Re: [PATCH v2 net-next 0/5] Add bpf support to set sk_bound_dev_if
On 10/31/16 at 11:16am, David Ahern wrote:
> On 10/31/16 11:01 AM, David Miller wrote:
> > Also, any reason why you don't allow the cgroup bpf sk filter to return
> > an error code so that the sock creation could be cancelled if the eBPF
> > program desires that? It could be useful, I suppose.
>
> My first draft at this feature had that but I removed it for simplicity now.
> Can certainly add it back.

We're trying to standardize on common return codes for all program types. The lwt bpf series defines BPF_ codes which are compatible with TC_ACT_* values to make lwt_bpf and cls_bpf compatible. Would be great to use the same return codes and implement the ones that make sense.
Re: [PATCH v2 net-next 0/5] Add bpf support to set sk_bound_dev_if
On 10/31/16 11:01 AM, David Miller wrote:
> From: David Ahern
> Date: Wed, 26 Oct 2016 17:58:37 -0700
>
>> The recently added VRF support in Linux leverages the bind-to-device
>> API for programs to specify an L3 domain for a socket. While
>> SO_BINDTODEVICE has been around for ages, not every ipv4/ipv6 capable
>> program has support for it. Even for those programs that do support it,
>> the API requires processes to be started as root (CAP_NET_RAW) which
>> is not desirable from a general security perspective.
>>
>> This patch set leverages Daniel Mack's work to attach bpf programs to
>> a cgroup:
>>
>> https://www.mail-archive.com/netdev@vger.kernel.org/msg134028.html
>>
>> to provide a capability to set sk_bound_dev_if for all AF_INET{6}
>> sockets opened by a process in a cgroup when the sockets are allocated.
>>
>> This capability enables running any program in a VRF context and is key
>> to deploying Management VRF, a fundamental configuration for networking
>> gear, with any Linux OS installation.
>
> Ok, after some review I think I understand what's going on here.
>
> It would initially seem simpler to just support forced sk_bound_dev_if
> in cgroups. But I think I understand why you may have gone this way:

That's what the l3mdev cgroup patch does -- force the sk_bound_dev_if for sockets. Tejun pushed back on adding new controllers. The cgroup+bpf is another way to accomplish the end goal. The key is using the cgroup infra for parent-child inheritance of the policy, holder of the policy "data" to be applied, tracking what processes are in a group, what the group is for a specific process, and so on. No need to reinvent that part.

> 1) The cgroup-bpf code always has the cgroup hierarchy propagation
> logic.
>
> 2) There may be use cases for doing things with other sock members.
>
> With respect to #2, do you know of any such planned use cases already?

One suggestion is the local port binding limitations that Mahesh and Anoop were looking into.

> Also, any reason why you don't allow the cgroup bpf sk filter to return
> an error code so that the sock creation could be cancelled if the eBPF
> program desires that? It could be useful, I suppose.

My first draft at this feature had that but I removed it for simplicity now. Can certainly add it back.
Re: [PATCH v2 net-next 0/5] Add bpf support to set sk_bound_dev_if
From: David Ahern
Date: Wed, 26 Oct 2016 17:58:37 -0700

> The recently added VRF support in Linux leverages the bind-to-device
> API for programs to specify an L3 domain for a socket. While
> SO_BINDTODEVICE has been around for ages, not every ipv4/ipv6 capable
> program has support for it. Even for those programs that do support it,
> the API requires processes to be started as root (CAP_NET_RAW) which
> is not desirable from a general security perspective.
>
> This patch set leverages Daniel Mack's work to attach bpf programs to
> a cgroup:
>
> https://www.mail-archive.com/netdev@vger.kernel.org/msg134028.html
>
> to provide a capability to set sk_bound_dev_if for all AF_INET{6}
> sockets opened by a process in a cgroup when the sockets are allocated.
>
> This capability enables running any program in a VRF context and is key
> to deploying Management VRF, a fundamental configuration for networking
> gear, with any Linux OS installation.

Ok, after some review I think I understand what's going on here.

It would initially seem simpler to just support forced sk_bound_dev_if in cgroups. But I think I understand why you may have gone this way:

1) The cgroup-bpf code always has the cgroup hierarchy propagation logic.

2) There may be use cases for doing things with other sock members.

With respect to #2, do you know of any such planned use cases already?

Also, any reason why you don't allow the cgroup bpf sk filter to return an error code so that the sock creation could be cancelled if the eBPF program desires that? It could be useful, I suppose.

Thanks.
[PATCH v2 net-next 0/5] Add bpf support to set sk_bound_dev_if
The recently added VRF support in Linux leverages the bind-to-device API for programs to specify an L3 domain for a socket. While SO_BINDTODEVICE has been around for ages, not every ipv4/ipv6 capable program has support for it. Even for those programs that do support it, the API requires processes to be started as root (CAP_NET_RAW) which is not desirable from a general security perspective.

This patch set leverages Daniel Mack's work to attach bpf programs to a cgroup:

https://www.mail-archive.com/netdev@vger.kernel.org/msg134028.html

to provide a capability to set sk_bound_dev_if for all AF_INET{6} sockets opened by a process in a cgroup when the sockets are allocated.

This capability enables running any program in a VRF context and is key to deploying Management VRF, a fundamental configuration for networking gear, with any Linux OS installation.

v2
- addressed Daniel's comments: dropped the bpf_sock_store_u32 helper and used bpf_prog_run_save_cb on the code move
- picked up Mickaël Salaün's subtype patch with a few small tweaks
- removed new prog type in favor of a subtype on the BPF_PROG_TYPE_CGROUP from Daniel Mack's patch set
- moved the filter hook from sk_alloc to inet{6}_create

David Ahern (5):
  bpf: Refactor cgroups code in prep for new type
  bpf: Add eBPF program subtype and is_valid_subtype() verifier
  bpf: Add new cgroup attach type to enable sock modifications
  samples: bpf: Add prog_subtype to bpf_prog_load
  samples: bpf: add userspace example for modifying sk_bound_dev_if

 include/linux/bpf.h             |   7 ++-
 include/linux/filter.h          |   3 +-
 include/uapi/linux/bpf.h        |  15 +-
 kernel/bpf/cgroup.c             |  36 +++-
 kernel/bpf/syscall.c            |  11 ++-
 kernel/bpf/verifier.c           |  10 +++-
 kernel/trace/bpf_trace.c        |  16 --
 net/core/filter.c               | 115 +---
 net/ipv4/af_inet.c              |   4 ++
 net/ipv6/af_inet6.c             |   3 ++
 samples/bpf/Makefile            |   2 +
 samples/bpf/bpf_load.c          |   2 +-
 samples/bpf/fds_example.c       |   2 +-
 samples/bpf/libbpf.c            |   5 +-
 samples/bpf/libbpf.h            |   3 +-
 samples/bpf/sock_example.c      |   2 +-
 samples/bpf/test_cgrp2_attach.c |   4 +-
 samples/bpf/test_cgrp2_sock.c   |  84 +
 18 files changed, 280 insertions(+), 44 deletions(-)
 create mode 100644 samples/bpf/test_cgrp2_sock.c

-- 
2.1.4