    tc: built-in eBPF exec proxy · 4bd62446
    Daniel Borkmann authored
    This work follows upon commit 6256f8c9 ("tc, bpf: finalize eBPF
    support for cls and act front-end") and takes up the idea proposed by
    Hannes Frederic Sowa to spawn a shell (or any other command) that holds
    generated eBPF map file descriptors.
    
    File descriptors, based on their id, are being fetched from the same
    unix domain socket as demonstrated in the bpf_agent, the shell spawned
    via execvpe(2) and the map fds passed over the environment, and thus
    are made available to applications in the fashion of std{in,out,err}
    for read/write access, for example in case of iproute2's examples/bpf/:
    
      # env | grep BPF
      BPF_NUM_MAPS=3
      BPF_MAP1=6        <- BPF_MAP_ID_QUEUE (id 1)
      BPF_MAP0=5        <- BPF_MAP_ID_PROTO (id 0)
      BPF_MAP2=7        <- BPF_MAP_ID_DROPS (id 2)
    
      # ls -la /proc/self/fd
      [...]
      lrwx------. 1 root root 64 Apr 14 16:46 0 -> /dev/pts/4
      lrwx------. 1 root root 64 Apr 14 16:46 1 -> /dev/pts/4
      lrwx------. 1 root root 64 Apr 14 16:46 2 -> /dev/pts/4
      [...]
      lrwx------. 1 root root 64 Apr 14 16:46 5 -> anon_inode:bpf-map
      lrwx------. 1 root root 64 Apr 14 16:46 6 -> anon_inode:bpf-map
      lrwx------. 1 root root 64 Apr 14 16:46 7 -> anon_inode:bpf-map
    
    The advantage (as opposed to the direct/native usage) is that now the
    shell is map fd owner and applications can terminate and easily reattach
    to descriptors w/o any kernel changes. Moreover, multiple applications
    can easily read/write eBPF maps simultaneously.
    
    To further allow users for experimenting with that, next step is to add
    a small helper that can get along with simple data types, so that also
    shell scripts can make use of bpf syscall, f.e. to read/write into maps.
    
    Generally, this allows for prepopulating maps, or any runtime altering
    which could influence eBPF program behaviour (f.e. different run-time
    classifications, skb modifications, ...), dumping of statistics, etc.
    
    Reference: http://thread.gmane.org/gmane.linux.network/357471/focus=357860
    Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Acked-by: Alexei Starovoitov <ast@plumgrid.com>
tc_filter.c 9.38 KB
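The commit message describes the consumer side only by example (`env | grep BPF`, `ls -la /proc/self/fd`). The following program, added here as an illustration and not part of iproute2 or of this commit, shows how an application launched under the exec proxy would pick the map descriptors back up from `BPF_NUM_MAPS` and `BPF_MAP<i>` and validate them before use. Everything beyond the variable names quoted in the message is an assumption of the example: the `MAX_MAPS` cap, the helper names, and the self-check that stands in pipe ends for real bpf-map fds so it can run without a kernel that has eBPF map support.

```c
/* Added example, not iproute2 code: recover the map fds that the tc exec
 * proxy exports to its spawned command via BPF_NUM_MAPS and BPF_MAP<i>. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define MAX_MAPS 64 /* cap chosen for this example, not an iproute2 limit */

/* Parse one environment variable as a non-negative decimal number.
 * Returns -1 if it is absent, empty, not purely numeric, or out of range. */
static long env_number(const char *name)
{
	const char *val = getenv(name);
	char *end;
	long v;

	if (!val || !*val)
		return -1;
	errno = 0;
	v = strtol(val, &end, 10);
	if (errno || *end || v < 0 || v > INT_MAX)
		return -1;
	return v;
}

/* Collect the exported map fds into fds[]. Each number is checked with
 * fcntl(F_GETFD), which fails with EBADF if the fd was never inherited or
 * has since been closed, so a stale environment does not yield a bogus fd.
 * Returns the number of maps, or -1 on any inconsistency. */
static int bpf_maps_from_env(int *fds, int max)
{
	long n = env_number("BPF_NUM_MAPS");
	long i;

	if (n < 0 || n > max)
		return -1;
	for (i = 0; i < n; i++) {
		char name[32];
		long fd;

		snprintf(name, sizeof(name), "BPF_MAP%ld", i);
		fd = env_number(name);
		if (fd < 0 || fcntl((int)fd, F_GETFD) < 0)
			return -1;
		fds[i] = (int)fd;
	}
	return (int)n;
}

/* Constructed self-check (no real tc session involved): export the two ends
 * of a pipe the way the proxy exports map fds, parse them back, then close
 * one end and confirm the now-stale entry is refused. 1 = pass, 0 = fail. */
static int env_roundtrip_check(void)
{
	int p[2], fds[MAX_MAPS], ok = 1;
	char buf[16];

	if (pipe(p) < 0)
		return 0;
	snprintf(buf, sizeof(buf), "%d", p[0]);
	setenv("BPF_MAP0", buf, 1);
	snprintf(buf, sizeof(buf), "%d", p[1]);
	setenv("BPF_MAP1", buf, 1);
	setenv("BPF_NUM_MAPS", "2", 1);

	if (bpf_maps_from_env(fds, MAX_MAPS) != 2 ||
	    fds[0] != p[0] || fds[1] != p[1])
		ok = 0;
	close(p[1]);
	if (bpf_maps_from_env(fds, MAX_MAPS) != -1)
		ok = 0;
	close(p[0]);
	unsetenv("BPF_NUM_MAPS");
	unsetenv("BPF_MAP0");
	unsetenv("BPF_MAP1");
	return ok;
}

/* When run inside a shell spawned by the proxy, list what each fd points at
 * (expected to be anon_inode:bpf-map, as in the ls output above). */
int main(void)
{
	int fds[MAX_MAPS], n = bpf_maps_from_env(fds, MAX_MAPS), i;

	if (n < 0) {
		fprintf(stderr, "no usable BPF_MAP* descriptors in environment\n");
		return 1;
	}
	for (i = 0; i < n; i++) {
		char path[64], target[64];
		ssize_t len;

		snprintf(path, sizeof(path), "/proc/self/fd/%d", fds[i]);
		len = readlink(path, target, sizeof(target) - 1);
		target[len < 0 ? 0 : len] = '\0';
		printf("BPF_MAP%d = fd %d -> %s\n", i, fds[i], target);
	}
	return 0;
}
```

The `fcntl(F_GETFD)` step is the part worth copying: an environment variable is just text, and a process that trusts `BPF_MAP<i>` without confirming the descriptor is open will otherwise issue bpf(2) map operations on whatever happens to occupy that fd number.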