bpf: policy: cleanups to reduce program size #27369
/ci-verifier
We already have protocol-specific helpers for egress policy. Add the matching helpers for ingress policy, and make the naming consistent.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
9e09c2b to dc3ff03
We're currently including the IPPROTO_ICMP handling into the IPv6 path, and the IPPROTO_ICMPV6 handling into the IPv4 path. Pass a static ethertype from the policy helpers, so that the compiler can be a bit smarter and only include the relevant code. Also load the ICMP header just once, and share it amongst the code that handles ALLOW_ICMP_FRAG_NEEDED and ENABLE_ICMP_RULE.
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
Use goto statements to consolidate the calls to __account_and_check().
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
dc3ff03 to b7c4a57
/test
I'm not sure I fully understand the usefulness of the last patch. Otherwise looks good!
Is the compiler not smart enough to consolidate these calls itself? What is the benefit of reducing the text size if we are only going through one of the branches?
Nope - I was a bit surprised too :). The baseline is With the patch applied this becomes That's not much of course. But I'll take wins where I can get them, until the 4.19 kernel is gone.
```c
/* Convert from unsigned char to unsigned short
 * considering byte order(little-endian).
 * In the little-endian case, for example, 2byte data "AB"
 * convert to "BA".
 * Therefore, the "icmp_type" should be shifted not just casting.
 */
key.dport = (__u16)(icmphdr.type << 8);
```
How can this be correct on all architectures without using some form of ntohs()?
Hmm, looks like this was originally introduced by @chez-shanpu in #16516.
Yes, probably this line should use bpf_htons() instead of using shift.
I'll fix it and submit a PR.
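The byte-order question raised in this review thread, as an added example (not code from the PR or from the project): it models how the shift and an htons-style conversion lay out key.dport in memory on little- and big-endian CPUs. The function names and the sample ICMP types are assumptions made for illustration; model_htons() stands in for bpf_htons().

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lay out a 16-bit value the way a CPU of the given endianness stores it. */
static void store_u16(uint8_t out[2], uint16_t v, int big_endian)
{
	out[0] = big_endian ? (uint8_t)(v >> 8) : (uint8_t)(v & 0xff);
	out[1] = big_endian ? (uint8_t)(v & 0xff) : (uint8_t)(v >> 8);
}

/* htons() modelled per endianness: identity on BE, byte swap on LE. */
static uint16_t model_htons(uint16_t v, int big_endian)
{
	return big_endian ? v : (uint16_t)((v << 8) | (v >> 8));
}

/* Key bytes produced by the reviewed line: (__u16)(icmphdr.type << 8). */
void key_bytes_shift(uint8_t icmp_type, int big_endian, uint8_t out[2])
{
	store_u16(out, (uint16_t)(icmp_type << 8), big_endian);
}

/* Key bytes produced by the suggested htons-style conversion. */
void key_bytes_htons(uint8_t icmp_type, int big_endian, uint8_t out[2])
{
	store_u16(out, model_htons(icmp_type, big_endian), big_endian);
}

/* 1 if both conversions yield the same lookup key bytes, else 0. */
int shift_matches_htons(uint8_t icmp_type, int big_endian)
{
	uint8_t a[2], b[2];

	key_bytes_shift(icmp_type, big_endian, a);
	key_bytes_htons(icmp_type, big_endian, b);
	return memcmp(a, b, sizeof(a)) == 0;
}

int main(void)
{
	const uint8_t types[] = { 0, 3, 8 }; /* constructed sample ICMP types */

	for (size_t i = 0; i < sizeof(types); i++)
		for (int be = 0; be <= 1; be++)
			printf("type=%u %s: %s\n", (unsigned)types[i], be ? "BE" : "LE",
			       shift_matches_htons(types[i], be) ? "same key" : "DIFFERENT key");
	return 0;
}
```

The two conversions produce the same key bytes on little-endian, and on big-endian only when the ICMP type is 0.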
This brings a bit of innocent fine-tuning for the BPF policy code.
For the example of bpf_host's tail_rev_nodeport_lb6() (containing HostFW policy code), it shaves off around 100 instructions.