    {f,m}_bpf: allow updates on program arrays · 91d88eeb
    Daniel Borkmann authored
    Since we have all infrastructure in place now, allow atomic live updates
    on program arrays. This can be very useful e.g. in case programs that are
    being tail-called need to be replaced, f.e. when classifier functionality
    needs to be changed, new protocols added/removed during runtime, etc.
    
    Thus, provide a way for in-place code updates, minimal example: Given is
    an object file cls.o that contains the entry point in section 'classifier',
    has a globally pinned program array 'jmp' with 2 slots and id of 0, and
    two tail called programs under section '0/0' (prog array key 0) and '0/1'
    (prog array key 1), the section encoding for the loader is <id/key>.
    Adding the filter loads everything into cls_bpf:
    
      tc filter add dev foo parent ffff: bpf da obj cls.o
    
    Now, the program under section '0/1' needs to be replaced with an updated
    version that resides in the same section (also full path to tc's subfolder
    of the mount point can be passed, e.g. /sys/fs/bpf/tc/globals/jmp):
    
      tc exec bpf graft m:globals/jmp obj cls.o sec 0/1
    
    In case the program resides under a different section 'foo', it can also
    be injected into the program array like:
    
      tc exec bpf graft m:globals/jmp key 1 obj cls.o sec foo
    
    If the new tail called classifier program is already available as a pinned
    object somewhere (here: /sys/fs/bpf/tc/progs/parser), it can be injected
    into the prog array like:
    
      tc exec bpf graft m:globals/jmp key 1 fd m:progs/parser
    
    In the kernel, the program on key 1 is being atomically replaced and the
    old one's refcount dropped.
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
tc_bpf.c 39.8 KB
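The slot selection implied by the three graft commands in the commit message, as an added example (not iproute2's code): a small C model that takes the key from an explicit `key N` when one is given, otherwise from the `<id/key>` section name, and refuses keys outside the array. The function names, the precedence of an explicit key, and the pre-check against the slot count (2 for 'jmp' in the message) are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse a decimal field terminated by `stop`; return a pointer past it, or NULL. */
static const char *field(const char *s, char stop, uint32_t *out)
{
    char *e;
    unsigned long long v;
    if (*s < '0' || *s > '9')           /* no empty field, sign or whitespace */
        return NULL;
    errno = 0;
    v = strtoull(s, &e, 10);
    if (errno || v > UINT32_MAX || *e != stop)
        return NULL;
    *out = (uint32_t)v;
    return stop ? e + 1 : e;
}

/* Split an "<id/key>" section name: "0/1" -> map id 0, key 1. */
int parse_id_key(const char *sec, uint32_t *id, uint32_t *key)
{
    const char *p = field(sec, '/', id);
    return (p && field(p, '\0', key)) ? 0 : -1;
}

/* Slot a graft writes: explicit "key N" if given (else NULL), otherwise the section's key. */
int resolve_graft_slot(const char *sec, const uint32_t *explicit_key,
                       uint32_t max_elem, uint32_t *slot)
{
    uint32_t id, key;
    if (explicit_key)
        key = *explicit_key;
    else if (!sec || parse_id_key(sec, &id, &key))
        return -1;                      /* e.g. sec "foo" without a key */
    if (key >= max_elem)
        return -1;                      /* outside the program array */
    *slot = key;
    return 0;
}

int main(void)
{
    uint32_t slot = 0, one = 1;         /* constructed inputs */
    int rc = resolve_graft_slot("foo", &one, 2, &slot);
    printf("sec foo, key 1: rc=%d slot=%u\n", rc, slot);
    return resolve_graft_slot("foo", NULL, 2, &slot) == -1 ? 0 : 1;
}
```

Running the same resolution before a graft shows which slot of the pinned array a command will overwrite, which is worth recording when live replacements are audited.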