Socket lookup BPF API from tc/xdp ingress does not respect VRF bindings. #5002
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![kernel-patches-daemon-bpf[bot]](https://avatars.githubusercontent.com/u/70728002?s=60&v=4){kind=small}
|
Upstream branch: f52cc62 |
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
3d2d695
to
aa6738c
Compare
|
Upstream branch: f52cc62 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/741728=>bpf
branch
from
3fd4170
to
ba6bc14
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
aa6738c
to
5c8a65c
Compare
|
Upstream branch: 2b5fdc0 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/741728=>bpf
branch
from
ba6bc14
to
47261c6
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
5c8a65c
to
18af752
Compare
|
Upstream branch: 415d7a4 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/741728=>bpf
branch
from
47261c6
to
0247569
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=743268 expired. Closing PR. |
|
Upstream branch: 415d7a4 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/741728=>bpf
branch
from
0247569
to
16cd6c6
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
18af752
to
b6ce5c5
Compare
|
Upstream branch: 415d7a4 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/741728=>bpf
branch
from
16cd6c6
to
2469c6d
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
b6ce5c5
to
1a3ac93
Compare
|
Upstream branch: 415d7a4 |
kernel-patches-daemon-bpf
bot
force-pushed
the
series/741728=>bpf
branch
from
2469c6d
to
bbc7199
Compare
kernel-patches-daemon-bpf
bot
force-pushed
the
bpf_base
branch
from
1a3ac93
to
a12f196
Compare
Change BPF helper socket lookup functions to use TC specific variants: bpf_tc_sk_lookup_tcp() / bpf_tc_sk_lookup_udp() / bpf_tc_skc_lookup_tcp() instead of sharing implementation with the cg / sk_skb hooking points. This allows introducing a separate logic for the TC flow. The tc functions are identical to the original code. Acked-by: Stanislav Fomichev <sdf@google.com> Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com> Reviewed-by: Eyal Birger <eyal.birger@gmail.com> Signed-off-by: Gilad Sever <gilad9366@gmail.com>
skb->dev always exists in the tc flow. There is no need to use bpf_skc_lookup(), bpf_sk_lookup() from this code path. This change facilitates fixing the tc flow to be VRF aware. Acked-by: Stanislav Fomichev <sdf@google.com> Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com> Reviewed-by: Eyal Birger <eyal.birger@gmail.com> Signed-off-by: Gilad Sever <gilad9366@gmail.com>
|
Upstream branch: 415d7a4 |
When calling bpf_sk_lookup_tcp(), bpf_sk_lookup_udp() or
bpf_skc_lookup_tcp() from tc/xdp ingress, VRF socket bindings aren't
respoected, i.e. unbound sockets are returned, and bound sockets aren't
found.
VRF binding is determined by the sdif argument to sk_lookup(), however
when called from tc the IP SKB control block isn't initialized and thus
inet{,6}_sdif() always returns 0.
Fix by calculating sdif for the tc/xdp flows by observing the device's
l3 enslaved state.
The cg/sk_skb hooking points which are expected to support
inet{,6}_sdif() pass sdif=-1 which makes __bpf_skc_lookup() use the
existing logic.
Fixes: 6acc9b4 ("bpf: Add helper to retrieve socket in BPF")
Acked-by: Stanislav Fomichev <sdf@google.com>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
Signed-off-by: Gilad Sever <gilad9366@gmail.com>
Verify that socket lookup via TC/XDP with all BPF APIs is VRF aware. Reviewed-by: Eyal Birger <eyal.birger@gmail.com> Signed-off-by: Gilad Sever <gilad9366@gmail.com> Acked-by: Stanislav Fomichev <sdf@google.com>
kernel-patches-daemon-bpf
bot
force-pushed
the
series/741728=>bpf
branch
from
bbc7199
to
502459d
Compare
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=743268 irrelevant now. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: Socket lookup BPF API from tc/xdp ingress does not respect VRF bindings.
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=743268