[bpf-next,v10,0/6] New BPF helpers to accelerate synproxy

Message ID 20220615134847.3753567-1-maximmi@nvidia.com

Message

Maxim Mikityanskiy June 15, 2022, 1:48 p.m. UTC
The first patch of this series is a documentation fix.

The second patch allows BPF helpers to accept memory regions of fixed
size without doing runtime size checks.

The next two patches add new functionality that allows XDP to
accelerate iptables synproxy.

v1 of this series [1] used to include a patch that exposed conntrack
lookup to BPF using stable helpers. It was superseded by series [2] by
Kumar Kartikeya Dwivedi, which implements this functionality using
unstable helpers.

The third patch adds new helpers to issue and check SYN cookies without
binding to a socket, which is useful in the synproxy scenario.

The fourth patch adds a selftest, which includes an XDP program and a
userspace control application. The XDP program uses socketless SYN
cookie helpers and queries conntrack status instead of socket status.
The userspace control application allows tuning the parameters of the
XDP program. This program also serves as a minimal example of usage of
the new functionality.

The last two patches expose the new helpers to TC BPF and extend the
selftest.

The draft of the new functionality was presented on Netdev 0x15 [3].

v2 changes:

Split into two series, submitted bugfixes to bpf, dropped the conntrack
patches, implemented the timestamp cookie in BPF using bpf_loop, dropped
the timestamp cookie patch.

v3 changes:

Moved some patches from bpf to bpf-next, dropped the patch that changed
error codes, split the new helpers into IPv4/IPv6, added verifier
functionality to accept memory regions of fixed size.

v4 changes:

Converted the selftest to the test_progs runner. Replaced some
deprecated functions in xdp_synproxy userspace helper.

v5 changes:

Fixed a bug in the selftest. Added questionable functionality to support
new helpers in TC BPF, added selftests for it.

v6 changes:

Wrapped the new helpers themselves in #ifdef CONFIG_SYN_COOKIES, replaced
fclose with pclose, and fixed the MSS for IPv6 in the selftest.

v7 changes:

Fixed the off-by-one error in indices, changed the section name to
"xdp", added missing kernel config options to vmtest in CI.

v8 changes:

Properly rebased, dropped the first patch (the same change was applied
by someone else), updated the cover letter.

v9 changes:

Fixed selftests for no_alu32.

v10 changes:

Selftests for s390x were blacklisted due to lack of kfunc support,
rebased the series, split selftests into separate commits, created
ARG_PTR_TO_FIXED_SIZE_MEM and packed arg_size, addressed the rest of
the comments.

[1]: https://lore.kernel.org/bpf/20211020095815.GJ28644@breakpoint.cc/t/
[2]: https://lore.kernel.org/bpf/20220114163953.1455836-1-memxor@gmail.com/
[3]: https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP

Maxim Mikityanskiy (6):
  bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
  bpf: Allow helpers to accept pointers with a fixed size
  bpf: Add helpers to issue and check SYN cookies in XDP
  selftests/bpf: Add selftests for raw syncookie helpers
  bpf: Allow the new syncookie helpers to work with SKBs
  selftests/bpf: Add selftests for raw syncookie helpers in TC mode

 include/linux/bpf.h                           |  13 +
 include/net/tcp.h                             |   1 +
 include/uapi/linux/bpf.h                      |  88 +-
 kernel/bpf/verifier.c                         |  43 +-
 net/core/filter.c                             | 128 +++
 net/ipv4/tcp_input.c                          |   3 +-
 scripts/bpf_doc.py                            |   4 +
 tools/include/uapi/linux/bpf.h                |  88 +-
 tools/testing/selftests/bpf/.gitignore        |   1 +
 tools/testing/selftests/bpf/Makefile          |   3 +-
 .../selftests/bpf/prog_tests/xdp_synproxy.c   | 183 ++++
 .../selftests/bpf/progs/xdp_synproxy_kern.c   | 833 ++++++++++++++++++
 tools/testing/selftests/bpf/xdp_synproxy.c    | 466 ++++++++++
 13 files changed, 1833 insertions(+), 21 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
 create mode 100644 tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
 create mode 100644 tools/testing/selftests/bpf/xdp_synproxy.c

Comments

Alexei Starovoitov June 17, 2022, 4:38 a.m. UTC | #1
On Wed, Jun 15, 2022 at 6:49 AM Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>
> The first patch of this series is a documentation fix.
>
> The second patch allows BPF helpers to accept memory regions of fixed
> size without doing runtime size checks.
>
> The next two patches add new functionality that allows XDP to
> accelerate iptables synproxy.
>
> [...]

Applied.
Please follow up with a patch to add:
CONFIG_NETFILTER_SYNPROXY=y
CONFIG_NETFILTER_XT_TARGET_CT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_SYNPROXY=y
CONFIG_IP_NF_RAW=y

to selftests/bpf/config.

Otherwise folks will not know what to enable when they see
test_synproxy:FAIL:iptables -t raw -I PREROUTING         -i tmp1 -p
tcp -m tcp --syn --dport 8080 -j CT --notrack unexpected error: 256
(errno 22)

patchwork-bot+netdevbpf@kernel.org June 17, 2022, 4:40 a.m. UTC | #2
Hello:

This series was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Wed, 15 Jun 2022 16:48:41 +0300 you wrote:
> The first patch of this series is a documentation fix.
> 
> The second patch allows BPF helpers to accept memory regions of fixed
> size without doing runtime size checks.
> 
> The two next patches add new functionality that allows XDP to
> accelerate iptables synproxy.
> 
> [...]

Here is the summary with links:
  - [bpf-next,v10,1/6] bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
    https://git.kernel.org/bpf/bpf-next/c/ac80287a6af9
  - [bpf-next,v10,2/6] bpf: Allow helpers to accept pointers with a fixed size
    https://git.kernel.org/bpf/bpf-next/c/508362ac66b0
  - [bpf-next,v10,3/6] bpf: Add helpers to issue and check SYN cookies in XDP
    https://git.kernel.org/bpf/bpf-next/c/33bf9885040c
  - [bpf-next,v10,4/6] selftests/bpf: Add selftests for raw syncookie helpers
    https://git.kernel.org/bpf/bpf-next/c/fb5cd0ce70d4
  - [bpf-next,v10,5/6] bpf: Allow the new syncookie helpers to work with SKBs
    https://git.kernel.org/bpf/bpf-next/c/9a4cf073866c
  - [bpf-next,v10,6/6] selftests/bpf: Add selftests for raw syncookie helpers in TC mode
    https://git.kernel.org/bpf/bpf-next/c/784d5dc0efc2

You are awesome, thank you!