From patchwork Wed Mar 25 05:57:41 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joe Stringer X-Patchwork-Id: 221913 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 87BEAC54FCF for ; Wed, 25 Mar 2020 05:58:01 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4C1752074D for ; Wed, 25 Mar 2020 05:58:01 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="WYrAZa5K" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726700AbgCYF6A (ORCPT ); Wed, 25 Mar 2020 01:58:00 -0400 Received: from mail-pg1-f194.google.com ([209.85.215.194]:46800 "EHLO mail-pg1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725781AbgCYF6A (ORCPT ); Wed, 25 Mar 2020 01:58:00 -0400 Received: by mail-pg1-f194.google.com with SMTP id k191so620003pgc.13; Tue, 24 Mar 2020 22:57:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=LOBnpjoCVWdEtHtGbj23rQxMzW+lA3sQQ/MK31NWfSY=; b=WYrAZa5KP/CQ+JtkJnlSTmWyxrK7U3l/IYMwuDc+OW9c6ZePD3nOizVrFTW3v/SmxD Khh9VTGuT4ZT1mpLhLQN5m3DjdhI7AN4EBpwKEQgtN7TOupxkFmV5siT/dcAW8FsciOl tjX1kFObMcSB1JTUBIOMvoDXd6en+AHS2PFwVJDqgQkylZ0/5W24hmaW6hbCMGlvJAJ+ OPxnpl0mU3+7UIJhOxFMMoCgJs9qjg380MqpX929Fv8eiuevNcWj2SUCWphfdzHkp4P1 F384LPJ7EVYWqv6awEk1q5c8zC25FCtEV5CMVVkBIRhWORosECCNLYE83s5bUoT547ti K2Nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=LOBnpjoCVWdEtHtGbj23rQxMzW+lA3sQQ/MK31NWfSY=; b=KFS5RYjZ+yeDeLHDukygJloXI172gcSTM0ayE3itnaorwcrcOPj8SuJYNe/O7Fdrco sc/SJa2+vwbKAwSiNuTmSDJgdHhwV9RoaKAFko5pUpXt1QhNrOw2+Mf4NnjrYCmEMwyh FmxEyFwXTo2nRaCzXcX2bbZ+K8l9O0jRiGMp9VBP0XLdYMHGx7iacqmoBZXuC2snbSKA RxTnvPL3aUC40PvvVx+kSkHhoIMV2Zs1FLboXzvGZTa0nE3OEyOg4rISFIlPEUPM6C4N P6kPVOYbwF9NRBKgqqoBQ9Im7qCKpCU1yfN5iqKoyTnPVQsXQO+h5akjXHqEhv/o24pR wWlA== X-Gm-Message-State: ANhLgQ2uQgGrYpr2VnLN2VDRHG3cU6jFaBUEkD2mw5IRNWEab8l7JmYS osYfy9Jl7VKS23EY8cG6lqRSJ5tW X-Google-Smtp-Source: ADFU+vspkAFUsoDQ6wAjtIGsL0M2QsHKc3w4CPKSxhsPLai5s1SE2+3eF+1QuSY9hx7u7h3SLpYFaQ== X-Received: by 2002:a63:54e:: with SMTP id 75mr1423427pgf.398.1585115877812; Tue, 24 Mar 2020 22:57:57 -0700 (PDT) Received: from localhost.localdomain (c-73-93-5-123.hsd1.ca.comcast.net. [73.93.5.123]) by smtp.gmail.com with ESMTPSA id e10sm17605716pfm.121.2020.03.24.22.57.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Mar 2020 22:57:57 -0700 (PDT) From: Joe Stringer To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, eric.dumazet@gmail.com, lmb@cloudflare.com, kafai@fb.com Subject: [PATCHv2 bpf-next 1/5] bpf: Add socket assign support Date: Tue, 24 Mar 2020 22:57:41 -0700 Message-Id: <20200325055745.10710-2-joe@wand.net.nz> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200325055745.10710-1-joe@wand.net.nz> References: <20200325055745.10710-1-joe@wand.net.nz> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Add support for TPROXY via a new bpf helper, bpf_sk_assign(). This helper requires the BPF program to discover the socket via a call to bpf_sk*_lookup_*(), then pass this socket to the new helper. The helper takes its own reference to the socket in addition to any existing reference that may or may not currently be obtained for the duration of BPF processing. For the destination socket to receive the traffic, the traffic must be routed towards that socket via local route. The simplest example route is below, but in practice you may want to route traffic more narrowly (eg by CIDR): $ ip route add local default dev lo This patch avoids trying to introduce an extra bit into the skb->sk, as that would require more invasive changes to all code interacting with the socket to ensure that the bit is handled correctly, such as all error-handling cases along the path from the helper in BPF through to the orphan path in the input. Instead, we opt to use the destructor variable to switch on the prefetch of the socket. Signed-off-by: Joe Stringer --- v2: Use skb->destructor to determine socket prefetch usage instead of introducing a new metadata_dst Restrict socket assign to same netns as TC device Restrict assigning reuseport sockets Adjust commit wording v1: Initial version --- include/net/sock.h | 7 +++++++ include/uapi/linux/bpf.h | 25 ++++++++++++++++++++++++- net/core/filter.c | 31 +++++++++++++++++++++++++++++++ net/core/sock.c | 9 +++++++++ net/ipv4/ip_input.c | 3 ++- net/ipv6/ip6_input.c | 3 ++- net/sched/act_bpf.c | 2 ++ tools/include/uapi/linux/bpf.h | 25 ++++++++++++++++++++++++- 8 files changed, 101 insertions(+), 4 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index b5cca7bae69b..2613d21a667a 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -1657,6 +1657,7 @@ struct sk_buff *sock_omalloc(struct sock *sk, unsigned long size, void skb_orphan_partial(struct sk_buff *skb); void sock_rfree(struct sk_buff *skb); void sock_efree(struct sk_buff *skb); +void sock_pfree(struct sk_buff *skb); #ifdef CONFIG_INET void sock_edemux(struct sk_buff *skb); #else @@ -2526,6 +2527,12 @@ void sock_net_set(struct sock *sk, struct net *net) write_pnet(&sk->sk_net, net); } +static inline bool +skb_sk_is_prefetched(struct sk_buff *skb) +{ + return skb->destructor == sock_pfree; +} + static inline struct sock *skb_steal_sock(struct sk_buff *skb) { if (skb->sk) { diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h index 5d01c5c7e598..0c6f151deebe 100644 --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -2950,6 +2950,28 @@ union bpf_attr { * restricted to raw_tracepoint bpf programs. * Return * 0 on success, or a negative error in case of failure. + * + * int bpf_sk_assign(struct sk_buff *skb, struct bpf_sock *sk, u64 flags) + * Description + * Assign the *sk* to the *skb*. When combined with appropriate + * routing configuration to receive the packet towards the socket, + * will cause *skb* to be delivered to the specified socket. + * Subsequent redirection of *skb* via **bpf_redirect**\ (), + * **bpf_clone_redirect**\ () or other methods outside of BPF may + * interfere with successful delivery to the socket. + * + * This operation is only valid from TC ingress path. + * + * The *flags* argument must be zero. + * Return + * 0 on success, or a negative errno in case of failure. + * + * * **-EINVAL** Unsupported flags specified. + * * **-ENETUNREACH** Socket is unreachable (wrong netns). + * * **-ENOENT** Socket is unavailable for assignment. + * * **-EOPNOTSUPP** Unsupported operation, for example a + * call from outside of TC ingress. + * * **-ESOCKTNOSUPPORT** Socket type not supported (reuseport). */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -3073,7 +3095,8 @@ union bpf_attr { FN(jiffies64), \ FN(read_branch_records), \ FN(get_ns_current_pid_tgid), \ - FN(xdp_output), + FN(xdp_output), \ + FN(sk_assign), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call diff --git a/net/core/filter.c b/net/core/filter.c index 96350a743539..f7f9b6631f75 100644 --- a/net/core/filter.c +++ b/net/core/filter.c @@ -5860,6 +5860,35 @@ static const struct bpf_func_proto bpf_tcp_gen_syncookie_proto = { .arg5_type = ARG_CONST_SIZE, }; +BPF_CALL_3(bpf_sk_assign, struct sk_buff *, skb, struct sock *, sk, u64, flags) +{ + if (flags != 0) + return -EINVAL; + if (!skb_at_tc_ingress(skb)) + return -EOPNOTSUPP; + if (unlikely(sk->sk_reuseport)) + return -ESOCKTNOSUPPORT; + if (unlikely(dev_net(skb->dev) != sock_net(sk))) + return -ENETUNREACH; + if (unlikely(!refcount_inc_not_zero(&sk->sk_refcnt))) + return -ENOENT; + + skb_orphan(skb); + skb->sk = sk; + skb->destructor = sock_pfree; + + return 0; +} + +static const struct bpf_func_proto bpf_sk_assign_proto = { + .func = bpf_sk_assign, + .gpl_only = false, + .ret_type = RET_INTEGER, + .arg1_type = ARG_PTR_TO_CTX, + .arg2_type = ARG_PTR_TO_SOCK_COMMON, + .arg3_type = ARG_ANYTHING, +}; + #endif /* CONFIG_INET */ bool bpf_helper_changes_pkt_data(void *func) @@ -6153,6 +6182,8 @@ tc_cls_act_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog) return &bpf_skb_ecn_set_ce_proto; case BPF_FUNC_tcp_gen_syncookie: return &bpf_tcp_gen_syncookie_proto; + case BPF_FUNC_sk_assign: + return &bpf_sk_assign_proto; #endif default: return bpf_base_func_proto(func_id); diff --git a/net/core/sock.c b/net/core/sock.c index 0fc8937a7ff4..cfaf60267360 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -2071,6 +2071,15 @@ void sock_efree(struct sk_buff *skb) } EXPORT_SYMBOL(sock_efree); +/* Buffer destructor for prefetch/receive path where reference count may + * not be held, e.g. for listen sockets. + */ +void sock_pfree(struct sk_buff *skb) +{ + sock_edemux(skb); +} +EXPORT_SYMBOL(sock_pfree); + kuid_t sock_i_uid(struct sock *sk) { kuid_t uid; diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index aa438c6758a7..b0c244af1e4d 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -509,7 +509,8 @@ static struct sk_buff *ip_rcv_core(struct sk_buff *skb, struct net *net) IPCB(skb)->iif = skb->skb_iif; /* Must drop socket now because of tproxy. */ - skb_orphan(skb); + if (!skb_sk_is_prefetched(skb)) + skb_orphan(skb); return skb; diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index 7b089d0ac8cd..e96304d8a4a7 100644 --- a/net/ipv6/ip6_input.c +++ b/net/ipv6/ip6_input.c @@ -285,7 +285,8 @@ static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev, rcu_read_unlock(); /* Must drop socket now because of tproxy. */ - skb_orphan(skb); + if (!skb_sk_is_prefetched(skb)) + skb_orphan(skb); return skb; err: diff --git a/net/sched/act_bpf.c b/net/sched/act_bpf.c index 46f47e58b3be..6c7ed8fcc909 100644 --- a/net/sched/act_bpf.c +++ b/net/sched/act_bpf.c @@ -53,6 +53,8 @@ static int tcf_bpf_act(struct sk_buff *skb, const struct tc_action *act, bpf_compute_data_pointers(skb); filter_res = BPF_PROG_RUN(filter, skb); } + if (filter_res != TC_ACT_OK) + skb_orphan(skb); rcu_read_unlock(); /* A BPF program may overwrite the default action opcode. diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index 5d01c5c7e598..0c6f151deebe 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h @@ -2950,6 +2950,28 @@ union bpf_attr { * restricted to raw_tracepoint bpf programs. * Return * 0 on success, or a negative error in case of failure. + * + * int bpf_sk_assign(struct sk_buff *skb, struct bpf_sock *sk, u64 flags) + * Description + * Assign the *sk* to the *skb*. When combined with appropriate + * routing configuration to receive the packet towards the socket, + * will cause *skb* to be delivered to the specified socket. + * Subsequent redirection of *skb* via **bpf_redirect**\ (), + * **bpf_clone_redirect**\ () or other methods outside of BPF may + * interfere with successful delivery to the socket. + * + * This operation is only valid from TC ingress path. + * + * The *flags* argument must be zero. + * Return + * 0 on success, or a negative errno in case of failure. + * + * * **-EINVAL** Unsupported flags specified. + * * **-ENETUNREACH** Socket is unreachable (wrong netns). + * * **-ENOENT** Socket is unavailable for assignment. + * * **-EOPNOTSUPP** Unsupported operation, for example a + * call from outside of TC ingress. + * * **-ESOCKTNOSUPPORT** Socket type not supported (reuseport). */ #define __BPF_FUNC_MAPPER(FN) \ FN(unspec), \ @@ -3073,7 +3095,8 @@ union bpf_attr { FN(jiffies64), \ FN(read_branch_records), \ FN(get_ns_current_pid_tgid), \ - FN(xdp_output), + FN(xdp_output), \ + FN(sk_assign), /* integer value in 'imm' field of BPF_CALL instruction selects which helper * function eBPF program intends to call From patchwork Wed Mar 25 05:57:43 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joe Stringer X-Patchwork-Id: 221912 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EC5A5C54FD5 for ; Wed, 25 Mar 2020 05:58:04 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id BFE4C2074D for ; Wed, 25 Mar 2020 05:58:04 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="s6ixoIzD" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727392AbgCYF6E (ORCPT ); Wed, 25 Mar 2020 01:58:04 -0400 Received: from mail-pj1-f67.google.com ([209.85.216.67]:38240 "EHLO mail-pj1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725781AbgCYF6D (ORCPT ); Wed, 25 Mar 2020 01:58:03 -0400 Received: by mail-pj1-f67.google.com with SMTP id m15so567686pje.3; Tue, 24 Mar 2020 22:58:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=5okIGh2vwOTEA3JNBGE+wuo//bGh6mzInA8cwTSERzo=; b=s6ixoIzDpq3jfw5wArEmR70TflLWvxMSvHJ6Kv1f7wkEGwqzrp/NB/P6AbOgbBT4Py GuEBKScNQTkEl49gIkmoZiESl+H5GxOT8sTYNHP2aMf2j2enb4zEplpkj5NNwwU0NPSH OeI7eeQuTfPt4VE4lU87iqQCl/5InNn0KUKdIfzjLhDLrXOCKzp0pPdf64JbFESfWTqr 0rbm+Xo4No3ALFYcBD56Nz5zO1Gp4VV2R7H0XpcVTla6wQ8TsJB8jP6c+yw2jbWxHeJW /QdwIgVubTaN/fphlZRGl+tYMgIvj6wAHwRiZh4thK14qyPkf7QzIu5cLAGe8aJ4dFLa IjRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=5okIGh2vwOTEA3JNBGE+wuo//bGh6mzInA8cwTSERzo=; b=iDcNCIFYf+1TkWRDuf9YjbN3mF0ggPjZ7xfJGAfx/JBdJ8DR+nK6BrSIGAh7yFZIia +wdb52PlFH12SaIosjVZ/i6JgQdBNgCSI4o2HO8ndC+Jl0rNPdLtXq4sjs+zm6a9gEx6 Vc11lxqAqDaYDx6wWkdWlkTW1cebTEFSXD8sBKCBtkMqjnL5UylkHtBejlPpiYJ2XK8q sATCGNC4Fs95gTnk6JxZsSNPtTT82icaMqx5yG+rWuFpxiwHmdYAb1SBFEJobd4cKexQ jY2RABdi7QFbRvto4oPzwZehha/4N3M26Pb8LE1tKXSohrDV42lDtatHLD5apUQu10oX /tXQ== X-Gm-Message-State: ANhLgQ01QBUYCDOGRnZDj5fozLqrtOK99R408USADp/mSo2ptVp2Uzc/ 6FxJtYsQKU5lfNjeWb595A2GjGAP X-Google-Smtp-Source: ADFU+vugpyTJjkUgDaw75Tc2R9ggrSI3SEIxea//9nJ4DlGWFxJUs2hzvCtgTTSi7ioboJwF735e5A== X-Received: by 2002:a17:902:a9c5:: with SMTP id b5mr1720550plr.126.1585115880828; Tue, 24 Mar 2020 22:58:00 -0700 (PDT) Received: from localhost.localdomain (c-73-93-5-123.hsd1.ca.comcast.net. [73.93.5.123]) by smtp.gmail.com with ESMTPSA id e10sm17605716pfm.121.2020.03.24.22.57.59 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Mar 2020 22:58:00 -0700 (PDT) From: Joe Stringer To: bpf@vger.kernel.org Cc: netdev@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, eric.dumazet@gmail.com, lmb@cloudflare.com, kafai@fb.com Subject: [PATCHv2 bpf-next 3/5] net: Track socket refcounts in skb_steal_sock() Date: Tue, 24 Mar 2020 22:57:43 -0700 Message-Id: <20200325055745.10710-4-joe@wand.net.nz> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200325055745.10710-1-joe@wand.net.nz> References: <20200325055745.10710-1-joe@wand.net.nz> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Refactor the UDP/TCP handlers slightly to allow skb_steal_sock() to make the determination of whether the socket is reference counted in the case where it is prefetched by earlier logic such as early_demux or dst_sk_prefetch. Signed-off-by: Joe Stringer --- v2: Initial version --- include/net/inet6_hashtables.h | 3 +-- include/net/inet_hashtables.h | 3 +-- include/net/sock.h | 10 +++++++++- net/ipv4/udp.c | 6 ++++-- net/ipv6/udp.c | 9 ++++++--- 5 files changed, 21 insertions(+), 10 deletions(-) diff --git a/include/net/inet6_hashtables.h b/include/net/inet6_hashtables.h index fe96bf247aac..81b965953036 100644 --- a/include/net/inet6_hashtables.h +++ b/include/net/inet6_hashtables.h @@ -85,9 +85,8 @@ static inline struct sock *__inet6_lookup_skb(struct inet_hashinfo *hashinfo, int iif, int sdif, bool *refcounted) { - struct sock *sk = skb_steal_sock(skb); + struct sock *sk = skb_steal_sock(skb, refcounted); - *refcounted = true; if (sk) return sk; diff --git a/include/net/inet_hashtables.h b/include/net/inet_hashtables.h index d0019d3395cf..ad64ba6a057f 100644 --- a/include/net/inet_hashtables.h +++ b/include/net/inet_hashtables.h @@ -379,10 +379,9 @@ static inline struct sock *__inet_lookup_skb(struct inet_hashinfo *hashinfo, const int sdif, bool *refcounted) { - struct sock *sk = skb_steal_sock(skb); + struct sock *sk = skb_steal_sock(skb, refcounted); const struct iphdr *iph = ip_hdr(skb); - *refcounted = true; if (sk) return sk; diff --git a/include/net/sock.h b/include/net/sock.h index 2613d21a667a..1ca2e808cb8e 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2533,15 +2533,23 @@ skb_sk_is_prefetched(struct sk_buff *skb) return skb->destructor == sock_pfree; } -static inline struct sock *skb_steal_sock(struct sk_buff *skb) +/** + * skb_steal_sock + * @skb to steal the socket from + * @refcounted is set to true if the socket is reference-counted + */ +static inline struct sock * +skb_steal_sock(struct sk_buff *skb, bool *refcounted) { if (skb->sk) { struct sock *sk = skb->sk; + *refcounted = true; skb->destructor = NULL; skb->sk = NULL; return sk; } + *refcounted = false; return NULL; } diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 2633fc231593..b4035021bbd3 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -2288,6 +2288,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, struct rtable *rt = skb_rtable(skb); __be32 saddr, daddr; struct net *net = dev_net(skb->dev); + bool refcounted; /* * Validate the packet. @@ -2313,7 +2314,7 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, if (udp4_csum_init(skb, uh, proto)) goto csum_error; - sk = skb_steal_sock(skb); + sk = skb_steal_sock(skb, &refcounted); if (sk) { struct dst_entry *dst = skb_dst(skb); int ret; @@ -2322,7 +2323,8 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, udp_sk_rx_dst_set(sk, dst); ret = udp_unicast_rcv_skb(sk, skb, uh); - sock_put(sk); + if (refcounted) + sock_put(sk); return ret; } diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 5dc439a391fe..7d4151747340 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -843,6 +843,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, struct net *net = dev_net(skb->dev); struct udphdr *uh; struct sock *sk; + bool refcounted; u32 ulen = 0; if (!pskb_may_pull(skb, sizeof(struct udphdr))) @@ -879,7 +880,7 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, goto csum_error; /* Check if the socket is already available, e.g. due to early demux */ - sk = skb_steal_sock(skb); + sk = skb_steal_sock(skb, &refcounted); if (sk) { struct dst_entry *dst = skb_dst(skb); int ret; @@ -888,12 +889,14 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, udp6_sk_rx_dst_set(sk, dst); if (!uh->check && !udp_sk(sk)->no_check6_rx) { - sock_put(sk); + if (refcounted) + sock_put(sk); goto report_csum_error; } ret = udp6_unicast_rcv_skb(sk, skb, uh); - sock_put(sk); + if (refcounted) + sock_put(sk); return ret; } From patchwork Wed Mar 25 05:57:45 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joe Stringer X-Patchwork-Id: 221911 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.6 required=3.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DF59AC1975A for ; Wed, 25 Mar 2020 05:58:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id AC68A20714 for ; Wed, 25 Mar 2020 05:58:08 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Gm39fmOe" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727420AbgCYF6I (ORCPT ); Wed, 25 Mar 2020 01:58:08 -0400 Received: from mail-pj1-f46.google.com ([209.85.216.46]:35665 "EHLO mail-pj1-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726072AbgCYF6G (ORCPT ); Wed, 25 Mar 2020 01:58:06 -0400 Received: by mail-pj1-f46.google.com with SMTP id g9so574185pjp.0; Tue, 24 Mar 2020 22:58:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=sUtEhbKz06F2Ntj2VG0U/6YSVY5TYQY6ImX+pNJOM24=; b=Gm39fmOew6glZ6vLwEeNULrQoNAy3PLRsj2BrrGlX6MfxPMnObB9F86K1E0toqQUdB iZsWPkCb/7GQcgakCvvVxG5NFCKIKzeYSvEd24qIxb5ei5FH4u6+fQXow1mn79kuadHP neLK1LS6DhSGFWuMCpjz3qnHQS18VYk9Uqy9Pfv61675zk1XHQuaLNYE1s2N1PAZ3+5H VYlhd0ynBluP6SRmCKJGGf8ihvDLP819iYXoz537hdgsfjH5TPzzcHKNRgC5fifKDhrY pTq5dYMiwVoYSa4E4fyJhYTSLI51xTHCp74QpxEvYX0H3geZ7ERVYAi7XAbE1WAATISL noXw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references:mime-version:content-transfer-encoding; bh=sUtEhbKz06F2Ntj2VG0U/6YSVY5TYQY6ImX+pNJOM24=; b=FfWmFOCo78XRUCkNOVh19Ltrl2qpb0Hzmp8QMkWo9Q69BW85+sP3RGfYOoPkAXn9Pd XvEWUufJKps6v3F8aTAlTNyDLWah0va5mQNSp1Qo2+vwnrJQG941/0DOII+bo+N6ioI6 LtTRGkqWn22UK3yIbN7fNfhZdl2lBNjFNdTRr7Y2fsgXd90a+FvL6D7FqmQwmn6Cwkjz QptN3ksSSsTL2dvZoW2RDKdJUV7+L4ZbcjG7bjxnboExE6C82Rt5PEKXp2Iv+cInskXv 5WZrGW5GLonRDbFqUtU1hFb+i6BAD1LWvVOxoR8lL11cInh8PHEz3u49oeIZTSrtct6P 8ymA== X-Gm-Message-State: ANhLgQ0bgLq5FfPYzOL97MfvEwLgE9zXb9/dnjFMxSiURSLM+4PTWn3c Yhz/qC2AJLdzxzM1iSsYDKmi/HL2 X-Google-Smtp-Source: ADFU+vtYYU6K8doYI2pYU7oyKj7Ic6YOLo5HNg2Esg0F2lb4aO4hChEZINK92SLYuk9Mfn2JhINWyA== X-Received: by 2002:a17:902:598e:: with SMTP id p14mr1600357pli.276.1585115883832; Tue, 24 Mar 2020 22:58:03 -0700 (PDT) Received: from localhost.localdomain (c-73-93-5-123.hsd1.ca.comcast.net. [73.93.5.123]) by smtp.gmail.com with ESMTPSA id e10sm17605716pfm.121.2020.03.24.22.58.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 24 Mar 2020 22:58:03 -0700 (PDT) From: Joe Stringer To: bpf@vger.kernel.org Cc: Lorenz Bauer , netdev@vger.kernel.org, daniel@iogearbox.net, ast@kernel.org, eric.dumazet@gmail.com, kafai@fb.com Subject: [PATCHv2 bpf-next 5/5] selftests: bpf: add test for sk_assign Date: Tue, 24 Mar 2020 22:57:45 -0700 Message-Id: <20200325055745.10710-6-joe@wand.net.nz> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20200325055745.10710-1-joe@wand.net.nz> References: <20200325055745.10710-1-joe@wand.net.nz> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Lorenz Bauer Attach a tc direct-action classifier to lo in a fresh network namespace, and rewrite all connection attempts to localhost:4321 to localhost:1234 (for port tests) and connections to unreachable IPv4/IPv6 IPs to the local socket (for address tests). Keep in mind that both client to server and server to client traffic passes the classifier. Signed-off-by: Lorenz Bauer Co-authored-by: Joe Stringer Signed-off-by: Joe Stringer --- v2: Rebase onto test_progs infrastructure v1: Initial commit --- tools/testing/selftests/bpf/Makefile | 2 +- .../selftests/bpf/prog_tests/sk_assign.c | 244 ++++++++++++++++++ .../selftests/bpf/progs/test_sk_assign.c | 127 +++++++++ 3 files changed, 372 insertions(+), 1 deletion(-) create mode 100644 tools/testing/selftests/bpf/prog_tests/sk_assign.c create mode 100644 tools/testing/selftests/bpf/progs/test_sk_assign.c diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile index 7729892e0b04..4f7f83d059ca 100644 --- a/tools/testing/selftests/bpf/Makefile +++ b/tools/testing/selftests/bpf/Makefile @@ -76,7 +76,7 @@ TEST_PROGS_EXTENDED := with_addr.sh \ # Compile but not part of 'make run_tests' TEST_GEN_PROGS_EXTENDED = test_sock_addr test_skb_cgroup_id_user \ flow_dissector_load test_flow_dissector test_tcp_check_syncookie_user \ - test_lirc_mode2_user xdping test_cpp runqslower + test_lirc_mode2_user xdping test_cpp runqslower test_sk_assign TEST_CUSTOM_PROGS = urandom_read diff --git a/tools/testing/selftests/bpf/prog_tests/sk_assign.c b/tools/testing/selftests/bpf/prog_tests/sk_assign.c new file mode 100644 index 000000000000..1f0afcc20c48 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/sk_assign.c @@ -0,0 +1,244 @@ +// SPDX-License-Identifier: GPL-2.0 +// Copyright (c) 2018 Facebook +// Copyright (c) 2019 Cloudflare +// Copyright (c) 2020 Isovalent, Inc. +/* + * Test that the socket assign program is able to redirect traffic towards a + * socket, regardless of whether the port or address destination of the traffic + * matches the port. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include + +#include "test_progs.h" + +#define TEST_DPORT 4321 +#define TEST_DADDR (0xC0A80203) +#define NS_SELF "/proc/self/ns/net" + +static __u32 duration; + +static bool configure_stack(int self_net) +{ + /* Move to a new networking namespace */ + if (CHECK_FAIL(unshare(CLONE_NEWNET))) + return false; + + /* Configure necessary links, routes */ + if (CHECK_FAIL(system("ip link set dev lo up"))) + return false; + if (CHECK_FAIL(system("ip route add local default dev lo"))) + return false; + if (CHECK_FAIL(system("ip -6 route add local default dev lo"))) + return false; + + /* Load qdisc, BPF program */ + if (CHECK_FAIL(system("tc qdisc add dev lo clsact"))) + return false; + if (CHECK_FAIL(system("tc filter add dev lo ingress bpf direct-action " + "object-file ./test_sk_assign.o section sk_assign_test"))) + return false; + + return true; +} + +static int start_server(const struct sockaddr *addr, socklen_t len) +{ + int fd; + + fd = socket(addr->sa_family, SOCK_STREAM, 0); + if (CHECK_FAIL(fd == -1)) + goto out; + if (CHECK_FAIL(bind(fd, addr, len) == -1)) + goto close_out; + if (CHECK_FAIL(listen(fd, 128) == -1)) + goto close_out; + + goto out; + +close_out: + close(fd); + fd = -1; +out: + return fd; +} + +static void handle_timeout(int signum) +{ + if (signum == SIGALRM) + fprintf(stderr, "Timed out while connecting to server\n"); + kill(0, SIGKILL); +} + +static struct sigaction timeout_action = { + .sa_handler = handle_timeout, +}; + +static int connect_to_server(const struct sockaddr *addr, socklen_t len) +{ + int fd = -1; + + fd = socket(addr->sa_family, SOCK_STREAM, 0); + if (CHECK_FAIL(fd == -1)) + goto out; + if (CHECK_FAIL(sigaction(SIGALRM, &timeout_action, NULL))) + goto out; + alarm(3); + if (CHECK_FAIL(connect(fd, addr, len) == -1)) + goto close_out; + + goto out; + +close_out: + close(fd); + fd = -1; +out: + return fd; +} + +static in_port_t get_port(int fd) +{ + struct sockaddr_storage name; + socklen_t len; + in_port_t port = 0; + + len = sizeof(name); + if (CHECK_FAIL(getsockname(fd, (struct sockaddr *)&name, &len))) + return port; + + switch (name.ss_family) { + case AF_INET: + port = ((struct sockaddr_in *)&name)->sin_port; + break; + case AF_INET6: + port = ((struct sockaddr_in6 *)&name)->sin6_port; + break; + default: + CHECK(1, "Invalid address family", "%d\n", name.ss_family); + } + return port; +} + +static int run_test(int server_fd, const struct sockaddr *addr, socklen_t len) +{ + int client = -1, srv_client = -1; + char buf[] = "testing"; + in_port_t port; + int ret = 1; + + client = connect_to_server(addr, len); + if (client == -1) { + perror("Cannot connect to server"); + goto out; + } + + srv_client = accept(server_fd, NULL, NULL); + if (CHECK_FAIL(srv_client == -1)) { + perror("Can't accept connection"); + goto out; + } + if (CHECK_FAIL(write(client, buf, sizeof(buf)) != sizeof(buf))) { + perror("Can't write on client"); + goto out; + } + if (CHECK_FAIL(read(srv_client, buf, sizeof(buf)) != sizeof(buf))) { + perror("Can't read on server"); + goto out; + } + + port = get_port(srv_client); + if (CHECK_FAIL(!port)) + goto out; + if (CHECK(port != htons(TEST_DPORT), "Expected", "port %u but got %u", + TEST_DPORT, ntohs(port))) + goto out; + + ret = 0; +out: + close(client); + close(srv_client); + return ret; +} + +static int do_sk_assign(void) +{ + struct sockaddr_in addr4; + struct sockaddr_in6 addr6; + int server = -1; + int server_v6 = -1; + int err = 1; + + memset(&addr4, 0, sizeof(addr4)); + addr4.sin_family = AF_INET; + addr4.sin_addr.s_addr = htonl(INADDR_LOOPBACK); + addr4.sin_port = htons(1234); + + memset(&addr6, 0, sizeof(addr6)); + addr6.sin6_family = AF_INET6; + addr6.sin6_addr = in6addr_loopback; + addr6.sin6_port = htons(1234); + + server = start_server((const struct sockaddr *)&addr4, sizeof(addr4)); + if (server == -1) + goto out; + + server_v6 = start_server((const struct sockaddr *)&addr6, + sizeof(addr6)); + if (server_v6 == -1) + goto out; + + /* Connect to unbound ports */ + addr4.sin_port = htons(TEST_DPORT); + addr6.sin6_port = htons(TEST_DPORT); + + test__start_subtest("ipv4 port redir"); + if (run_test(server, (const struct sockaddr *)&addr4, sizeof(addr4))) + goto out; + + test__start_subtest("ipv6 port redir"); + if (run_test(server_v6, (const struct sockaddr *)&addr6, sizeof(addr6))) + goto out; + + /* Connect to unbound addresses */ + addr4.sin_addr.s_addr = htonl(TEST_DADDR); + addr6.sin6_addr.s6_addr32[3] = htonl(TEST_DADDR); + + test__start_subtest("ipv4 addr redir"); + if (run_test(server, (const struct sockaddr *)&addr4, sizeof(addr4))) + goto out; + + test__start_subtest("ipv6 addr redir"); + if (run_test(server_v6, (const struct sockaddr *)&addr6, sizeof(addr6))) + goto out; + + err = 0; +out: + close(server); + close(server_v6); + return err; +} + +void test_sk_assign(void) +{ + int self_net; + + self_net = open(NS_SELF, O_RDONLY); + if (CHECK_FAIL(self_net < 0)) { + perror("Unable to open "NS_SELF); + return; + } + + if (!configure_stack(self_net)) { + perror("configure_stack"); + goto cleanup; + } + + do_sk_assign(); + +cleanup: + close(self_net); +} diff --git a/tools/testing/selftests/bpf/progs/test_sk_assign.c b/tools/testing/selftests/bpf/progs/test_sk_assign.c new file mode 100644 index 000000000000..7de30ad3f594 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_sk_assign.c @@ -0,0 +1,127 @@ +// SPDX-License-Identifier: GPL-2.0 +// Copyright (c) 2019 Cloudflare Ltd. + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int _version SEC("version") = 1; +char _license[] SEC("license") = "GPL"; + +/* Fill 'tuple' with L3 info, and attempt to find L4. On fail, return NULL. */ +static struct bpf_sock_tuple *get_tuple(void *data, __u64 nh_off, + void *data_end, __u16 eth_proto, + bool *ipv4) +{ + struct bpf_sock_tuple *result; + __u8 proto = 0; + __u64 ihl_len; + + if (eth_proto == bpf_htons(ETH_P_IP)) { + struct iphdr *iph = (struct iphdr *)(data + nh_off); + + if (iph + 1 > data_end) + return NULL; + if (iph->ihl != 5) + /* Options are not supported */ + return NULL; + ihl_len = iph->ihl * 4; + proto = iph->protocol; + *ipv4 = true; + result = (struct bpf_sock_tuple *)&iph->saddr; + } else if (eth_proto == bpf_htons(ETH_P_IPV6)) { + struct ipv6hdr *ip6h = (struct ipv6hdr *)(data + nh_off); + + if (ip6h + 1 > data_end) + return NULL; + ihl_len = sizeof(*ip6h); + proto = ip6h->nexthdr; + *ipv4 = false; + result = (struct bpf_sock_tuple *)&ip6h->saddr; + } else { + return NULL; + } + + if (result + 1 > data_end || proto != IPPROTO_TCP) + return NULL; + + return result; +} + +SEC("sk_assign_test") +int bpf_sk_assign_test(struct __sk_buff *skb) +{ + void *data_end = (void *)(long)skb->data_end; + void *data = (void *)(long)skb->data; + struct ethhdr *eth = (struct ethhdr *)(data); + struct bpf_sock_tuple *tuple, ln = {0}; + struct bpf_sock *sk; + int tuple_len; + bool ipv4; + int ret; + + if (eth + 1 > data_end) + return TC_ACT_SHOT; + + tuple = get_tuple(data, sizeof(*eth), data_end, eth->h_proto, &ipv4); + if (!tuple) + return TC_ACT_SHOT; + + tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6); + sk = bpf_skc_lookup_tcp(skb, tuple, tuple_len, BPF_F_CURRENT_NETNS, 0); + if (sk) { + if (sk->state != BPF_TCP_LISTEN) + goto assign; + + bpf_sk_release(sk); + } + + if (ipv4) { + if (tuple->ipv4.dport != bpf_htons(4321)) + return TC_ACT_OK; + + ln.ipv4.daddr = bpf_htonl(0x7f000001); + ln.ipv4.dport = bpf_htons(1234); + + sk = bpf_skc_lookup_tcp(skb, &ln, sizeof(ln.ipv4), + BPF_F_CURRENT_NETNS, 0); + } else { + if (tuple->ipv6.dport != bpf_htons(4321)) + return TC_ACT_OK; + + /* Upper parts of daddr are already zero. */ + ln.ipv6.daddr[3] = bpf_htonl(0x1); + ln.ipv6.dport = bpf_htons(1234); + + sk = bpf_skc_lookup_tcp(skb, &ln, sizeof(ln.ipv6), + BPF_F_CURRENT_NETNS, 0); + } + + /* We can't do a single skc_lookup_tcp here, because then the compiler + * will likely spill tuple_len to the stack. This makes it lose all + * bounds information in the verifier, which then rejects the call as + * unsafe. + */ + if (!sk) + return TC_ACT_SHOT; + + if (sk->state != BPF_TCP_LISTEN) { + bpf_sk_release(sk); + return TC_ACT_SHOT; + } + +assign: + ret = bpf_sk_assign(skb, sk, 0); + bpf_sk_release(sk); + return ret == 0 ? TC_ACT_OK : TC_ACT_SHOT; +}