From patchwork Fri Apr 26 15:48:45 2019
X-Patchwork-Submitter: Alban Crequy
X-Patchwork-Id: 1091572
X-Patchwork-Delegate: bpf@iogearbox.net
From: Alban Crequy
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, alban@kinvolk.io, iago@kinvolk.io
Subject: [PATCH bpf-next v3 1/4] bpf: sock ops: add netns ino and dev in bpf context
Date: Fri, 26 Apr 2019 17:48:45 +0200
Message-Id: <20190426154848.23490-1-alban@kinvolk.io>
List-Id: netdev.vger.kernel.org
From: Alban Crequy sockops programs can now access the network namespace inode and device via (struct bpf_sock_ops)->netns_ino and ->netns_dev. This can be useful to apply different policies on different network namespaces. In the unlikely case where network namespaces are not compiled in (CONFIG_NET_NS=n), the verifier will not allow access to ->netns_*. The generated BPF bytecode for netns_ino is loading the correct inode number at the time of execution. However, the generated BPF bytecode for netns_dev is loading an immediate value determined at BPF-load-time by looking at the initial network namespace. In practice, this works because all netns currently use the same virtual device. If this was to change, this code would need to be updated too. Signed-off-by: Alban Crequy --- Changes since v1: - add netns_dev (review from Alexei) Changes since v2: - replace __u64 by u64 in kernel code (review from Y Song) - remove unneeded #else branch: program would be rejected in is_valid_access (review from Y Song) - allow partial reads ( #include #include +#include +#include /** * sk_filter_trim_cap - run a packet through a socket filter @@ -6810,6 +6812,24 @@ static bool sock_ops_is_valid_access(int off, int size, } } else { switch (off) { + case offsetof(struct bpf_sock_ops, netns_dev) ... + offsetof(struct bpf_sock_ops, netns_dev) + sizeof(u64) - 1: +#ifdef CONFIG_NET_NS + if (off - offsetof(struct bpf_sock_ops, netns_dev) + + size > sizeof(u64)) + return false; +#else + return false; +#endif + break; + case offsetof(struct bpf_sock_ops, netns_ino): +#ifdef CONFIG_NET_NS + if (size != sizeof(u64)) + return false; +#else + return false; +#endif + break; case bpf_ctx_range_till(struct bpf_sock_ops, bytes_received, bytes_acked): if (size != sizeof(__u64)) 
@@ -7727,6 +7747,11 @@ static u32 sock_addr_convert_ctx_access(enum bpf_access_type type, return insn - insn_buf; } +static struct ns_common *sockops_netns_cb(void *private_data) +{ + return &init_net.ns; +} + static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, const struct bpf_insn *si, struct bpf_insn *insn_buf, @@ -7735,6 +7760,10 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, { struct bpf_insn *insn = insn_buf; int off; + struct inode *ns_inode; + struct path ns_path; + u64 netns_dev; + void *res; /* Helper macro for adding read access to tcp_sock or sock fields. */ #define SOCK_OPS_GET_FIELD(BPF_FIELD, OBJ_FIELD, OBJ) \ 
@@ -7981,6 +8010,71 @@ static u32 sock_ops_convert_ctx_access(enum bpf_access_type type, SOCK_OPS_GET_OR_SET_FIELD(sk_txhash, sk_txhash, struct sock, type); break; + + case offsetof(struct bpf_sock_ops, netns_dev) ... + offsetof(struct bpf_sock_ops, netns_dev) + sizeof(u64) - 1: +#ifdef CONFIG_NET_NS + /* We get the netns_dev at BPF-load-time and not at + * BPF-exec-time. We assume that netns_dev is a constant. + */ + res = ns_get_path_cb(&ns_path, sockops_netns_cb, NULL); + if (IS_ERR(res)) { + netns_dev = 0; + } else { + ns_inode = ns_path.dentry->d_inode; + netns_dev = new_encode_dev(ns_inode->i_sb->s_dev); + } + off = si->off; + off -= offsetof(struct bpf_sock_ops, netns_dev); + switch (BPF_LDST_BYTES(si)) { + case sizeof(u64): + *insn++ = BPF_MOV64_IMM(si->dst_reg, netns_dev); + break; + case sizeof(u32): + netns_dev = *(u32 *)(((char *)&netns_dev) + off); + *insn++ = BPF_MOV32_IMM(si->dst_reg, netns_dev); + break; + case sizeof(u16): + netns_dev = *(u16 *)(((char *)&netns_dev) + off); + *insn++ = BPF_MOV32_IMM(si->dst_reg, netns_dev); + break; + case sizeof(u8): + netns_dev = *(u8 *)(((char *)&netns_dev) + off); + *insn++ = BPF_MOV32_IMM(si->dst_reg, netns_dev); + break; + } +#endif + break; + + case offsetof(struct bpf_sock_ops, netns_ino): +#ifdef CONFIG_NET_NS + /* Loading: sk_ops->sk->__sk_common.skc_net.net->ns.inum + * Type: (struct bpf_sock_ops_kern *) + * ->(struct sock *) + * ->(struct sock_common) + * .possible_net_t + * .(struct net *) + * ->(struct ns_common) + * .(unsigned int) + */ + BUILD_BUG_ON(offsetof(struct sock, __sk_common) != 0); + BUILD_BUG_ON(offsetof(possible_net_t, net) != 0); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + struct bpf_sock_ops_kern, sk), + si->dst_reg, si->src_reg, + offsetof(struct bpf_sock_ops_kern, sk)); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + possible_net_t, net), + si->dst_reg, si->dst_reg, + offsetof(struct sock_common, skc_net)); + *insn++ = BPF_LDX_MEM(BPF_FIELD_SIZEOF( + struct ns_common, inum), + 
si->dst_reg, si->dst_reg, + offsetof(struct net, ns) + + offsetof(struct ns_common, inum)); +#endif + break; + } return insn - insn_buf; }
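Review bot: in the sock_ops_is_valid_access() hunk, netns_dev accepts 1-, 2- and 4-byte partial reads (the `offsetof(...) ... offsetof(...) + sizeof(u64) - 1` range with the `off - offsetof(struct bpf_sock_ops, netns_dev) + size > sizeof(u64)` bound) while netns_ino only passes with `size != sizeof(u64)` rejected, i.e. full 8-byte reads; both are __u64 fields of the same struct, so either give netns_ino the same range case or say in the commit message why the two differ. The `#ifdef CONFIG_NET_NS ... #else return false; #endif` block is also duplicated in both cases; a single `#ifdef CONFIG_NET_NS` around both `case` labels, falling through to the existing default reject when it is off, reads simpler. Minor: the new cases use `sizeof(u64)` while the neighbouring `bytes_received` case uses `sizeof(__u64)`.

Review bot: in the hunk adding `sockops_netns_cb()` and the `ns_inode`, `ns_path`, `netns_dev` and `res` locals to sock_ops_convert_ctx_access(), the four locals are referenced only inside `#ifdef CONFIG_NET_NS`, so a CONFIG_NET_NS=n build gets unused-variable warnings; declare them inside the `#ifdef` of the netns_dev case, or make the callback and the locals conditional together. `sockops_netns_cb()` also ignores `private_data` and always returns `&init_net.ns`; a one-line comment that this is deliberate (the device is assumed identical for all namespaces, as the commit message says) saves the next reader a trip to the commit log.

Review bot: in the netns_dev case of sock_ops_convert_ctx_access(), `ns_get_path_cb(&ns_path, sockops_netns_cb, NULL)` hands back a `struct path` holding a dentry and a mount reference, and nothing releases it after `netns_dev = new_encode_dev(ns_inode->i_sb->s_dev)`, so every successful program load leaks a reference on the nsfs dentry and mount; add `path_put(&ns_path);` at the end of the success branch. Two smaller points in the same case: `BPF_MOV64_IMM()` carries a sign-extended 32-bit immediate, so a `new_encode_dev()` value with bit 31 set would surface with the upper half all ones in a full-width read (use `BPF_LD_IMM64()` if netns_dev is meant to be a real u64, or document that only 32 bits are populated), and a failed `ns_get_path_cb()` silently yields netns_dev = 0, which a program cannot tell apart from a genuine value; a `default:` arm on `switch (BPF_LDST_BYTES(si))` would also make the reliance on is_valid_access explicit. The netns_ino case dereferences `sk` through three chained `BPF_LDX_MEM()` loads with no NULL check; the comment above it should state that `bpf_sock_ops_kern.sk` is always set when a sockops program runs, since that is what makes the chain safe.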
From: Alban Crequy
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, alban@kinvolk.io, iago@kinvolk.io
Subject: [PATCH bpf-next v3 2/4] bpf: sync bpf.h to tools/ for bpf_sock_ops->netns*
Date: Fri, 26 Apr 2019 17:48:46 +0200
Message-Id: <20190426154848.23490-2-alban@kinvolk.io>
In-Reply-To: <20190426154848.23490-1-alban@kinvolk.io>
References: <20190426154848.23490-1-alban@kinvolk.io>
List-Id: netdev.vger.kernel.org

From: Alban Crequy

The change in struct bpf_sock_ops is synchronised from:
include/uapi/linux/bpf.h
to:
tools/include/uapi/linux/bpf.h

Signed-off-by: Alban Crequy
---
Changes since v2:
- standalone patch for the sync (requested by Y Song)
---
 tools/include/uapi/linux/bpf.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 704bb69514a2..eb56620a9d7a 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -3206,6 +3206,8 @@ struct bpf_sock_ops { __u32 sk_txhash; __u64 bytes_received; __u64 bytes_acked; + __u64 netns_dev; + __u64 netns_ino; }; /* Definitions for bpf_sock_ops_cb_flags */
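Review bot: the two `__u64 netns_dev;` and `__u64 netns_ino;` lines land in the tools/ copy with no comment, and this struct is uapi, so a program author has no way to learn from the header that netns_dev is an immediate captured from init_net at program load time (and may be read partially) while netns_ino is loaded from the socket at run time and must be read as a full 8 bytes; put that comment on the fields in include/uapi/linux/bpf.h and mirror it here in the same sync.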
From: Alban Crequy
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, alban@kinvolk.io, iago@kinvolk.io
Subject: [PATCH bpf-next v3 3/4] selftests: bpf: read netns_ino from struct bpf_sock_ops
Date: Fri, 26 Apr 2019 17:48:47 +0200
Message-Id: <20190426154848.23490-3-alban@kinvolk.io>
In-Reply-To: <20190426154848.23490-1-alban@kinvolk.io>
References: <20190426154848.23490-1-alban@kinvolk.io>
List-Id: netdev.vger.kernel.org

From: Alban Crequy

This shows how a sockops program could be restricted to a specific network namespace. The sockops program looks at the current netns via (struct bpf_sock_ops)->netns_ino and checks if the value matches the configuration in the new BPF map "sock_netns".

The test program ./test_sockmap accepts a new parameter "--netns"; the default value is the current netns found by stat() on /proc/self/ns/net, so the previous tests still pass:

sudo ./test_sockmap
...
Summary: 412 PASSED 0 FAILED
...
Summary: 824 PASSED 0 FAILED

I run my additional test in the following way:

NETNS=$(readlink /proc/self/ns/net | sed 's/^net:\[\(.*\)\]$/\1/')
CGR=/sys/fs/cgroup/unified/user.slice/user-1000.slice/session-5.scope/
sudo ./test_sockmap --cgroup $CGR --netns $NETNS &
cat /sys/kernel/debug/tracing/trace_pipe
echo foo | nc -l 127.0.0.1 8080 &
echo bar | nc 127.0.0.1 8080

=> the connection goes through the sockmap

When testing with a wrong $NETNS, I get the trace_pipe log:
> not binding connection on netns 4026531992
Signed-off-by: Alban Crequy --- Changes since v1: - tools/include/uapi/linux/bpf.h: update with netns_dev - tools/testing/selftests/bpf/test_sockmap_kern.h: print debugs with both netns_dev and netns_ino Changes since v2: - update commitmsg to refer to netns_ino --- tools/testing/selftests/bpf/test_sockmap.c | 38 +++++++++++++++++-- .../testing/selftests/bpf/test_sockmap_kern.h | 22 +++++++++++ 2 files changed, 57 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/bpf/test_sockmap.c b/tools/testing/selftests/bpf/test_sockmap.c index 3845144e2c91..5a1b9c96fca1 100644 --- a/tools/testing/selftests/bpf/test_sockmap.c +++ b/tools/testing/selftests/bpf/test_sockmap.c @@ -2,6 +2,7 @@ // Copyright (c) 2017-2018 Covalent IO, Inc. http://covalent.io #include #include +#include #include #include #include @@ -21,6 +22,7 @@ #include #include #include +#include #include #include @@ -63,8 +65,8 @@ int s1, s2, c1, c2, p1, p2; int test_cnt; int passed; int failed; -int map_fd[8]; -struct bpf_map *maps[8]; +int map_fd[9]; +struct bpf_map *maps[9]; int prog_fd[11]; int txmsg_pass; @@ -84,6 +86,7 @@ int txmsg_ingress; int txmsg_skb; int ktls; int peek_flag; +uint64_t netns_opt; static const struct option long_options[] = { {"help", no_argument, NULL, 'h' }, @@ -111,6 +114,7 @@ static const struct option long_options[] = { {"txmsg_skb", no_argument, &txmsg_skb, 1 }, {"ktls", no_argument, &ktls, 1 }, {"peek", no_argument, &peek_flag, 1 }, + {"netns", required_argument, NULL, 'n'}, {0, 0, NULL, 0 } }; @@ -1585,6 +1589,7 @@ char *map_names[] = { "sock_bytes", "sock_redir_flags", "sock_skb_opts", + "sock_netns", }; int prog_attach_type[] = { @@ -1619,6 +1624,8 @@ static int populate_progs(char *bpf_file) struct bpf_object *obj; int i = 0; long err; + struct stat netns_sb; + uint64_t netns_ino; obj = bpf_object__open(bpf_file); err = libbpf_get_error(obj); 
@@ -1655,6 +1662,28 @@ static int populate_progs(char *bpf_file) } } + if (netns_opt == 0) { + err = stat("/proc/self/ns/net", &netns_sb); + if (err) { + fprintf(stderr, + "ERROR: cannot stat network namespace: %ld (%s)\n", + err, strerror(errno)); + return -1; + } + netns_ino = netns_sb.st_ino; + } else { + netns_ino = netns_opt; + } + i = 1; + err = bpf_map_update_elem(map_fd[8], &netns_ino, &i, BPF_ANY); + if (err) { + fprintf(stderr, + "ERROR: bpf_map_update_elem (netns): %ld (%s)\n", + err, strerror(errno)); + return -1; + } + + return 0; } @@ -1738,7 +1767,7 @@ int main(int argc, char **argv) if (argc < 2) return test_suite(-1); - while ((opt = getopt_long(argc, argv, ":dhvc:r:i:l:t:p:q:", + while ((opt = getopt_long(argc, argv, ":dhvc:r:i:l:t:p:q:n:", long_options, &longindex)) != -1) { switch (opt) { case 's': @@ -1805,6 +1834,9 @@ int main(int argc, char **argv) return -1; } break; + case 'n': + netns_opt = strtoull(optarg, NULL, 10); + break; case 0: break; case 'h': diff --git a/tools/testing/selftests/bpf/test_sockmap_kern.h b/tools/testing/selftests/bpf/test_sockmap_kern.h index e7639f66a941..317406dad6cf 100644 --- a/tools/testing/selftests/bpf/test_sockmap_kern.h +++ b/tools/testing/selftests/bpf/test_sockmap_kern.h @@ -91,6 +91,13 @@ struct bpf_map_def SEC("maps") sock_skb_opts = { .max_entries = 1 }; +struct bpf_map_def SEC("maps") sock_netns = { + .type = BPF_MAP_TYPE_HASH, + .key_size = sizeof(__u64), + .value_size = sizeof(int), + .max_entries = 16 +}; + SEC("sk_skb1") int bpf_prog1(struct __sk_buff *skb) { 
@@ -132,9 +139,24 @@ int bpf_sockmap(struct bpf_sock_ops *skops) { __u32 lport, rport; int op, err = 0, index, key, ret; + int i = 0; + __u64 netns_dev, netns_ino; + int *allowed; op = (int) skops->op; + netns_dev = skops->netns_dev; + netns_ino = skops->netns_ino; + bpf_printk("bpf_sockmap: netns_dev = %lu netns_ino = %lu\n", + netns_dev, netns_ino); + + // Only allow sockmap connection on the configured network namespace + allowed = bpf_map_lookup_elem(&sock_netns, &netns_ino); + if (allowed == NULL || *allowed == 0) { + bpf_printk("not binding connection on netns_ino %lu\n", + netns_ino); + return 0; + } switch (op) { case BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB:
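Review bot: in the populate_progs() hunk, `bpf_map_update_elem(map_fd[8], &netns_ino, &i, BPF_ANY)` hard-codes index 8, which silently breaks if another name is inserted before "sock_netns" in map_names[]; look the map up by name or define a constant next to the `map_fd[9]`/`maps[9]` bump. The `stat()` error path prints `err` (always -1 there) with `%ld`; `strerror(errno)` already carries the useful part of the message.

Review bot: in the `case 'n':` hunk, `netns_opt = strtoull(optarg, NULL, 10)` has no endptr or errno check, so a `--netns` value with a typo parses as 0 and the `netns_opt == 0` test in populate_progs() quietly falls back to the current namespace, turning a misconfigured negative test into a pass; check the endptr and reject 0 or trailing garbage.

Review bot: in the `sock_netns` map hunk, the policy is keyed on netns_ino alone (`.key_size = sizeof(__u64)`), so netns_dev is read and printed by the program but never compared; keying on a struct of (netns_dev, netns_ino) would exercise both fields the series adds and match how user space identifies a namespace, by (st_dev, st_ino).

Review bot: in the bpf_sockmap() hunk, `int i = 0;` is added but never used in the visible lines; the two `bpf_printk()` calls format `__u64` with `%lu` (use `%llu`); and `// Only allow ...` is a C++ comment where the rest of the file uses `/* */`. The early `return 0` on lookup failure runs before `switch (op)` for every callback, which is the intent, but the unconditional debug `bpf_printk()` on every sockops event will flood trace_pipe during the full test run; gate it on a debug flag or drop it before merging.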
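The user-space side of the policy in 3/4 derives the namespace key with stat() on /proc/self/ns/net, while the kernel side in 1/4 exposes `new_encode_dev(i_sb->s_dev)` and `ns.inum`. The C program below is an added example, not code from the patch series or from the kernel tree: it re-implements the bit layout of the kernel's new_encode_dev(), checks that glibc's major()/minor() decode it back, reads the (dev, ino) pair of a pid from /proc, and applies the same allow check the BPF program makes, on both fields rather than the inode alone. It assumes a 64-bit Linux host, where the kernel fills st_dev through new_encode_dev(), so st_dev equals what a sockops program reads in netns_dev; the function names `kernel_new_encode_dev`, `read_netns_id` and `netns_allowed` are the example's own.

```c
/* Added example, not part of the patch series: derive the (netns_dev,
 * netns_ino) pair a sockops program sees from user space, and apply the
 * same allow check on both fields.
 *
 * Assumption (not from the page): 64-bit Linux, where stat() fills st_dev
 * via the kernel's new_encode_dev(), i.e. the same encoder 1/4 uses for
 * bpf_sock_ops->netns_dev; st_ino is the nsfs inode, i.e. netns_ino.
 */
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>

/* Same bit layout as include/linux/kdev_t.h new_encode_dev(): low 8 bits
 * of minor, then 12 bits of major, then the high 12 bits of minor. */
static uint32_t kernel_new_encode_dev(unsigned int maj, unsigned int min)
{
	return (min & 0xffU) | (maj << 8) | ((min & ~0xffU) << 12);
}

/* Decode with the glibc macros user space would apply to st_dev. */
static unsigned int userspace_major(uint64_t st_dev) { return major(st_dev); }
static unsigned int userspace_minor(uint64_t st_dev) { return minor(st_dev); }

/* 1 if (maj, min) survives kernel encoding followed by glibc decoding. */
static int dev_round_trips(unsigned int maj, unsigned int min)
{
	uint64_t dev = kernel_new_encode_dev(maj, min);

	return userspace_major(dev) == maj && userspace_minor(dev) == min;
}

struct netns_id {
	uint64_t dev;	/* what bpf_sock_ops->netns_dev carries */
	uint64_t ino;	/* what bpf_sock_ops->netns_ino carries */
};

/* Read a pid's network namespace identity from /proc (0 = self).
 * Returns 0 on success, -1 if the stat() fails. */
static int read_netns_id(pid_t pid, struct netns_id *out)
{
	char path[64];
	struct stat sb;

	if (pid == 0)
		snprintf(path, sizeof(path), "/proc/self/ns/net");
	else
		snprintf(path, sizeof(path), "/proc/%ld/ns/net", (long)pid);
	if (stat(path, &sb) != 0)
		return -1;
	out->dev = (uint64_t)sb.st_dev;
	out->ino = (uint64_t)sb.st_ino;
	return 0;
}

/* The allow decision the BPF program makes, but on both fields: a
 * matching inode on a different device is not the same namespace. */
static int netns_allowed(uint64_t allowed_dev, uint64_t allowed_ino,
			 uint64_t netns_dev, uint64_t netns_ino)
{
	return allowed_dev == netns_dev && allowed_ino == netns_ino;
}

int main(void)
{
	struct netns_id self;

	if (read_netns_id(0, &self) != 0) {
		perror("stat /proc/self/ns/net");
		return 1;
	}
	printf("netns_dev=%llu (major %u, minor %u) netns_ino=%llu\n",
	       (unsigned long long)self.dev, userspace_major(self.dev),
	       userspace_minor(self.dev), (unsigned long long)self.ino);
	/* Constructed "other namespace": same device, inode off by one. */
	printf("self allowed: %d, other inode allowed: %d\n",
	       netns_allowed(self.dev, self.ino, self.dev, self.ino),
	       netns_allowed(self.dev, self.ino, self.dev, self.ino + 1));
	return 0;
}
```

Compile with `cc -Wall -o netns_id netns_id.c` and run it in two different network namespaces (for instance once directly and once under `unshare -n`) to see netns_ino change while netns_dev stays the same, which is the property the commit message of 1/4 relies on.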
From: Alban Crequy
To: john.fastabend@gmail.com, ast@kernel.org, daniel@iogearbox.net
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, alban@kinvolk.io, iago@kinvolk.io
Subject: [PATCH bpf-next v3 4/4] selftests: bpf: verifier: read netns_dev and netns_ino from struct bpf_sock_ops
Date: Fri, 26 Apr 2019 17:48:48 +0200
Message-Id: <20190426154848.23490-4-alban@kinvolk.io>
In-Reply-To: <20190426154848.23490-1-alban@kinvolk.io>
References: <20190426154848.23490-1-alban@kinvolk.io>
X-Mailing-List: netdev@vger.kernel.org

From: Alban Crequy

Tested with:

> $ sudo ./test_verifier
> ...
> #905/p sockops accessing bpf_sock_ops->netns_dev, ok OK
> #906/p sockops accessing bpf_sock_ops->netns_ino, ok OK
> ...
> Summary: 1421 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Alban Crequy
---
Changes since v1:
- This is a new selftest (review from Song)

Changes since v2:
- test partial reads on netns_dev (review from Y Song)
- split in two tests
---
 .../testing/selftests/bpf/verifier/var_off.c | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)

diff --git a/tools/testing/selftests/bpf/verifier/var_off.c b/tools/testing/selftests/bpf/verifier/var_off.c
index 8504ac937809..9e4c6c78eb9d 100644
--- a/tools/testing/selftests/bpf/verifier/var_off.c
+++ b/tools/testing/selftests/bpf/verifier/var_off.c
@@ -246,3 +246,56 @@ .result = ACCEPT, .prog_type = BPF_PROG_TYPE_LWT_IN, }, +{ + "sockops accessing bpf_sock_ops->netns_dev, ok", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev)), + + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev)), + BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 4), + + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev)), + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 2), + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 4), + BPF_LDX_MEM(BPF_H, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 6), + + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev)), + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 1), + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 2), + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 3), + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 4), + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 5), + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 6), + BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_dev) + 7), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SOCK_OPS, +}, +{ + "sockops accessing bpf_sock_ops->netns_ino, ok", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, + netns_ino)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + .prog_type = BPF_PROG_TYPE_SOCK_OPS, +},
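Review bot: both new cases are `.result = ACCEPT` only; the is_valid_access changes in 1/4 are also meant to reject a read that runs past netns_dev (for instance `BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, offsetof(struct bpf_sock_ops, netns_dev) + 4)`), a partial read of netns_ino (`BPF_W` at `offsetof(struct bpf_sock_ops, netns_ino)`) and any write to either field, and none of those has a `.result = REJECT` case here, so a regression in the bounds check would pass this suite unnoticed. The tests are also fixed-offset context reads placed in var_off.c, which collects variable-offset tests; a sock_ops context-access test file would be the expected home.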