Commit 7a483899 authored by David S. Miller's avatar David S. Miller

Merge branch 'sockmap-uapi-updates-and-fixes'

John Fastabend says:

====================
sockmap UAPI updates and fixes

This series updates sockmap UAPI, adds additional test cases and
provides a couple fixes.

First the UAPI changes. The original API added two sockmap specific
API artifacts (a) a new map_flags field with a sockmap specific update
command and (b) a new sockmap specific attach field in the attach data
structure. After this series instead of attaching programs with a
single command now two commands are used to attach programs to maps
individually. This allows us to add new programs easily in the future
and avoids any specific sockmap data structure additions. The
map_flags field is also removed and instead we allow socks to be
added to multiple maps that may or may not have programs attached.
This allows users to decide if a sock should run a SK_SKB program type
on receive based on the map it is attached to. This is a nice
improvement. See patches for specific details.

More test cases were added to test above changes and also stress test
the interface.

Finally two fixes/improvements were made. First a missing rcu
section was added. Second now sockmap can build without KCM being
used to trigger 'y' on CONFIG_STREAM_PARSER by selecting a new
BPF config option.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 901c5d2f 3f0d6a16
...@@ -39,8 +39,6 @@ struct bpf_map_ops { ...@@ -39,8 +39,6 @@ struct bpf_map_ops {
void (*map_fd_put_ptr)(void *ptr); void (*map_fd_put_ptr)(void *ptr);
u32 (*map_gen_lookup)(struct bpf_map *map, struct bpf_insn *insn_buf); u32 (*map_gen_lookup)(struct bpf_map *map, struct bpf_insn *insn_buf);
u32 (*map_fd_sys_lookup_elem)(void *ptr); u32 (*map_fd_sys_lookup_elem)(void *ptr);
int (*map_attach)(struct bpf_map *map,
struct bpf_prog *p1, struct bpf_prog *p2);
}; };
struct bpf_map { struct bpf_map {
...@@ -387,11 +385,19 @@ static inline void __dev_map_flush(struct bpf_map *map) ...@@ -387,11 +385,19 @@ static inline void __dev_map_flush(struct bpf_map *map)
#if defined(CONFIG_STREAM_PARSER) && defined(CONFIG_BPF_SYSCALL) #if defined(CONFIG_STREAM_PARSER) && defined(CONFIG_BPF_SYSCALL)
struct sock *__sock_map_lookup_elem(struct bpf_map *map, u32 key); struct sock *__sock_map_lookup_elem(struct bpf_map *map, u32 key);
int sock_map_attach_prog(struct bpf_map *map, struct bpf_prog *prog, u32 type);
#else #else
static inline struct sock *__sock_map_lookup_elem(struct bpf_map *map, u32 key) static inline struct sock *__sock_map_lookup_elem(struct bpf_map *map, u32 key)
{ {
return NULL; return NULL;
} }
static inline int sock_map_attach_prog(struct bpf_map *map,
struct bpf_prog *prog,
u32 type)
{
return -EOPNOTSUPP;
}
#endif #endif
/* verifier prototypes for helper functions called from eBPF programs */ /* verifier prototypes for helper functions called from eBPF programs */
......
...@@ -136,15 +136,13 @@ enum bpf_attach_type { ...@@ -136,15 +136,13 @@ enum bpf_attach_type {
BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_EGRESS,
BPF_CGROUP_INET_SOCK_CREATE, BPF_CGROUP_INET_SOCK_CREATE,
BPF_CGROUP_SOCK_OPS, BPF_CGROUP_SOCK_OPS,
BPF_CGROUP_SMAP_INGRESS, BPF_SK_SKB_STREAM_PARSER,
BPF_SK_SKB_STREAM_VERDICT,
__MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
}; };
#define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE #define MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
/* If BPF_SOCKMAP_STRPARSER is used sockmap will use strparser on receive */
#define BPF_SOCKMAP_STRPARSER (1U << 0)
/* If BPF_F_ALLOW_OVERRIDE flag is used in BPF_PROG_ATTACH command /* If BPF_F_ALLOW_OVERRIDE flag is used in BPF_PROG_ATTACH command
* to the given target_fd cgroup the descendent cgroup will be able to * to the given target_fd cgroup the descendent cgroup will be able to
* override effective bpf program that was inherited from this cgroup * override effective bpf program that was inherited from this cgroup
...@@ -224,7 +222,6 @@ union bpf_attr { ...@@ -224,7 +222,6 @@ union bpf_attr {
__u32 attach_bpf_fd; /* eBPF program to attach */ __u32 attach_bpf_fd; /* eBPF program to attach */
__u32 attach_type; __u32 attach_type;
__u32 attach_flags; __u32 attach_flags;
__u32 attach_bpf_fd2;
}; };
struct { /* anonymous struct used by BPF_PROG_TEST_RUN command */ struct { /* anonymous struct used by BPF_PROG_TEST_RUN command */
...@@ -580,14 +577,11 @@ union bpf_attr { ...@@ -580,14 +577,11 @@ union bpf_attr {
* @flags: reserved for future use * @flags: reserved for future use
* Return: SK_REDIRECT * Return: SK_REDIRECT
* *
* int bpf_sock_map_update(skops, map, key, flags, map_flags) * int bpf_sock_map_update(skops, map, key, flags)
* @skops: pointer to bpf_sock_ops * @skops: pointer to bpf_sock_ops
* @map: pointer to sockmap to update * @map: pointer to sockmap to update
* @key: key to insert/update sock in map * @key: key to insert/update sock in map
* @flags: same flags as map update elem * @flags: same flags as map update elem
* @map_flags: sock map specific flags
* bit 1: Enable strparser
* other bits: reserved
*/ */
#define __BPF_FUNC_MAPPER(FN) \ #define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \ FN(unspec), \
......
This diff is collapsed.
...@@ -1093,12 +1093,12 @@ static int bpf_obj_get(const union bpf_attr *attr) ...@@ -1093,12 +1093,12 @@ static int bpf_obj_get(const union bpf_attr *attr)
#ifdef CONFIG_CGROUP_BPF #ifdef CONFIG_CGROUP_BPF
#define BPF_PROG_ATTACH_LAST_FIELD attach_bpf_fd2 #define BPF_PROG_ATTACH_LAST_FIELD attach_flags
static int sockmap_get_from_fd(const union bpf_attr *attr, int ptype) static int sockmap_get_from_fd(const union bpf_attr *attr)
{ {
struct bpf_prog *prog1, *prog2;
int ufd = attr->target_fd; int ufd = attr->target_fd;
struct bpf_prog *prog;
struct bpf_map *map; struct bpf_map *map;
struct fd f; struct fd f;
int err; int err;
...@@ -1108,29 +1108,16 @@ static int sockmap_get_from_fd(const union bpf_attr *attr, int ptype) ...@@ -1108,29 +1108,16 @@ static int sockmap_get_from_fd(const union bpf_attr *attr, int ptype)
if (IS_ERR(map)) if (IS_ERR(map))
return PTR_ERR(map); return PTR_ERR(map);
if (!map->ops->map_attach) { prog = bpf_prog_get_type(attr->attach_bpf_fd, BPF_PROG_TYPE_SK_SKB);
fdput(f); if (IS_ERR(prog)) {
return -EOPNOTSUPP;
}
prog1 = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
if (IS_ERR(prog1)) {
fdput(f); fdput(f);
return PTR_ERR(prog1); return PTR_ERR(prog);
}
prog2 = bpf_prog_get_type(attr->attach_bpf_fd2, ptype);
if (IS_ERR(prog2)) {
fdput(f);
bpf_prog_put(prog1);
return PTR_ERR(prog2);
} }
err = map->ops->map_attach(map, prog1, prog2); err = sock_map_attach_prog(map, prog, attr->attach_type);
if (err) { if (err) {
fdput(f); fdput(f);
bpf_prog_put(prog1); bpf_prog_put(prog);
bpf_prog_put(prog2);
return err; return err;
} }
...@@ -1165,16 +1152,13 @@ static int bpf_prog_attach(const union bpf_attr *attr) ...@@ -1165,16 +1152,13 @@ static int bpf_prog_attach(const union bpf_attr *attr)
case BPF_CGROUP_SOCK_OPS: case BPF_CGROUP_SOCK_OPS:
ptype = BPF_PROG_TYPE_SOCK_OPS; ptype = BPF_PROG_TYPE_SOCK_OPS;
break; break;
case BPF_CGROUP_SMAP_INGRESS: case BPF_SK_SKB_STREAM_PARSER:
ptype = BPF_PROG_TYPE_SK_SKB; case BPF_SK_SKB_STREAM_VERDICT:
break; return sockmap_get_from_fd(attr);
default: default:
return -EINVAL; return -EINVAL;
} }
if (attr->attach_type == BPF_CGROUP_SMAP_INGRESS)
return sockmap_get_from_fd(attr, ptype);
prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype); prog = bpf_prog_get_type(attr->attach_bpf_fd, ptype);
if (IS_ERR(prog)) if (IS_ERR(prog))
return PTR_ERR(prog); return PTR_ERR(prog);
......
...@@ -301,6 +301,18 @@ config BPF_JIT ...@@ -301,6 +301,18 @@ config BPF_JIT
/proc/sys/net/core/bpf_jit_harden (optional) /proc/sys/net/core/bpf_jit_harden (optional)
/proc/sys/net/core/bpf_jit_kallsyms (optional) /proc/sys/net/core/bpf_jit_kallsyms (optional)
config BPF_STREAM_PARSER
bool "enable BPF STREAM_PARSER"
depends on BPF_SYSCALL
select STREAM_PARSER
---help---
Enabling this allows a stream parser to be used with
BPF_MAP_TYPE_SOCKMAP.
BPF_MAP_TYPE_SOCKMAP provides a map type to use with network sockets.
It can be used to enforce socket policy, implement socket redirects,
etc.
config NET_FLOW_LIMIT config NET_FLOW_LIMIT
bool bool
depends on RPS depends on RPS
......
...@@ -82,8 +82,7 @@ int bpf_sockmap(struct bpf_sock_ops *skops) ...@@ -82,8 +82,7 @@ int bpf_sockmap(struct bpf_sock_ops *skops)
if (lport == 10000) { if (lport == 10000) {
ret = 1; ret = 1;
err = bpf_sock_map_update(skops, &sock_map, &ret, err = bpf_sock_map_update(skops, &sock_map, &ret,
BPF_NOEXIST, BPF_NOEXIST);
BPF_SOCKMAP_STRPARSER);
bpf_printk("passive(%i -> %i) map ctx update err: %d\n", bpf_printk("passive(%i -> %i) map ctx update err: %d\n",
lport, bpf_ntohl(rport), err); lport, bpf_ntohl(rport), err);
} }
...@@ -95,8 +94,7 @@ int bpf_sockmap(struct bpf_sock_ops *skops) ...@@ -95,8 +94,7 @@ int bpf_sockmap(struct bpf_sock_ops *skops)
if (bpf_ntohl(rport) == 10001) { if (bpf_ntohl(rport) == 10001) {
ret = 10; ret = 10;
err = bpf_sock_map_update(skops, &sock_map, &ret, err = bpf_sock_map_update(skops, &sock_map, &ret,
BPF_NOEXIST, BPF_NOEXIST);
BPF_SOCKMAP_STRPARSER);
bpf_printk("active(%i -> %i) map ctx update err: %d\n", bpf_printk("active(%i -> %i) map ctx update err: %d\n",
lport, bpf_ntohl(rport), err); lport, bpf_ntohl(rport), err);
} }
......
...@@ -256,8 +256,16 @@ int main(int argc, char **argv) ...@@ -256,8 +256,16 @@ int main(int argc, char **argv)
} }
/* Attach programs to sockmap */ /* Attach programs to sockmap */
err = __bpf_prog_attach(prog_fd[0], prog_fd[1], map_fd[0], err = bpf_prog_attach(prog_fd[0], map_fd[0],
BPF_CGROUP_SMAP_INGRESS, 0); BPF_SK_SKB_STREAM_PARSER, 0);
if (err) {
fprintf(stderr, "ERROR: bpf_prog_attach (sockmap): %d (%s)\n",
err, strerror(errno));
return err;
}
err = bpf_prog_attach(prog_fd[1], map_fd[0],
BPF_SK_SKB_STREAM_VERDICT, 0);
if (err) { if (err) {
fprintf(stderr, "ERROR: bpf_prog_attach (sockmap): %d (%s)\n", fprintf(stderr, "ERROR: bpf_prog_attach (sockmap): %d (%s)\n",
err, strerror(errno)); err, strerror(errno));
......
...@@ -136,7 +136,8 @@ enum bpf_attach_type { ...@@ -136,7 +136,8 @@ enum bpf_attach_type {
BPF_CGROUP_INET_EGRESS, BPF_CGROUP_INET_EGRESS,
BPF_CGROUP_INET_SOCK_CREATE, BPF_CGROUP_INET_SOCK_CREATE,
BPF_CGROUP_SOCK_OPS, BPF_CGROUP_SOCK_OPS,
BPF_CGROUP_SMAP_INGRESS, BPF_SK_SKB_STREAM_PARSER,
BPF_SK_SKB_STREAM_VERDICT,
__MAX_BPF_ATTACH_TYPE __MAX_BPF_ATTACH_TYPE
}; };
...@@ -227,7 +228,6 @@ union bpf_attr { ...@@ -227,7 +228,6 @@ union bpf_attr {
__u32 attach_bpf_fd; /* eBPF program to attach */ __u32 attach_bpf_fd; /* eBPF program to attach */
__u32 attach_type; __u32 attach_type;
__u32 attach_flags; __u32 attach_flags;
__u32 attach_bpf_fd2;
}; };
struct { /* anonymous struct used by BPF_PROG_TEST_RUN command */ struct { /* anonymous struct used by BPF_PROG_TEST_RUN command */
...@@ -572,14 +572,11 @@ union bpf_attr { ...@@ -572,14 +572,11 @@ union bpf_attr {
* @flags: reserved for future use * @flags: reserved for future use
* Return: SK_REDIRECT * Return: SK_REDIRECT
* *
* int bpf_sock_map_update(skops, map, key, flags, map_flags) * int bpf_sock_map_update(skops, map, key, flags)
* @skops: pointer to bpf_sock_ops * @skops: pointer to bpf_sock_ops
* @map: pointer to sockmap to update * @map: pointer to sockmap to update
* @key: key to insert/update sock in map * @key: key to insert/update sock in map
* @flags: same flags as map update elem * @flags: same flags as map update elem
* @map_flags: sock map specific flags
* bit 1: Enable strparser
* other bits: reserved
*/ */
#define __BPF_FUNC_MAPPER(FN) \ #define __BPF_FUNC_MAPPER(FN) \
FN(unspec), \ FN(unspec), \
......
...@@ -235,28 +235,20 @@ int bpf_obj_get(const char *pathname) ...@@ -235,28 +235,20 @@ int bpf_obj_get(const char *pathname)
return sys_bpf(BPF_OBJ_GET, &attr, sizeof(attr)); return sys_bpf(BPF_OBJ_GET, &attr, sizeof(attr));
} }
int __bpf_prog_attach(int prog_fd1, int prog_fd2, int target_fd, int bpf_prog_attach(int prog_fd, int target_fd, enum bpf_attach_type type,
enum bpf_attach_type type,
unsigned int flags) unsigned int flags)
{ {
union bpf_attr attr; union bpf_attr attr;
bzero(&attr, sizeof(attr)); bzero(&attr, sizeof(attr));
attr.target_fd = target_fd; attr.target_fd = target_fd;
attr.attach_bpf_fd = prog_fd1; attr.attach_bpf_fd = prog_fd;
attr.attach_bpf_fd2 = prog_fd2;
attr.attach_type = type; attr.attach_type = type;
attr.attach_flags = flags; attr.attach_flags = flags;
return sys_bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)); return sys_bpf(BPF_PROG_ATTACH, &attr, sizeof(attr));
} }
int bpf_prog_attach(int prog_fd, int target_fd, enum bpf_attach_type type,
unsigned int flags)
{
return __bpf_prog_attach(prog_fd, 0, target_fd, type, flags);
}
int bpf_prog_detach(int target_fd, enum bpf_attach_type type) int bpf_prog_detach(int target_fd, enum bpf_attach_type type)
{ {
union bpf_attr attr; union bpf_attr attr;
......
...@@ -56,10 +56,6 @@ int bpf_obj_pin(int fd, const char *pathname); ...@@ -56,10 +56,6 @@ int bpf_obj_pin(int fd, const char *pathname);
int bpf_obj_get(const char *pathname); int bpf_obj_get(const char *pathname);
int bpf_prog_attach(int prog_fd, int attachable_fd, enum bpf_attach_type type, int bpf_prog_attach(int prog_fd, int attachable_fd, enum bpf_attach_type type,
unsigned int flags); unsigned int flags);
int __bpf_prog_attach(int prog1, int prog2,
int attachable_fd,
enum bpf_attach_type type,
unsigned int flags);
int bpf_prog_detach(int attachable_fd, enum bpf_attach_type type); int bpf_prog_detach(int attachable_fd, enum bpf_attach_type type);
int bpf_prog_test_run(int prog_fd, int repeat, void *data, __u32 size, int bpf_prog_test_run(int prog_fd, int repeat, void *data, __u32 size,
void *data_out, __u32 *size_out, __u32 *retval, void *data_out, __u32 *size_out, __u32 *retval,
......
...@@ -68,8 +68,7 @@ static int (*bpf_setsockopt)(void *ctx, int level, int optname, void *optval, ...@@ -68,8 +68,7 @@ static int (*bpf_setsockopt)(void *ctx, int level, int optname, void *optval,
static int (*bpf_sk_redirect_map)(void *map, int key, int flags) = static int (*bpf_sk_redirect_map)(void *map, int key, int flags) =
(void *) BPF_FUNC_sk_redirect_map; (void *) BPF_FUNC_sk_redirect_map;
static int (*bpf_sock_map_update)(void *map, void *key, void *value, static int (*bpf_sock_map_update)(void *map, void *key, void *value,
unsigned long long flags, unsigned long long flags) =
unsigned long long map_lags) =
(void *) BPF_FUNC_sock_map_update; (void *) BPF_FUNC_sock_map_update;
......
...@@ -19,18 +19,18 @@ int bpf_prog1(struct __sk_buff *skb) ...@@ -19,18 +19,18 @@ int bpf_prog1(struct __sk_buff *skb)
void *data = (void *)(long) skb->data; void *data = (void *)(long) skb->data;
__u32 lport = skb->local_port; __u32 lport = skb->local_port;
__u32 rport = skb->remote_port; __u32 rport = skb->remote_port;
char *d = data; __u8 *d = data;
if (data + 8 > data_end) if (data + 10 > data_end)
return skb->len; return skb->len;
/* This write/read is a bit pointless but tests the verifier and /* This write/read is a bit pointless but tests the verifier and
* strparser handler for read/write pkt data and access into sk * strparser handler for read/write pkt data and access into sk
* fields. * fields.
*/ */
d[0] = 1; d[7] = 1;
bpf_printk("data[0] = (%u): local_port %i remote %i\n", bpf_printk("parse: data[0] = (%u): local_port %i remote %i\n",
d[0], lport, bpf_ntohl(rport)); d[0], lport, bpf_ntohl(rport));
return skb->len; return skb->len;
} }
......
...@@ -12,13 +12,27 @@ int _version SEC("version") = 1; ...@@ -12,13 +12,27 @@ int _version SEC("version") = 1;
##__VA_ARGS__); \ ##__VA_ARGS__); \
}) })
struct bpf_map_def SEC("maps") sock_map = { struct bpf_map_def SEC("maps") sock_map_rx = {
.type = BPF_MAP_TYPE_SOCKMAP, .type = BPF_MAP_TYPE_SOCKMAP,
.key_size = sizeof(int), .key_size = sizeof(int),
.value_size = sizeof(int), .value_size = sizeof(int),
.max_entries = 20, .max_entries = 20,
}; };
struct bpf_map_def SEC("maps") sock_map_tx = {
.type = BPF_MAP_TYPE_SOCKMAP,
.key_size = sizeof(int),
.value_size = sizeof(int),
.max_entries = 20,
};
struct bpf_map_def SEC("maps") sock_map_break = {
.type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(int),
.value_size = sizeof(int),
.max_entries = 20,
};
SEC("sk_skb2") SEC("sk_skb2")
int bpf_prog2(struct __sk_buff *skb) int bpf_prog2(struct __sk_buff *skb)
{ {
...@@ -26,11 +40,15 @@ int bpf_prog2(struct __sk_buff *skb) ...@@ -26,11 +40,15 @@ int bpf_prog2(struct __sk_buff *skb)
void *data = (void *)(long) skb->data; void *data = (void *)(long) skb->data;
__u32 lport = skb->local_port; __u32 lport = skb->local_port;
__u32 rport = skb->remote_port; __u32 rport = skb->remote_port;
char *d = data; __u8 *d = data;
__u8 sk, map;
if (data + 8 > data_end) if (data + 8 > data_end)
return SK_DROP; return SK_DROP;
map = d[0];
sk = d[1];
d[0] = 0xd; d[0] = 0xd;
d[1] = 0xe; d[1] = 0xe;
d[2] = 0xa; d[2] = 0xa;
...@@ -40,9 +58,11 @@ int bpf_prog2(struct __sk_buff *skb) ...@@ -40,9 +58,11 @@ int bpf_prog2(struct __sk_buff *skb)
d[6] = 0xe; d[6] = 0xe;
d[7] = 0xf; d[7] = 0xf;
bpf_printk("data[0] = (%u): local_port %i remote %i\n", bpf_printk("verdict: data[0] = redir(%u:%u)\n", map, sk);
d[0], lport, bpf_ntohl(rport));
return bpf_sk_redirect_map(&sock_map, 5, 0); if (!map)
return bpf_sk_redirect_map(&sock_map_rx, sk, 0);
return bpf_sk_redirect_map(&sock_map_tx, sk, 0);
} }
char _license[] SEC("license") = "GPL"; char _license[] SEC("license") = "GPL";
...@@ -461,18 +461,19 @@ static void test_devmap(int task, void *data) ...@@ -461,18 +461,19 @@ static void test_devmap(int task, void *data)
#include <linux/err.h> #include <linux/err.h>
#define SOCKMAP_PARSE_PROG "./sockmap_parse_prog.o" #define SOCKMAP_PARSE_PROG "./sockmap_parse_prog.o"
#define SOCKMAP_VERDICT_PROG "./sockmap_verdict_prog.o" #define SOCKMAP_VERDICT_PROG "./sockmap_verdict_prog.o"
static void test_sockmap(int task, void *data) static void test_sockmap(int tasks, void *data)
{ {
int one = 1, map_fd_rx, map_fd_tx, map_fd_break, s, sc, rc;
struct bpf_map *bpf_map_rx, *bpf_map_tx, *bpf_map_break;
int ports[] = {50200, 50201, 50202, 50204}; int ports[] = {50200, 50201, 50202, 50204};
int err, i, fd, sfd[6] = {0xdeadbeef}; int err, i, fd, sfd[6] = {0xdeadbeef};
char buf[] = "hello sockmap user\n"; u8 buf[20] = {0x0, 0x5, 0x3, 0x2, 0x1, 0x0};
int one = 1, map_fd, s, sc, rc;
int parse_prog, verdict_prog; int parse_prog, verdict_prog;
struct bpf_map *bpf_map;
struct sockaddr_in addr; struct sockaddr_in addr;
struct bpf_object *obj; struct bpf_object *obj;
struct timeval to; struct timeval to;
__u32 key, value; __u32 key, value;
pid_t pid[tasks];
fd_set w; fd_set w;
/* Create some sockets to use with sockmap */ /* Create some sockets to use with sockmap */
...@@ -547,20 +548,26 @@ static void test_sockmap(int task, void *data) ...@@ -547,20 +548,26 @@ static void test_sockmap(int task, void *data)
goto out_sockmap; goto out_sockmap;
} }
/* Nothing attached so these should fail */ /* Test update without programs */
for (i = 0; i < 6; i++) { for (i = 0; i < 6; i++) {
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY); err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY);
if (!err) { if (err) {
printf("Failed invalid update sockmap '%i:%i'\n", printf("Failed noprog update sockmap '%i:%i'\n",
i, sfd[i]); i, sfd[i]);
goto out_sockmap; goto out_sockmap;
} }
} }
/* Test attaching bad fds */ /* Test attaching bad fds */
err = __bpf_prog_attach(-1, -2, fd, BPF_CGROUP_SMAP_INGRESS, 0); err = bpf_prog_attach(-1, fd, BPF_SK_SKB_STREAM_PARSER, 0);
if (!err) {
printf("Failed invalid parser prog attach\n");
goto out_sockmap;
}
err = bpf_prog_attach(-1, fd, BPF_SK_SKB_STREAM_VERDICT, 0);
if (!err) { if (!err) {
printf("Failed invalid prog attach\n"); printf("Failed invalid verdict prog attach\n");
goto out_sockmap; goto out_sockmap;
} }
...@@ -579,30 +586,74 @@ static void test_sockmap(int task, void *data) ...@@ -579,30 +586,74 @@ static void test_sockmap(int task, void *data)
goto out_sockmap; goto out_sockmap;
} }
bpf_map = bpf_object__find_map_by_name(obj, "sock_map"); bpf_map_rx = bpf_object__find_map_by_name(obj, "sock_map_rx");
if (IS_ERR(bpf_map)) { if (IS_ERR(bpf_map_rx)) {
printf("Failed to load map from verdict prog\n"); printf("Failed to load map rx from verdict prog\n");
goto out_sockmap; goto out_sockmap;
} }
map_fd = bpf_map__fd(bpf_map); map_fd_rx = bpf_map__fd(bpf_map_rx);
if (map_fd < 0) { if (map_fd_rx < 0) {
printf("Failed to get map fd\n"); printf("Failed to get map fd\n");
goto out_sockmap; goto out_sockmap;
} }
err = __bpf_prog_attach(parse_prog, verdict_prog, map_fd, bpf_map_tx = bpf_object__find_map_by_name(obj, "sock_map_tx");
BPF_CGROUP_SMAP_INGRESS, 0); if (IS_ERR(bpf_map_tx)) {
printf("Failed to load map tx from verdict prog\n");
goto out_sockmap;
}
map_fd_tx = bpf_map__fd(bpf_map_tx);
if (map_fd_tx < 0) {
printf("Failed to get map tx fd\n");
goto out_sockmap;
}
bpf_map_break = bpf_object__find_map_by_name(obj, "sock_map_break");
if (IS_ERR(bpf_map_break)) {
printf("Failed to load map tx from verdict prog\n");
goto out_sockmap;
}
map_fd_break = bpf_map__fd(bpf_map_break);
if (map_fd_break < 0) {
printf("Failed to get map tx fd\n");
goto out_sockmap;
}
err = bpf_prog_attach(parse_prog, map_fd_break,
BPF_SK_SKB_STREAM_PARSER, 0);
if (!err) {
printf("Allowed attaching SK_SKB program to invalid map\n");
goto out_sockmap;
}
err = bpf_prog_attach(parse_prog, map_fd_rx,
BPF_SK_SKB_STREAM_PARSER, 0);
if (err) {
printf("Failed stream parser bpf prog attach\n");
goto out_sockmap;
}
err = bpf_prog_attach(verdict_prog, map_fd_rx,
BPF_SK_SKB_STREAM_VERDICT, 0);
if (err) { if (err) {
printf("Failed bpf prog attach\n"); printf("Failed stream verdict bpf prog attach\n");
goto out_sockmap; goto out_sockmap;
} }
/* Test map update elem */ /* Test map update elem afterwards fd lives in fd and map_fd */
for (i = 0; i < 6; i++) { for (i = 0; i < 6; i++) {
err = bpf_map_update_elem(map_fd, &i, &sfd[i], BPF_ANY); err = bpf_map_update_elem(map_fd_rx, &i, &sfd[i], BPF_ANY);
if (err) { if (err) {
printf("Failed map_fd update sockmap %i '%i:%i'\n", printf("Failed map_fd_rx update sockmap %i '%i:%i'\n",
err, i, sfd[i]);
goto out_sockmap;
}
err = bpf_map_update_elem(map_fd_tx, &i, &sfd[i], BPF_ANY);
if (err) {
printf("Failed map_fd_tx update sockmap %i '%i:%i'\n",
err, i, sfd[i]); err, i, sfd[i]);
goto out_sockmap; goto out_sockmap;
} }
...@@ -610,16 +661,25 @@ static void test_sockmap(int task, void *data) ...@@ -610,16 +661,25 @@ static void test_sockmap(int task, void *data)
/* Test map delete elem and remove send/recv sockets */ /* Test map delete elem and remove send/recv sockets */
for (i = 2; i < 4; i++) { for (i = 2; i < 4; i++) {
err = bpf_map_delete_elem(map_fd, &i); err = bpf_map_delete_elem(map_fd_rx, &i);
if (err) { if (err) {
printf("Failed delete sockmap %i '%i:%i'\n", printf("Failed delete sockmap rx %i '%i:%i'\n",
err, i, sfd[i]);
goto out_sockmap;
}
err = bpf_map_delete_elem(map_fd_tx, &i);
if (err) {
printf("Failed delete sockmap tx %i '%i:%i'\n",
err, i, sfd[i]); err, i, sfd[i]);
goto out_sockmap; goto out_sockmap;
} }
} }
/* Test map send/recv */ /* Test map send/recv */
sc = send(sfd[2], buf, 10, 0); for (i = 0; i < 2; i++) {
buf[0] = i;
buf[1] = 0x5;
sc = send(sfd[2], buf, 20, 0);
if (sc < 0) { if (sc < 0) {
printf("Failed sockmap send\n"); printf("Failed sockmap send\n");
goto out_sockmap; goto out_sockmap;
...@@ -648,104 +708,112 @@ static void test_sockmap(int task, void *data) ...@@ -648,104 +708,112 @@ static void test_sockmap(int task, void *data)
printf("Failed sockmap recv\n"); printf("Failed sockmap recv\n");
goto out_sockmap; goto out_sockmap;
} }
/* Delete the reset of the elems include some NULL elems */
for (i = 0; i < 6; i++) {
err = bpf_map_delete_elem(map_fd, &i);
if (err && (i == 0 || i == 1 || i >= 4)) {
printf("Failed delete sockmap %i '%i:%i'\n",
err, i, sfd[i]);
goto out_sockmap;
} else if (!err && (i == 2 || i == 3)) {
printf("Failed null delete sockmap %i '%i:%i'\n",
err, i, sfd[i]);
goto out_sockmap;
}
}
/* Test having multiple SMAPs open and active on same fds */
err = __bpf_prog_attach(parse_prog, verdict_prog, fd,
BPF_CGROUP_SMAP_INGRESS, 0);
if (err) {
printf("Failed fd bpf prog attach\n");
goto out_sockmap;
} }
for (i = 0; i < 6; i++) { /* Negative null entry lookup from datapath should be dropped */
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY); buf[0] = 1;
if (err) { buf[1] = 12;
printf("Failed fd update sockmap %i '%i:%i'\n", sc = send(sfd[2], buf, 20, 0);
err, i, sfd[i]); if (sc < 0) {
printf("Failed sockmap send\n");
goto out_sockmap; goto out_sockmap;
} }
}
/* Test duplicate socket add of NOEXIST, ANY and EXIST */ /* Push fd into same slot */
i = 0; i = 2;
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_NOEXIST); err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_NOEXIST);
if (!err) { if (!err) {
printf("Failed BPF_NOEXIST create\n"); printf("Failed allowed sockmap dup slot BPF_NOEXIST\n");
goto out_sockmap; goto out_sockmap;
} }
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY); err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY);
if (err) { if (err) {
printf("Failed sockmap update BPF_ANY\n"); printf("Failed sockmap update new slot BPF_ANY\n");
goto out_sockmap; goto out_sockmap;
} }
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_EXIST); err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_EXIST);
if (err) { if (err) {
printf("Failed sockmap update BPF_EXIST\n"); printf("Failed sockmap update new slot BPF_EXIST\n");
goto out_sockmap; goto out_sockmap;
} }
/* The above were pushing fd into same slot try different slot now */ /* Delete the elems without programs */
i = 2; for (i = 0; i < 6; i++) {
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_NOEXIST); err = bpf_map_delete_elem(fd, &i);
if (!err) { if (err) {
printf("Failed BPF_NOEXIST create\n"); printf("Failed delete sockmap %i '%i:%i'\n",
goto out_sockmap; err, i, sfd[i]);
}
} }
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY); /* Test having multiple maps open and set with programs on same fds */
err = bpf_prog_attach(parse_prog, fd,
BPF_SK_SKB_STREAM_PARSER, 0);
if (err) { if (err) {
printf("Failed sockmap update BPF_ANY\n"); printf("Failed fd bpf parse prog attach\n");
goto out_sockmap; goto out_sockmap;
} }
err = bpf_prog_attach(verdict_prog, fd,
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_EXIST); BPF_SK_SKB_STREAM_VERDICT, 0);
if (err) { if (err) {
printf("Failed sockmap update BPF_EXIST\n"); printf("Failed fd bpf verdict prog attach\n");
goto out_sockmap; goto out_sockmap;
} }
/* Try pushing fd into different map, this is not allowed at the for (i = 4; i < 6; i++) {
* moment. Which programs would we use? err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_ANY);
*/
err = bpf_map_update_elem(map_fd, &i, &sfd[i], BPF_NOEXIST);
if (!err) { if (!err) {
printf("Failed BPF_NOEXIST create\n"); printf("Failed allowed duplicate programs in update ANY sockmap %i '%i:%i'\n",
err, i, sfd[i]);
goto out_sockmap; goto out_sockmap;
} }
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_NOEXIST);
err = bpf_map_update_elem(map_fd, &i, &sfd[i], BPF_ANY);
if (!err) { if (!err) {
printf("Failed sockmap update BPF_ANY\n"); printf("Failed allowed duplicate program in update NOEXIST sockmap %i '%i:%i'\n",
err, i, sfd[i]);
goto out_sockmap; goto out_sockmap;
} }
err = bpf_map_update_elem(fd, &i, &sfd[i], BPF_EXIST);
err = bpf_map_update_elem(map_fd, &i, &sfd[i], BPF_EXIST);
if (!err) { if (!err) {
printf("Failed sockmap update BPF_EXIST\n"); printf("Failed allowed duplicate program in update EXIST sockmap %i '%i:%i'\n",
err, i, sfd[i]);
goto out_sockmap; goto out_sockmap;
} }
}
/* Test tasks number of forked operations */
for (i = 0; i < tasks; i++) {
pid[i] = fork();
if (pid[i] == 0) {
for (i = 0; i < 6; i++) {
bpf_map_delete_elem(map_fd_tx, &i);
bpf_map_delete_elem(map_fd_rx, &i);
bpf_map_update_elem(map_fd_tx, &i,
&sfd[i], BPF_ANY);
bpf_map_update_elem(map_fd_rx, &i,
&sfd[i], BPF_ANY);
}
exit(0);
} else if (pid[i] == -1) {
printf("Couldn't spawn #%d process!\n", i);
exit(1);
}
}
for (i = 0; i < tasks; i++) {
int status;
assert(waitpid(pid[i], &status, 0) == pid[i]);
assert(status == 0);
}
/* Test map close sockets */ /* Test map close sockets */
for (i = 0; i < 6; i++) for (i = 0; i < 6; i++)
close(sfd[i]); close(sfd[i]);
close(fd); close(fd);
close(map_fd); close(map_fd_rx);
bpf_object__close(obj); bpf_object__close(obj);
return; return;
out: out:
......
...@@ -1118,6 +1118,104 @@ static struct bpf_test tests[] = { ...@@ -1118,6 +1118,104 @@ static struct bpf_test tests[] = {
.result = ACCEPT, .result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SK_SKB, .prog_type = BPF_PROG_TYPE_SK_SKB,
}, },
{
"invalid access of tc_classid for SK_SKB",
.insns = {
BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
offsetof(struct __sk_buff, tc_classid)),
BPF_EXIT_INSN(),
},
.result = REJECT,
.prog_type = BPF_PROG_TYPE_SK_SKB,
.errstr = "invalid bpf_context access",
},
{
"check skb->mark is writeable by SK_SKB",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
offsetof(struct __sk_buff, mark)),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
"check skb->tc_index is writeable by SK_SKB",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
offsetof(struct __sk_buff, tc_index)),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
"check skb->priority is writeable by SK_SKB",
.insns = {
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
offsetof(struct __sk_buff, priority)),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
"direct packet read for SK_SKB",
.insns = {
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
offsetof(struct __sk_buff, data)),
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
offsetof(struct __sk_buff, data_end)),
BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
"direct packet write for SK_SKB",
.insns = {
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
offsetof(struct __sk_buff, data)),
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
offsetof(struct __sk_buff, data_end)),
BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{
"overlapping checks for direct packet access SK_SKB",
.insns = {
BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
offsetof(struct __sk_buff, data)),
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
offsetof(struct __sk_buff, data_end)),
BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
.result = ACCEPT,
.prog_type = BPF_PROG_TYPE_SK_SKB,
},
{ {
"check skb->mark is not writeable by sockets", "check skb->mark is not writeable by sockets",
.insns = { .insns = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment