS:Test EINVAL for len__opts != NF_BPF_CT_OPTS_SZ 0 nsec
test_bpf_nf_ct:PASS:Test EPROTO for l4proto != TCP or UDP 0 nsec
test_bpf_nf_ct:PASS:Test ENONET for bad but valid netns_id 0 nsec
test_bpf_nf_ct:PASS:Test ENOENT for failed lookup 0 nsec
test_bpf_nf_ct:PASS:Test EAFNOSUPPORT for invalid len__tuple 0 nsec
test_bpf_nf_ct:PASS:Test for alloc new entry 0 nsec
test_bpf_nf_ct:PASS:Test for insert new entry 0 nsec
test_bpf_nf_ct:PASS:Test for successful lookup 0 nsec
test_bpf_nf_ct:PASS:Test for min ct timeout update 0 nsec
test_bpf_nf_ct:PASS:Test for max ct timeout update 0 nsec
test_bpf_nf_ct:PASS:Test for ct status update 0 nsec
test_bpf_nf_ct:PASS:Test existing connection lookup 0 nsec
test_bpf_nf_ct:PASS:Test existing connection lookup ctmark 0 nsec
test_bpf_nf_ct:FAIL:Test for source natting unexpected Test for source natting: actual -22 != expected 0
test_bpf_nf_ct:FAIL:Test for destination natting unexpected Test for destination natting: actual -22 != expected 0
#16/2 bpf_nf/tc-bpf-ct:FAIL
#16 bpf_nf:FAIL
[...]

On Sep 02, Daniel Borkmann wrote:
> On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> > Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> > destination nat addresses/ports in a new allocated ct entry not inserted
> > in the connection tracking table yet.
> > Introduce support for per-parameter trusted args.
> >
> > Kumar Kartikeya Dwivedi (2):
> >   bpf: Add support for per-parameter trusted args
> >   selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
> >
> > Lorenzo Bianconi (2):
> >   net: netfilter: add bpf_ct_set_nat_info kfunc helper
> >   selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
> >
> >  Documentation/bpf/kfuncs.rst | 18 +++++++
> >  kernel/bpf/btf.c | 39 ++++++++++-----
> >  net/bpf/test_run.c | 9 +++-
> >  net/netfilter/nf_conntrack_bpf.c | 49 ++++++++++++++++++-
> >  .../testing/selftests/bpf/prog_tests/bpf_nf.c | 2 +
> >  .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
> >  tools/testing/selftests/bpf/verifier/calls.c | 38 +++++++++++---
> >  7 files changed, 156 insertions(+), 25 deletions(-)
> >
>
> Looks like this fails BPF CI, ptal:
>
> https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true

Hi Daniel,

it seems CONFIG_NF_NAT is not set in the kernel config file.
Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?

Regards,
Lorenzo

>
> [...]

On 9/2/22 4:35 PM, Lorenzo Bianconi wrote:
> On Sep 02, Daniel Borkmann wrote:
>> On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
>>> Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
>>> destination nat addresses/ports in a new allocated ct entry not inserted
>>> in the connection tracking table yet.
>>> Introduce support for per-parameter trusted args.
>>>
>>> Kumar Kartikeya Dwivedi (2):
>>>   bpf: Add support for per-parameter trusted args
>>>   selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
>>>
>>> Lorenzo Bianconi (2):
>>>   net: netfilter: add bpf_ct_set_nat_info kfunc helper
>>>   selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
>>>
>>>  Documentation/bpf/kfuncs.rst | 18 +++++++
>>>  kernel/bpf/btf.c | 39 ++++++++++-----
>>>  net/bpf/test_run.c | 9 +++-
>>>  net/netfilter/nf_conntrack_bpf.c | 49 ++++++++++++++++++-
>>>  .../testing/selftests/bpf/prog_tests/bpf_nf.c | 2 +
>>>  .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
>>>  tools/testing/selftests/bpf/verifier/calls.c | 38 +++++++++++---
>>>  7 files changed, 156 insertions(+), 25 deletions(-)
>>>
>>
>> Looks like this fails BPF CI, ptal:
>>
>> https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true
>
> Hi Daniel,
>
> it seems CONFIG_NF_NAT is not set in the kernel config file.
> Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?

This would have to be set there and added to the patches, yes. @Andrii/DanielM, is
this enough or are other steps needed on top of that?

>> [...]

On Fri, Sep 02, 2022 at 04:41:28PM +0200, Daniel Borkmann wrote:
> On 9/2/22 4:35 PM, Lorenzo Bianconi wrote:
> > On Sep 02, Daniel Borkmann wrote:
> > > On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> > > > Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> > > > destination nat addresses/ports in a new allocated ct entry not inserted
> > > > in the connection tracking table yet.
> > > > Introduce support for per-parameter trusted args.
> > > >
> > > > Kumar Kartikeya Dwivedi (2):
> > > >   bpf: Add support for per-parameter trusted args
> > > >   selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
> > > >
> > > > Lorenzo Bianconi (2):
> > > >   net: netfilter: add bpf_ct_set_nat_info kfunc helper
> > > >   selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
> > > >
> > > >  Documentation/bpf/kfuncs.rst | 18 +++++++
> > > >  kernel/bpf/btf.c | 39 ++++++++++-----
> > > >  net/bpf/test_run.c | 9 +++-
> > > >  net/netfilter/nf_conntrack_bpf.c | 49 ++++++++++++++++++-
> > > >  .../testing/selftests/bpf/prog_tests/bpf_nf.c | 2 +
> > > >  .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
> > > >  tools/testing/selftests/bpf/verifier/calls.c | 38 +++++++++++---
> > > >  7 files changed, 156 insertions(+), 25 deletions(-)
> > > >
> > >
> > > Looks like this fails BPF CI, ptal:
> > >
> > > https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true
> >
> > Hi Daniel,
> >
> > it seems CONFIG_NF_NAT is not set in the kernel config file.
> > Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?
>
> This would have to be set there and added to the patches, yes. @Andrii/DanielM, is
> this enough or are other steps needed on top of that?

Yes, I think it should be set at said location. Nothing else should be
needed in addition that I can think of.

Thanks,
Daniel

[...]

> On Fri, Sep 02, 2022 at 04:41:28PM +0200, Daniel Borkmann wrote:
> > On 9/2/22 4:35 PM, Lorenzo Bianconi wrote:
> > > On Sep 02, Daniel Borkmann wrote:
> > > > On 9/1/22 6:43 PM, Lorenzo Bianconi wrote:
> > > > > Introduce bpf_ct_set_nat_info kfunc helper in order to set source and
> > > > > destination nat addresses/ports in a new allocated ct entry not inserted
> > > > > in the connection tracking table yet.
> > > > > Introduce support for per-parameter trusted args.
> > > > >
> > > > > Kumar Kartikeya Dwivedi (2):
> > > > >   bpf: Add support for per-parameter trusted args
> > > > >   selftests/bpf: Extend KF_TRUSTED_ARGS test for __ref annotation
> > > > >
> > > > > Lorenzo Bianconi (2):
> > > > >   net: netfilter: add bpf_ct_set_nat_info kfunc helper
> > > > >   selftests/bpf: add tests for bpf_ct_set_nat_info kfunc
> > > > >
> > > > >  Documentation/bpf/kfuncs.rst | 18 +++++++
> > > > >  kernel/bpf/btf.c | 39 ++++++++++-----
> > > > >  net/bpf/test_run.c | 9 +++-
> > > > >  net/netfilter/nf_conntrack_bpf.c | 49 ++++++++++++++++++-
> > > > >  .../testing/selftests/bpf/prog_tests/bpf_nf.c | 2 +
> > > > >  .../testing/selftests/bpf/progs/test_bpf_nf.c | 26 +++++++++-
> > > > >  tools/testing/selftests/bpf/verifier/calls.c | 38 +++++++++++---
> > > > >  7 files changed, 156 insertions(+), 25 deletions(-)
> > > > >
> > > >
> > > > Looks like this fails BPF CI, ptal:
> > > >
> > > > https://github.com/kernel-patches/bpf/runs/8147936670?check_suite_focus=true
> > >
> > > Hi Daniel,
> > >
> > > it seems CONFIG_NF_NAT is not set in the kernel config file.
> > > Am I supposed to enable it in bpf-next/tools/testing/selftests/bpf/config?
> >
> > This would have to be set there and added to the patches, yes. @Andrii/DanielM, is
> > this enough or are other steps needed on top of that?
>
> Yes, I think it should be set at said location. Nothing else should be
> needed in addition that I can think of.

ack, I will wait a bit for some more feedback and then I will post v2.

Regards,
Lorenzo

>
> Thanks,
> Daniel
>
> [...]
>
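
The config gap discussed in this thread, as an added example that is not part of the original messages or of the kernel tree: a POSIX shell function that compares a selftests config fragment against a built kernel's .config and lists every option the fragment asks for that the kernel does not provide. The function names, the output format, the `=y` versus `=m` policy and both sample files are assumptions constructed for this illustration.

```shell
#!/bin/sh
# Added example: list options a selftests config fragment asks for that the
# built kernel's .config does not provide. Names and output format are
# hypothetical, chosen for this illustration.

# check_selftest_config FRAGMENT KERNEL_CONFIG
# Prints "OPTION want=<y|m> have=<m|unset>" for every unmet request.
check_selftest_config() {
    fragment=$1
    kconfig=$2
    # Keep only "CONFIG_FOO=y" / "CONFIG_FOO=m" lines from the fragment.
    sed -n 's/^\(CONFIG_[A-Za-z0-9_]*\)=\([ym]\)$/\1 \2/p' "$fragment" |
    while read -r opt want; do
        # Last assignment wins; "# CONFIG_FOO is not set" never matches.
        have=$(sed -n "s/^${opt}=\([ym]\)\$/\1/p" "$kconfig" | tail -n 1)
        [ -n "$have" ] || have=unset
        # Policy assumed here: =y satisfies any request, =m only a =m request.
        if [ "$have" = unset ] || { [ "$want" = y ] && [ "$have" = m ]; }; then
            printf '%s want=%s have=%s\n' "$opt" "$want" "$have"
        fi
    done
}

# Runs the check on two constructed sample files and prints the gaps.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/fragment" <<'EOF'
# constructed sample fragment
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_NAT=y
EOF
    cat > "$tmp/dotconfig" <<'EOF'
# constructed sample .config with NF_NAT left unset
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_NAT is not set
EOF
    check_selftest_config "$tmp/fragment" "$tmp/dotconfig"
    rm -rf "$tmp"
}

demo
```

Running such a check before the selftests turns a missing option into a named line of output instead of a bare `-22` from the test itself.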