Message ID | 160650040292.2890576.17040975200628427127.stgit@firesoul |
---|---|
State | Superseded |
Headers | show |
Series | [bpf-next,V8,1/8] bpf: Remove MTU check in __bpf_skb_max_len | expand |
On 11/27/20 7:06 PM, Jesper Dangaard Brouer wrote: > The use-case for dropping the MTU check when TC-BPF does redirect to > ingress, is described by Eyal Birger in email[0]. The summary is the > ability to increase packet size (e.g. with IPv6 headers for NAT64) and > ingress redirect packet and let normal netstack fragment packet as needed. > > [0] https://lore.kernel.org/netdev/CAHsH6Gug-hsLGHQ6N0wtixdOa85LDZ3HNRHVd0opR=19Qo4W4Q@mail.gmail.com/ > > V4: > - Keep net_device "up" (IFF_UP) check. > - Adjustment to handle bpf_redirect_peer() helper > > Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> > --- > include/linux/netdevice.h | 31 +++++++++++++++++++++++++++++-- > net/core/dev.c | 19 ++----------------- > net/core/filter.c | 14 +++++++++++--- > 3 files changed, 42 insertions(+), 22 deletions(-) > > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h > index 7ce648a564f7..4a854e09e918 100644 > --- a/include/linux/netdevice.h > +++ b/include/linux/netdevice.h > @@ -3917,11 +3917,38 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb); > bool is_skb_forwardable(const struct net_device *dev, > const struct sk_buff *skb); > > +static __always_inline bool __is_skb_forwardable(const struct net_device *dev, > + const struct sk_buff *skb, > + const bool check_mtu) > +{ > + const u32 vlan_hdr_len = 4; /* VLAN_HLEN */ > + unsigned int len; > + > + if (!(dev->flags & IFF_UP)) > + return false; > + > + if (!check_mtu) > + return true; > + > + len = dev->mtu + dev->hard_header_len + vlan_hdr_len; > + if (skb->len <= len) > + return true; > + > + /* if TSO is enabled, we don't care about the length as the packet > + * could be forwarded without being segmented before > + */ > + if (skb_is_gso(skb)) > + return true; > + > + return false; > +} > + > static __always_inline int ____dev_forward_skb(struct net_device *dev, > - struct sk_buff *skb) > + struct sk_buff *skb, > + const bool check_mtu) > { > if (skb_orphan_frags(skb, GFP_ATOMIC) || > - unlikely(!is_skb_forwardable(dev, skb))) { > + unlikely(!__is_skb_forwardable(dev, skb, check_mtu))) { > atomic_long_inc(&dev->rx_dropped); > kfree_skb(skb); > return NET_RX_DROP; > diff --git a/net/core/dev.c b/net/core/dev.c > index 60d325bda0d7..6ceb6412ee97 100644 > --- a/net/core/dev.c > +++ b/net/core/dev.c > @@ -2189,28 +2189,13 @@ static inline void net_timestamp_set(struct sk_buff *skb) > > bool is_skb_forwardable(const struct net_device *dev, const struct sk_buff *skb) > { > - unsigned int len; > - > - if (!(dev->flags & IFF_UP)) > - return false; > - > - len = dev->mtu + dev->hard_header_len + VLAN_HLEN; > - if (skb->len <= len) > - return true; > - > - /* if TSO is enabled, we don't care about the length as the packet > - * could be forwarded without being segmented before > - */ > - if (skb_is_gso(skb)) > - return true; > - > - return false; > + return __is_skb_forwardable(dev, skb, true); > } > EXPORT_SYMBOL_GPL(is_skb_forwardable); Only user of is_skb_forwardable() that is left after this patch is bridge, maybe the whole thing should be moved into the header? > int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) > { > - int ret = ____dev_forward_skb(dev, skb); > + int ret = ____dev_forward_skb(dev, skb, true); > > if (likely(!ret)) { > skb->protocol = eth_type_trans(skb, dev); > diff --git a/net/core/filter.c b/net/core/filter.c > index d6125cfc49c3..4673afe59533 100644 > --- a/net/core/filter.c > +++ b/net/core/filter.c > @@ -2083,13 +2083,21 @@ static const struct bpf_func_proto bpf_csum_level_proto = { > > static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb) > { > - return dev_forward_skb(dev, skb); > + int ret = ____dev_forward_skb(dev, skb, false); > + > + if (likely(!ret)) { > + skb->protocol = eth_type_trans(skb, dev); > + skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); > + ret = netif_rx(skb); Why netif_rx() and not netif_rx_internal() as in dev_forward_skb() originally? One extra call otherwise. > + } > + > + return ret; > } > > static inline int __bpf_rx_skb_no_mac(struct net_device *dev, > struct sk_buff *skb) > { > - int ret = ____dev_forward_skb(dev, skb); > + int ret = ____dev_forward_skb(dev, skb, false); > > if (likely(!ret)) { > skb->dev = dev; > @@ -2480,7 +2488,7 @@ int skb_do_redirect(struct sk_buff *skb) > goto out_drop; > dev = ops->ndo_get_peer_dev(dev); > if (unlikely(!dev || > - !is_skb_forwardable(dev, skb) || > + !__is_skb_forwardable(dev, skb, false) || If we only use __is_skb_forwardable() with false directly here, maybe then lets just have the !(dev->flags & IFF_UP) test here instead.. > net_eq(net, dev_net(dev)))) > goto out_drop; > skb->dev = dev; > >
On Thu, 3 Dec 2020 00:43:36 +0100 Daniel Borkmann <daniel@iogearbox.net> wrote: > On 11/27/20 7:06 PM, Jesper Dangaard Brouer wrote: > > The use-case for dropping the MTU check when TC-BPF does redirect to > > ingress, is described by Eyal Birger in email[0]. The summary is the > > ability to increase packet size (e.g. with IPv6 headers for NAT64) and > > ingress redirect packet and let normal netstack fragment packet as needed. > > > > [0] https://lore.kernel.org/netdev/CAHsH6Gug-hsLGHQ6N0wtixdOa85LDZ3HNRHVd0opR=19Qo4W4Q@mail.gmail.com/ > > > > V4: > > - Keep net_device "up" (IFF_UP) check. > > - Adjustment to handle bpf_redirect_peer() helper > > > > Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> > > --- > > include/linux/netdevice.h | 31 +++++++++++++++++++++++++++++-- > > net/core/dev.c | 19 ++----------------- > > net/core/filter.c | 14 +++++++++++--- > > 3 files changed, 42 insertions(+), 22 deletions(-) > > > > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h > > index 7ce648a564f7..4a854e09e918 100644 > > --- a/include/linux/netdevice.h > > +++ b/include/linux/netdevice.h > > @@ -3917,11 +3917,38 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb); > > bool is_skb_forwardable(const struct net_device *dev, > > const struct sk_buff *skb); > > > > +static __always_inline bool __is_skb_forwardable(const struct net_device *dev, > > + const struct sk_buff *skb, > > + const bool check_mtu) > > +{ > > + const u32 vlan_hdr_len = 4; /* VLAN_HLEN */ > > + unsigned int len; > > + > > + if (!(dev->flags & IFF_UP)) > > + return false; > > + > > + if (!check_mtu) > > + return true; > > + > > + len = dev->mtu + dev->hard_header_len + vlan_hdr_len; > > + if (skb->len <= len) > > + return true; > > + > > + /* if TSO is enabled, we don't care about the length as the packet > > + * could be forwarded without being segmented before > > + */ > > + if (skb_is_gso(skb)) > > + return true; > > + > > + return false; > > +} > > + > > static __always_inline int ____dev_forward_skb(struct net_device *dev, > > - struct sk_buff *skb) > > + struct sk_buff *skb, > > + const bool check_mtu) > > { > > if (skb_orphan_frags(skb, GFP_ATOMIC) || > > - unlikely(!is_skb_forwardable(dev, skb))) { > > + unlikely(!__is_skb_forwardable(dev, skb, check_mtu))) { > > atomic_long_inc(&dev->rx_dropped); > > kfree_skb(skb); > > return NET_RX_DROP; > > diff --git a/net/core/dev.c b/net/core/dev.c > > index 60d325bda0d7..6ceb6412ee97 100644 > > --- a/net/core/dev.c > > +++ b/net/core/dev.c > > @@ -2189,28 +2189,13 @@ static inline void net_timestamp_set(struct sk_buff *skb) > > > > bool is_skb_forwardable(const struct net_device *dev, const struct sk_buff *skb) > > { > > - unsigned int len; > > - > > - if (!(dev->flags & IFF_UP)) > > - return false; > > - > > - len = dev->mtu + dev->hard_header_len + VLAN_HLEN; > > - if (skb->len <= len) > > - return true; > > - > > - /* if TSO is enabled, we don't care about the length as the packet > > - * could be forwarded without being segmented before > > - */ > > - if (skb_is_gso(skb)) > > - return true; > > - > > - return false; > > + return __is_skb_forwardable(dev, skb, true); > > } > > EXPORT_SYMBOL_GPL(is_skb_forwardable); > > Only user of is_skb_forwardable() that is left after this patch is bridge, maybe > the whole thing should be moved into the header? Well, yes, maybe... I just felt it belongs in another patchset. > > int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) > > { > > - int ret = ____dev_forward_skb(dev, skb); > > + int ret = ____dev_forward_skb(dev, skb, true); > > > > if (likely(!ret)) { > > skb->protocol = eth_type_trans(skb, dev); > > diff --git a/net/core/filter.c b/net/core/filter.c > > index d6125cfc49c3..4673afe59533 100644 > > --- a/net/core/filter.c > > +++ b/net/core/filter.c > > @@ -2083,13 +2083,21 @@ static const struct bpf_func_proto bpf_csum_level_proto = { > > > > static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb) > > { > > - return dev_forward_skb(dev, skb); > > + int ret = ____dev_forward_skb(dev, skb, false); > > + > > + if (likely(!ret)) { > > + skb->protocol = eth_type_trans(skb, dev); > > + skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); > > + ret = netif_rx(skb); > > Why netif_rx() and not netif_rx_internal() as in dev_forward_skb() originally? > One extra call otherwise. This is because the function below calls netif_rx(), which is just outside patch-diff-window. Thus, it looked wrong/strange to call netif_rx_internal(), but sure I can use netif_rx_internal() instead. > > > + } > > + > > + return ret; > > } > > > > static inline int __bpf_rx_skb_no_mac(struct net_device *dev, > > struct sk_buff *skb) > > { > > - int ret = ____dev_forward_skb(dev, skb); > > + int ret = ____dev_forward_skb(dev, skb, false); > > > > if (likely(!ret)) { > > skb->dev = dev; > > @@ -2480,7 +2488,7 @@ int skb_do_redirect(struct sk_buff *skb) > > goto out_drop; > > dev = ops->ndo_get_peer_dev(dev); > > if (unlikely(!dev || > > - !is_skb_forwardable(dev, skb) || > > + !__is_skb_forwardable(dev, skb, false) || > > If we only use __is_skb_forwardable() with false directly here, maybe then > lets just have the !(dev->flags & IFF_UP) test here instead.. Sure, let do that. > > net_eq(net, dev_net(dev)))) > > goto out_drop; > > skb->dev = dev; > > -- Best regards, Jesper Dangaard Brouer MSc.CS, Principal Kernel Engineer at Red Hat LinkedIn: http://www.linkedin.com/in/brouer
On Thu, 17 Dec 2020 15:46:55 +0100 Jesper Dangaard Brouer <brouer@redhat.com> wrote: > > > diff --git a/net/core/filter.c b/net/core/filter.c > > > index d6125cfc49c3..4673afe59533 100644 > > > --- a/net/core/filter.c > > > +++ b/net/core/filter.c > > > @@ -2083,13 +2083,21 @@ static const struct bpf_func_proto bpf_csum_level_proto = { > > > > > > static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb) > > > { > > > - return dev_forward_skb(dev, skb); > > > + int ret = ____dev_forward_skb(dev, skb, false); > > > + > > > + if (likely(!ret)) { > > > + skb->protocol = eth_type_trans(skb, dev); > > > + skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); > > > + ret = netif_rx(skb); > > > > Why netif_rx() and not netif_rx_internal() as in dev_forward_skb() originally? > > One extra call otherwise. > > This is because the function below calls netif_rx(), which is just > outside patch-diff-window. Thus, it looked wrong/strange to call > netif_rx_internal(), but sure I can use netif_rx_internal() instead. Well, when building I found that we obviously cannot call netif_rx_internal() as this is filter.c, else we get a build error: net/core/filter.c:2091:9: error: implicit declaration of function ‘netif_rx_internal’ [-Werror=implicit-function-declaration] 2091 | ret = netif_rx_internal(skb); | ^~~~~~~~~~~~~~~~~ -- Best regards, Jesper Dangaard Brouer MSc.CS, Principal Kernel Engineer at Red Hat LinkedIn: http://www.linkedin.com/in/brouer
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 7ce648a564f7..4a854e09e918 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h @@ -3917,11 +3917,38 @@ int dev_forward_skb(struct net_device *dev, struct sk_buff *skb); bool is_skb_forwardable(const struct net_device *dev, const struct sk_buff *skb); +static __always_inline bool __is_skb_forwardable(const struct net_device *dev, + const struct sk_buff *skb, + const bool check_mtu) +{ + const u32 vlan_hdr_len = 4; /* VLAN_HLEN */ + unsigned int len; + + if (!(dev->flags & IFF_UP)) + return false; + + if (!check_mtu) + return true; + + len = dev->mtu + dev->hard_header_len + vlan_hdr_len; + if (skb->len <= len) + return true; + + /* if TSO is enabled, we don't care about the length as the packet + * could be forwarded without being segmented before + */ + if (skb_is_gso(skb)) + return true; + + return false; +} + static __always_inline int ____dev_forward_skb(struct net_device *dev, - struct sk_buff *skb) + struct sk_buff *skb, + const bool check_mtu) { if (skb_orphan_frags(skb, GFP_ATOMIC) || - unlikely(!is_skb_forwardable(dev, skb))) { + unlikely(!__is_skb_forwardable(dev, skb, check_mtu))) { atomic_long_inc(&dev->rx_dropped); kfree_skb(skb); return NET_RX_DROP; diff --git a/net/core/dev.c b/net/core/dev.c index 60d325bda0d7..6ceb6412ee97 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -2189,28 +2189,13 @@ static inline void net_timestamp_set(struct sk_buff *skb) bool is_skb_forwardable(const struct net_device *dev, const struct sk_buff *skb) { - unsigned int len; - - if (!(dev->flags & IFF_UP)) - return false; - - len = dev->mtu + dev->hard_header_len + VLAN_HLEN; - if (skb->len <= len) - return true; - - /* if TSO is enabled, we don't care about the length as the packet - * could be forwarded without being segmented before - */ - if (skb_is_gso(skb)) - return true; - - return false; + return __is_skb_forwardable(dev, skb, true); } EXPORT_SYMBOL_GPL(is_skb_forwardable); int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) { - int ret = ____dev_forward_skb(dev, skb); + int ret = ____dev_forward_skb(dev, skb, true); if (likely(!ret)) { skb->protocol = eth_type_trans(skb, dev); diff --git a/net/core/filter.c b/net/core/filter.c index d6125cfc49c3..4673afe59533 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -2083,13 +2083,21 @@ static const struct bpf_func_proto bpf_csum_level_proto = { static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff *skb) { - return dev_forward_skb(dev, skb); + int ret = ____dev_forward_skb(dev, skb, false); + + if (likely(!ret)) { + skb->protocol = eth_type_trans(skb, dev); + skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); + ret = netif_rx(skb); + } + + return ret; } static inline int __bpf_rx_skb_no_mac(struct net_device *dev, struct sk_buff *skb) { - int ret = ____dev_forward_skb(dev, skb); + int ret = ____dev_forward_skb(dev, skb, false); if (likely(!ret)) { skb->dev = dev; @@ -2480,7 +2488,7 @@ int skb_do_redirect(struct sk_buff *skb) goto out_drop; dev = ops->ndo_get_peer_dev(dev); if (unlikely(!dev || - !is_skb_forwardable(dev, skb) || + !__is_skb_forwardable(dev, skb, false) || net_eq(net, dev_net(dev)))) goto out_drop; skb->dev = dev;
The use-case for dropping the MTU check when TC-BPF does redirect to ingress, is described by Eyal Birger in email[0]. The summary is the ability to increase packet size (e.g. with IPv6 headers for NAT64) and ingress redirect packet and let normal netstack fragment packet as needed. [0] https://lore.kernel.org/netdev/CAHsH6Gug-hsLGHQ6N0wtixdOa85LDZ3HNRHVd0opR=19Qo4W4Q@mail.gmail.com/ V4: - Keep net_device "up" (IFF_UP) check. - Adjustment to handle bpf_redirect_peer() helper Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> --- include/linux/netdevice.h | 31 +++++++++++++++++++++++++++++-- net/core/dev.c | 19 ++----------------- net/core/filter.c | 14 +++++++++++--- 3 files changed, 42 insertions(+), 22 deletions(-)