Message ID | 20220503171437.666326-1-maximmi@nvidia.com |
---|---|
Series | New BPF helpers to accelerate synproxy |
On Tue, May 3, 2022 at 10:14 AM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>
> The first patch of this series is a documentation fix.
>
> The second patch allows BPF helpers to accept memory regions of fixed
> size without doing runtime size checks.
>
> The two next patches add new functionality that allows XDP to
> accelerate iptables synproxy.
>
> v1 of this series [1] used to include a patch that exposed conntrack
> lookup to BPF using stable helpers. It was superseded by series [2] by
> Kumar Kartikeya Dwivedi, which implements this functionality using
> unstable helpers.
>
> The third patch adds new helpers to issue and check SYN cookies without
> binding to a socket, which is useful in the synproxy scenario.
>
> The fourth patch adds a selftest, which includes an XDP program and a
> userspace control application. The XDP program uses socketless SYN
> cookie helpers and queries conntrack status instead of socket status.
> The userspace control application allows to tune parameters of the XDP
> program. This program also serves as a minimal example of usage of the
> new functionality.
>
> The last patch exposes the new helpers to TC BPF.
>
> The draft of the new functionality was presented on Netdev 0x15 [3].
>
> v2 changes:
>
> Split into two series, submitted bugfixes to bpf, dropped the conntrack
> patches, implemented the timestamp cookie in BPF using bpf_loop, dropped
> the timestamp cookie patch.
>
> v3 changes:
>
> Moved some patches from bpf to bpf-next, dropped the patch that changed
> error codes, split the new helpers into IPv4/IPv6, added verifier
> functionality to accept memory regions of fixed size.
>
> v4 changes:
>
> Converted the selftest to the test_progs runner. Replaced some
> deprecated functions in xdp_synproxy userspace helper.
>
> v5 changes:
>
> Fixed a bug in the selftest. Added questionable functionality to support
> new helpers in TC BPF, added selftests for it.
>
> v6 changes:
>
> Wrap the new helpers themselves into #ifdef CONFIG_SYN_COOKIES, replaced
> fclose with pclose and fixed the MSS for IPv6 in the selftest.
>
> v7 changes:
>
> Fixed the off-by-one error in indices, changed the section name to
> "xdp", added missing kernel config options to vmtest in CI.
>
> v8 changes:
>
> Properly rebased, dropped the first patch (the same change was applied
> by someone else), updated the cover letter.
>
> v9 changes:
>
> Fixed selftests for no_alu32.
>
> [1]: https://lore.kernel.org/bpf/20211020095815.GJ28644@breakpoint.cc/t/
> [2]: https://lore.kernel.org/bpf/20220114163953.1455836-1-memxor@gmail.com/
> [3]: https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP
>
> Maxim Mikityanskiy (5):
>   bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
>   bpf: Allow helpers to accept pointers with a fixed size
>   bpf: Add helpers to issue and check SYN cookies in XDP
>   bpf: Add selftests for raw syncookie helpers
>   bpf: Allow the new syncookie helpers to work with SKBs
>

Is it expected that your selftests will fail on s390x? Please check [0]

  [0] https://github.com/kernel-patches/bpf/runs/6277764463?check_suite_focus=true#step:6:6130

>  include/linux/bpf.h                           |  10 +
>  include/net/tcp.h                             |   1 +
>  include/uapi/linux/bpf.h                      |  88 +-
>  kernel/bpf/verifier.c                         |  26 +-
>  net/core/filter.c                             | 128 +++
>  net/ipv4/tcp_input.c                          |   3 +-
>  scripts/bpf_doc.py                            |   4 +
>  tools/include/uapi/linux/bpf.h                |  88 +-
>  tools/testing/selftests/bpf/.gitignore        |   1 +
>  tools/testing/selftests/bpf/Makefile          |   5 +-
>  .../selftests/bpf/prog_tests/xdp_synproxy.c   | 144 +++
>  .../selftests/bpf/progs/xdp_synproxy_kern.c   | 819 ++++++++++++++++++
>  tools/testing/selftests/bpf/xdp_synproxy.c    | 466 ++++++++++
>  13 files changed, 1761 insertions(+), 22 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
>  create mode 100644 tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
>  create mode 100644 tools/testing/selftests/bpf/xdp_synproxy.c
>
> --
> 2.30.2
>
On 2022-05-07 00:51, Andrii Nakryiko wrote:
> On Tue, May 3, 2022 at 10:14 AM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>>
>> The first patch of this series is a documentation fix.
>>
>> The second patch allows BPF helpers to accept memory regions of fixed
>> size without doing runtime size checks.
>>
>> The two next patches add new functionality that allows XDP to
>> accelerate iptables synproxy.
>>
>> v1 of this series [1] used to include a patch that exposed conntrack
>> lookup to BPF using stable helpers. It was superseded by series [2] by
>> Kumar Kartikeya Dwivedi, which implements this functionality using
>> unstable helpers.
>>
>> The third patch adds new helpers to issue and check SYN cookies without
>> binding to a socket, which is useful in the synproxy scenario.
>>
>> The fourth patch adds a selftest, which includes an XDP program and a
>> userspace control application. The XDP program uses socketless SYN
>> cookie helpers and queries conntrack status instead of socket status.
>> The userspace control application allows to tune parameters of the XDP
>> program. This program also serves as a minimal example of usage of the
>> new functionality.
>>
>> The last patch exposes the new helpers to TC BPF.
>>
>> The draft of the new functionality was presented on Netdev 0x15 [3].
>>
>> v2 changes:
>>
>> Split into two series, submitted bugfixes to bpf, dropped the conntrack
>> patches, implemented the timestamp cookie in BPF using bpf_loop, dropped
>> the timestamp cookie patch.
>>
>> v3 changes:
>>
>> Moved some patches from bpf to bpf-next, dropped the patch that changed
>> error codes, split the new helpers into IPv4/IPv6, added verifier
>> functionality to accept memory regions of fixed size.
>>
>> v4 changes:
>>
>> Converted the selftest to the test_progs runner. Replaced some
>> deprecated functions in xdp_synproxy userspace helper.
>>
>> v5 changes:
>>
>> Fixed a bug in the selftest. Added questionable functionality to support
>> new helpers in TC BPF, added selftests for it.
>>
>> v6 changes:
>>
>> Wrap the new helpers themselves into #ifdef CONFIG_SYN_COOKIES, replaced
>> fclose with pclose and fixed the MSS for IPv6 in the selftest.
>>
>> v7 changes:
>>
>> Fixed the off-by-one error in indices, changed the section name to
>> "xdp", added missing kernel config options to vmtest in CI.
>>
>> v8 changes:
>>
>> Properly rebased, dropped the first patch (the same change was applied
>> by someone else), updated the cover letter.
>>
>> v9 changes:
>>
>> Fixed selftests for no_alu32.
>>
>> [1]: https://lore.kernel.org/bpf/20211020095815.GJ28644@breakpoint.cc/t/
>> [2]: https://lore.kernel.org/bpf/20220114163953.1455836-1-memxor@gmail.com/
>> [3]: https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP
>>
>> Maxim Mikityanskiy (5):
>>   bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
>>   bpf: Allow helpers to accept pointers with a fixed size
>>   bpf: Add helpers to issue and check SYN cookies in XDP
>>   bpf: Add selftests for raw syncookie helpers
>>   bpf: Allow the new syncookie helpers to work with SKBs
>>
>
> Is it expected that your selftests will fail on s390x? Please check [0]

I see it fails with:

test_synproxy:FAIL:ethtool -K tmp0 tx off unexpected error: 32512 (errno 2)

errno 2 is ENOENT, probably the ethtool binary is missing from the s390x
image? When reviewing v6, you said you added ethtool to the CI image.
Maybe it was added to x86_64 only? Could you add it to s390x?

[1]: https://patchwork.kernel.org/project/netdevbpf/patch/20220422172422.4037988-6-maximmi@nvidia.com/

>   [0] https://github.com/kernel-patches/bpf/runs/6277764463?check_suite_focus=true#step:6:6130
>
>>  include/linux/bpf.h                           |  10 +
>>  include/net/tcp.h                             |   1 +
>>  include/uapi/linux/bpf.h                      |  88 +-
>>  kernel/bpf/verifier.c                         |  26 +-
>>  net/core/filter.c                             | 128 +++
>>  net/ipv4/tcp_input.c                          |   3 +-
>>  scripts/bpf_doc.py                            |   4 +
>>  tools/include/uapi/linux/bpf.h                |  88 +-
>>  tools/testing/selftests/bpf/.gitignore        |   1 +
>>  tools/testing/selftests/bpf/Makefile          |   5 +-
>>  .../selftests/bpf/prog_tests/xdp_synproxy.c   | 144 +++
>>  .../selftests/bpf/progs/xdp_synproxy_kern.c   | 819 ++++++++++++++++++
>>  tools/testing/selftests/bpf/xdp_synproxy.c    | 466 ++++++++++
>>  13 files changed, 1761 insertions(+), 22 deletions(-)
>>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
>>  create mode 100644 tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
>>  create mode 100644 tools/testing/selftests/bpf/xdp_synproxy.c
>>
>> --
>> 2.30.2
>>
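The `32512` in the failure line quoted in the message above can be decoded directly, assuming the harness printed the raw wait status returned by `system()`. The following C snippet is an added example, not part of the thread or of the selftest code, and its function and enum names are illustrative; it separates "command not found" from a command that ran and failed.

```c
/* Added example: classify the value returned by system(3).
 * Assumption: the number in the selftest log is a raw wait status. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

enum cmd_outcome {
	CMD_OK,             /* exited with status 0 */
	CMD_FAILED,         /* ran and exited non-zero */
	CMD_NOT_EXECUTABLE, /* shell exit status 126 */
	CMD_NOT_FOUND,      /* shell exit status 127 */
	CMD_SIGNALED,       /* terminated by a signal */
	CMD_SPAWN_ERROR,    /* system() returned -1 or an unknown status */
};

/* Decode a wait status; *detail receives the exit code or signal number. */
static enum cmd_outcome classify_status(int status, int *detail)
{
	*detail = 0;
	if (status == -1)
		return CMD_SPAWN_ERROR;
	if (WIFSIGNALED(status)) {
		*detail = WTERMSIG(status);
		return CMD_SIGNALED;
	}
	if (!WIFEXITED(status))
		return CMD_SPAWN_ERROR;
	*detail = WEXITSTATUS(status);
	switch (*detail) {
	case 0:   return CMD_OK;
	case 126: return CMD_NOT_EXECUTABLE;
	case 127: return CMD_NOT_FOUND;
	default:  return CMD_FAILED;
	}
}

static const char *outcome_name(enum cmd_outcome o)
{
	static const char *const names[] = {
		"ok", "failed", "not executable", "not found",
		"killed by signal", "spawn error",
	};
	return names[o];
}

int main(void)
{
	/* Constructed inputs: 32512 is the value from the log line above;
	 * the others are sample statuses for comparison. */
	const int samples[] = { 32512, 0, 256, 9 };
	int detail;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum cmd_outcome o = classify_status(samples[i], &detail);
		printf("%5d -> %s (%d)\n", samples[i], outcome_name(o), detail);
	}

	/* Live check with a constructed command name expected to be absent. */
	int st = system("hypothetical-missing-tool-xyz >/dev/null 2>&1");
	printf("live  -> %s\n", outcome_name(classify_status(st, &detail)));
	return 0;
}
```

Status 32512 is 127 shifted left by eight bits, and exit status 127 is what the shell reports when it cannot find the command.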
On Tue, May 10, 2022 at 12:21 PM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>
> On 2022-05-07 00:51, Andrii Nakryiko wrote:
> > On Tue, May 3, 2022 at 10:14 AM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> >>
> >> The first patch of this series is a documentation fix.
> >>
> >> The second patch allows BPF helpers to accept memory regions of fixed
> >> size without doing runtime size checks.
> >>
> >> The two next patches add new functionality that allows XDP to
> >> accelerate iptables synproxy.
> >>
> >> v1 of this series [1] used to include a patch that exposed conntrack
> >> lookup to BPF using stable helpers. It was superseded by series [2] by
> >> Kumar Kartikeya Dwivedi, which implements this functionality using
> >> unstable helpers.
> >>
> >> The third patch adds new helpers to issue and check SYN cookies without
> >> binding to a socket, which is useful in the synproxy scenario.
> >>
> >> The fourth patch adds a selftest, which includes an XDP program and a
> >> userspace control application. The XDP program uses socketless SYN
> >> cookie helpers and queries conntrack status instead of socket status.
> >> The userspace control application allows to tune parameters of the XDP
> >> program. This program also serves as a minimal example of usage of the
> >> new functionality.
> >>
> >> The last patch exposes the new helpers to TC BPF.
> >>
> >> The draft of the new functionality was presented on Netdev 0x15 [3].
> >>
> >> v2 changes:
> >>
> >> Split into two series, submitted bugfixes to bpf, dropped the conntrack
> >> patches, implemented the timestamp cookie in BPF using bpf_loop, dropped
> >> the timestamp cookie patch.
> >>
> >> v3 changes:
> >>
> >> Moved some patches from bpf to bpf-next, dropped the patch that changed
> >> error codes, split the new helpers into IPv4/IPv6, added verifier
> >> functionality to accept memory regions of fixed size.
> >>
> >> v4 changes:
> >>
> >> Converted the selftest to the test_progs runner. Replaced some
> >> deprecated functions in xdp_synproxy userspace helper.
> >>
> >> v5 changes:
> >>
> >> Fixed a bug in the selftest. Added questionable functionality to support
> >> new helpers in TC BPF, added selftests for it.
> >>
> >> v6 changes:
> >>
> >> Wrap the new helpers themselves into #ifdef CONFIG_SYN_COOKIES, replaced
> >> fclose with pclose and fixed the MSS for IPv6 in the selftest.
> >>
> >> v7 changes:
> >>
> >> Fixed the off-by-one error in indices, changed the section name to
> >> "xdp", added missing kernel config options to vmtest in CI.
> >>
> >> v8 changes:
> >>
> >> Properly rebased, dropped the first patch (the same change was applied
> >> by someone else), updated the cover letter.
> >>
> >> v9 changes:
> >>
> >> Fixed selftests for no_alu32.
> >>
> >> [1]: https://lore.kernel.org/bpf/20211020095815.GJ28644@breakpoint.cc/t/
> >> [2]: https://lore.kernel.org/bpf/20220114163953.1455836-1-memxor@gmail.com/
> >> [3]: https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP
> >>
> >> Maxim Mikityanskiy (5):
> >>   bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
> >>   bpf: Allow helpers to accept pointers with a fixed size
> >>   bpf: Add helpers to issue and check SYN cookies in XDP
> >>   bpf: Add selftests for raw syncookie helpers
> >>   bpf: Allow the new syncookie helpers to work with SKBs
> >>
> >
> > Is it expected that your selftests will fail on s390x? Please check [0]
>
> I see it fails with:
>
> test_synproxy:FAIL:ethtool -K tmp0 tx off unexpected error: 32512 (errno 2)
>
> errno 2 is ENOENT, probably the ethtool binary is missing from the s390x
> image? When reviewing v6, you said you added ethtool to the CI image.
> Maybe it was added to x86_64 only? Could you add it to s390x?
>

Could be that it was outdated in s390x, but with [0] just merged in it
should have pretty recent one.

  [0] https://github.com/libbpf/ci/pull/16

> [1]:
> https://patchwork.kernel.org/project/netdevbpf/patch/20220422172422.4037988-6-maximmi@nvidia.com/
>
> >   [0] https://github.com/kernel-patches/bpf/runs/6277764463?check_suite_focus=true#step:6:6130
> >
> >>  include/linux/bpf.h                           |  10 +
> >>  include/net/tcp.h                             |   1 +
> >>  include/uapi/linux/bpf.h                      |  88 +-
> >>  kernel/bpf/verifier.c                         |  26 +-
> >>  net/core/filter.c                             | 128 +++
> >>  net/ipv4/tcp_input.c                          |   3 +-
> >>  scripts/bpf_doc.py                            |   4 +
> >>  tools/include/uapi/linux/bpf.h                |  88 +-
> >>  tools/testing/selftests/bpf/.gitignore        |   1 +
> >>  tools/testing/selftests/bpf/Makefile          |   5 +-
> >>  .../selftests/bpf/prog_tests/xdp_synproxy.c   | 144 +++
> >>  .../selftests/bpf/progs/xdp_synproxy_kern.c   | 819 ++++++++++++++++++
> >>  tools/testing/selftests/bpf/xdp_synproxy.c    | 466 ++++++++++
> >>  13 files changed, 1761 insertions(+), 22 deletions(-)
> >>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
> >>  create mode 100644 tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
> >>  create mode 100644 tools/testing/selftests/bpf/xdp_synproxy.c
> >>
> >> --
> >> 2.30.2
> >>
>
On 2022-05-11 02:59, Andrii Nakryiko wrote:
> On Tue, May 10, 2022 at 12:21 PM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>>
>> On 2022-05-07 00:51, Andrii Nakryiko wrote:
>>> On Tue, May 3, 2022 at 10:14 AM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>>>>
>>>> The first patch of this series is a documentation fix.
>>>>
>>>> The second patch allows BPF helpers to accept memory regions of fixed
>>>> size without doing runtime size checks.
>>>>
>>>> The two next patches add new functionality that allows XDP to
>>>> accelerate iptables synproxy.
>>>>
>>>> v1 of this series [1] used to include a patch that exposed conntrack
>>>> lookup to BPF using stable helpers. It was superseded by series [2] by
>>>> Kumar Kartikeya Dwivedi, which implements this functionality using
>>>> unstable helpers.
>>>>
>>>> The third patch adds new helpers to issue and check SYN cookies without
>>>> binding to a socket, which is useful in the synproxy scenario.
>>>>
>>>> The fourth patch adds a selftest, which includes an XDP program and a
>>>> userspace control application. The XDP program uses socketless SYN
>>>> cookie helpers and queries conntrack status instead of socket status.
>>>> The userspace control application allows to tune parameters of the XDP
>>>> program. This program also serves as a minimal example of usage of the
>>>> new functionality.
>>>>
>>>> The last patch exposes the new helpers to TC BPF.
>>>>
>>>> The draft of the new functionality was presented on Netdev 0x15 [3].
>>>>
>>>> v2 changes:
>>>>
>>>> Split into two series, submitted bugfixes to bpf, dropped the conntrack
>>>> patches, implemented the timestamp cookie in BPF using bpf_loop, dropped
>>>> the timestamp cookie patch.
>>>>
>>>> v3 changes:
>>>>
>>>> Moved some patches from bpf to bpf-next, dropped the patch that changed
>>>> error codes, split the new helpers into IPv4/IPv6, added verifier
>>>> functionality to accept memory regions of fixed size.
>>>>
>>>> v4 changes:
>>>>
>>>> Converted the selftest to the test_progs runner. Replaced some
>>>> deprecated functions in xdp_synproxy userspace helper.
>>>>
>>>> v5 changes:
>>>>
>>>> Fixed a bug in the selftest. Added questionable functionality to support
>>>> new helpers in TC BPF, added selftests for it.
>>>>
>>>> v6 changes:
>>>>
>>>> Wrap the new helpers themselves into #ifdef CONFIG_SYN_COOKIES, replaced
>>>> fclose with pclose and fixed the MSS for IPv6 in the selftest.
>>>>
>>>> v7 changes:
>>>>
>>>> Fixed the off-by-one error in indices, changed the section name to
>>>> "xdp", added missing kernel config options to vmtest in CI.
>>>>
>>>> v8 changes:
>>>>
>>>> Properly rebased, dropped the first patch (the same change was applied
>>>> by someone else), updated the cover letter.
>>>>
>>>> v9 changes:
>>>>
>>>> Fixed selftests for no_alu32.
>>>>
>>>> [1]: https://lore.kernel.org/bpf/20211020095815.GJ28644@breakpoint.cc/t/
>>>> [2]: https://lore.kernel.org/bpf/20220114163953.1455836-1-memxor@gmail.com/
>>>> [3]: https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP
>>>>
>>>> Maxim Mikityanskiy (5):
>>>>   bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
>>>>   bpf: Allow helpers to accept pointers with a fixed size
>>>>   bpf: Add helpers to issue and check SYN cookies in XDP
>>>>   bpf: Add selftests for raw syncookie helpers
>>>>   bpf: Allow the new syncookie helpers to work with SKBs
>>>>
>>>
>>> Is it expected that your selftests will fail on s390x? Please check [0]
>>
>> I see it fails with:
>>
>> test_synproxy:FAIL:ethtool -K tmp0 tx off unexpected error: 32512 (errno 2)
>>
>> errno 2 is ENOENT, probably the ethtool binary is missing from the s390x
>> image? When reviewing v6, you said you added ethtool to the CI image.
>> Maybe it was added to x86_64 only? Could you add it to s390x?
>>
>
> Could be that it was outdated in s390x, but with [0] just merged in it
> should have pretty recent one.

Do you mean the image was outdated and didn't contain ethtool? Or
ethtool was in the image, but was outdated? If the latter, I would
expect it to work, this specific ethtool command has worked for ages.

>   [0] https://github.com/libbpf/ci/pull/16
>
>> [1]:
>> https://patchwork.kernel.org/project/netdevbpf/patch/20220422172422.4037988-6-maximmi@nvidia.com/
>>
>>>   [0] https://github.com/kernel-patches/bpf/runs/6277764463?check_suite_focus=true#step:6:6130
>>>
>>>>  include/linux/bpf.h                           |  10 +
>>>>  include/net/tcp.h                             |   1 +
>>>>  include/uapi/linux/bpf.h                      |  88 +-
>>>>  kernel/bpf/verifier.c                         |  26 +-
>>>>  net/core/filter.c                             | 128 +++
>>>>  net/ipv4/tcp_input.c                          |   3 +-
>>>>  scripts/bpf_doc.py                            |   4 +
>>>>  tools/include/uapi/linux/bpf.h                |  88 +-
>>>>  tools/testing/selftests/bpf/.gitignore        |   1 +
>>>>  tools/testing/selftests/bpf/Makefile          |   5 +-
>>>>  .../selftests/bpf/prog_tests/xdp_synproxy.c   | 144 +++
>>>>  .../selftests/bpf/progs/xdp_synproxy_kern.c   | 819 ++++++++++++++++++
>>>>  tools/testing/selftests/bpf/xdp_synproxy.c    | 466 ++++++++++
>>>>  13 files changed, 1761 insertions(+), 22 deletions(-)
>>>>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
>>>>  create mode 100644 tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
>>>>  create mode 100644 tools/testing/selftests/bpf/xdp_synproxy.c
>>>>
>>>> --
>>>> 2.30.2
>>>>
>>
On Wed, May 18, 2022 at 6:43 AM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>
> On 2022-05-16 20:17, Maxim Mikityanskiy wrote:
> > On 2022-05-11 14:48, Maxim Mikityanskiy wrote:
> >> On 2022-05-11 02:59, Andrii Nakryiko wrote:
> >>> On Tue, May 10, 2022 at 12:21 PM Maxim Mikityanskiy
> >>> <maximmi@nvidia.com> wrote:
> >>>>
> >>>> On 2022-05-07 00:51, Andrii Nakryiko wrote:
> >>>>>
> >>>>> Is it expected that your selftests will fail on s390x? Please check
> >>>>> [0]
> >>>>
> >>>> I see it fails with:
> >>>>
> >>>> test_synproxy:FAIL:ethtool -K tmp0 tx off unexpected error: 32512
> >>>> (errno 2)
> >>>>
> >>>> errno 2 is ENOENT, probably the ethtool binary is missing from the
> >>>> s390x
> >>>> image? When reviewing v6, you said you added ethtool to the CI image.
> >>>> Maybe it was added to x86_64 only? Could you add it to s390x?
> >>>>
> >>>
> >>> Could be that it was outdated in s390x, but with [0] just merged in it
> >>> should have pretty recent one.
> >>
> >> Do you mean the image was outdated and didn't contain ethtool? Or
> >> ethtool was in the image, but was outdated? If the latter, I would
> >> expect it to work, this specific ethtool command has worked for ages.
> >
> > Hi Andrii,
> >
> > Could you reply this question? I need to understand whether I need to
> > make any changes to the CI before resubmitting.
>
> I brought up a s390x VM to run the test locally, and there are two
> issues with the latest (2022-05-09) s390x image:
>
> 1. It lacks stdbuf. stdbuf is used by
> tools/testing/selftests/bpf/vmtest.sh to run any test, and this is
> clearly broken. Hence two questions:
>
> 1.1. How does CI work without stdbuf in the image? I thought it used the
> same vmtest.sh script, is that right?

no, CI doesn't use vmtest.sh. vmtest.sh is an approximation of what CI
is doing, but it doesn't share the code/scripts (it does use the same
kernel config and VM image, though)

>
> 1.2. Who can add stdbuf to the image (to fix local runs)?
>

For s390x things I usually ping Ilya. Ilya, can you help here please?

> 2. It lacks iptables needed by my test, so if I resubmit my series, it
> will fail on the CI again. Who can add iptables to the image?

Ditto, I'll defer to Ilya for this.

>
> I also compared the old (2021-03-24) and the new (2022-05-09) s390x
> images, and ethtool was indeed added only after my submission, so that
> explains the current CI error.
>
>
> Thanks,
>
> Max
>