1. 04 Oct, 2018 4 commits
    • libbpf: Consistent prefixes for interfaces in nlattr.h. · f04bc8a4
      Andrey Ignatov authored
      libbpf is used more and more outside kernel tree. That means the library
      should follow good practices in library design and implementation to
      play well with third party code that uses it.
      
      One of such practices is to have a common prefix (or a few) for every
      interface, function or data structure, library provides. It helps to
      avoid name conflicts with other libraries and keeps API consistent.
      
      Inconsistent names in libbpf already cause problems in real life. E.g.
      an application can't use both libbpf and libnl due to conflicting
      symbols.
      
      Having common prefix will help to fix current and avoid future problems.
      
      libbpf already uses the following prefixes for its interfaces:
      * bpf_ for bpf system call wrappers, program/map/elf-object
        abstractions and a few other things;
      * btf_ for BTF related API;
      * libbpf_ for everything else.
      
      The patch adds libbpf_ prefix to interfaces in nlattr.h that use none of
      mentioned above prefixes and doesn't fit well into the first two
      categories.
      
      Since affected part of API is used in bpftool, the patch applies
      corresponding change to bpftool as well. Having it in a separate patch
      will cause a state of tree where bpftool is broken what may not be a
      good idea.
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • libbpf: Consistent prefixes for interfaces in libbpf.h. · aae57780
      Andrey Ignatov authored
      libbpf is used more and more outside kernel tree. That means the library
      should follow good practices in library design and implementation to
      play well with third party code that uses it.
      
      One of such practices is to have a common prefix (or a few) for every
      interface, function or data structure, library provides. It helps to
      avoid name conflicts with other libraries and keeps API consistent.
      
      Inconsistent names in libbpf already cause problems in real life. E.g.
      an application can't use both libbpf and libnl due to conflicting
      symbols.
      
      Having common prefix will help to fix current and avoid future problems.
      
      libbpf already uses the following prefixes for its interfaces:
      * bpf_ for bpf system call wrappers, program/map/elf-object
        abstractions and a few other things;
      * btf_ for BTF related API;
      * libbpf_ for everything else.
      
      The patch adds libbpf_ prefix to functions and typedef in libbpf.h that
      use none of mentioned above prefixes and doesn't fit well into the first
      two categories.
      
      Since affected part of API is used in bpftool, the patch applies
      corresponding change to bpftool as well. Having it in a separate patch
      will cause a state of tree where bpftool is broken what may not be a
      good idea.
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • libbpf: Move __dump_nlmsg_t from API to implementation · 434fe9d4
      Andrey Ignatov authored
      This typedef is used only by implementation in netlink.c. Nothing uses
      it in public API. Move it to netlink.c.
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • net: core: Fix build with CONFIG_IPV6=m · d71019b5
      Joe Stringer authored
      Stephen Rothwell reports the following link failure with IPv6 as module:
      
        x86_64-linux-gnu-ld: net/core/filter.o: in function `sk_lookup':
        (.text+0x19219): undefined reference to `__udp6_lib_lookup'
      
      Fix the build by only enabling the IPv6 socket lookup if IPv6 support is
      compiled into the kernel.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
  2. 03 Oct, 2018 14 commits
    • Merge branch 'bpf-sk-lookup' · 33d9a7fd
      Daniel Borkmann authored
      Joe Stringer says:
      
      ====================
      This series proposes a new helper for the BPF API which allows BPF programs to
      perform lookups for sockets in a network namespace. This would allow programs
      to determine early on in processing whether the stack is expecting to receive
      the packet, and perform some action (eg drop, forward somewhere) based on this
      information.
      
      The series is structured roughly into:
      * Misc refactor
      * Add the socket pointer type
      * Add reference tracking to ensure that socket references are freed
      * Extend the BPF API to add sk_lookup_xxx() / sk_release() functions
      * Add tests/documentation
      
      The helper proposed in this series includes a parameter for a tuple which must
      be filled in by the caller to determine the socket to look up. The simplest
      case would be filling with the contents of the packet, ie mapping the packet's
      5-tuple into the parameter. In common cases, it may alternatively be useful to
      reverse the direction of the tuple and perform a lookup, to find the socket
      that initiates this connection; and if the BPF program ever performs a form of
      IP address translation, it may further be useful to be able to look up
      arbitrary tuples that are not based upon the packet, but instead based on state
      held in BPF maps or hardcoded in the BPF program.
      
      Currently, access into the socket's fields are limited to those which are
      otherwise already accessible, and are restricted to read-only access.
      
      Changes since v3:
      * New patch: "bpf: Reuse canonical string formatter for ctx errs"
      * Add PTR_TO_SOCKET to is_ctx_reg().
      * Add a few new checks to prevent mixing of socket/non-socket pointers.
      * Swap order of checks in sock_filter_is_valid_access().
      * Prefix register spill macros with "bpf_".
      * Add acks from previous round
      * Rebase
      
      Changes since v2:
      * New patch: "selftests/bpf: Generalize dummy program types".
        This enables adding verifier tests for socket lookup with tail calls.
      * Define the semantics of the new helpers more clearly in uAPI header.
      * Fix release of caller_net when netns is not specified.
      * Use skb->sk to find caller net when skb->dev is unavailable.
      * Fix build with !CONFIG_NET.
      * Replace ptr_id defensive coding when releasing reference state with an
        internal error (-EFAULT).
      * Remove flags argument to sk_release().
      * Add several new assembly tests suggested by Daniel.
      * Add a few new C tests.
      * Fix typo in verifier error message.
      
      Changes since v1:
      * Limit netns_id field to 32 bits
      * Reuse reg_type_mismatch() in more places
      * Reduce the number of passes at convert_ctx_access()
      * Replace ptr_id defensive coding when releasing reference state with an
        internal error (-EFAULT)
      * Rework 'struct bpf_sock_tuple' to allow passing a packet pointer
      * Allow direct packet access from helper
      * Fix compile error with CONFIG_IPV6 enabled
      * Improve commit messages
      
      Changes since RFC:
      * Split up sk_lookup() into sk_lookup_tcp(), sk_lookup_udp().
      * Only take references on the socket when necessary.
        * Make sk_release() only free the socket reference in this case.
      * Fix some runtime reference leaks:
        * Disallow BPF_LD_[ABS|IND] instructions while holding a reference.
        * Disallow bpf_tail_call() while holding a reference.
      * Prevent the same instruction being used for reference and other
        pointer type.
      * Simplify locating copies of a reference during helper calls by caching
        the pointer id from the caller.
      * Fix kbuild compilation warnings with particular configs.
      * Improve code comments describing the new verifier pieces.
      * Tested by Nitin
      ====================
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • Documentation: Describe bpf reference tracking · a610b665
      Joe Stringer authored
      Document the new pointer types in the verifier and how the pointer ID
      tracking works to ensure that references which are taken are later
      released.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: Add C tests for reference tracking · de375f4e
      Joe Stringer authored
      Add some tests that demonstrate and test the balanced lookup/free
      nature of socket lookup. Section names that start with "fail" represent
      programs that are expected to fail verification; all others should
      succeed.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • libbpf: Support loading individual progs · 29cd77f4
      Joe Stringer authored
      Allow the individual program load to be invoked. This will help with
      testing, where a single ELF may contain several sections, some of which
      denote subprograms that are expected to fail verification, along with
      some which are expected to pass verification. By allowing programs to be
      iterated and individually loaded, each program can be independently
      checked against its expected verification result.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: Add tests for reference tracking · b584ab88
      Joe Stringer authored
      reference tracking: leak potential reference
      reference tracking: leak potential reference on stack
      reference tracking: leak potential reference on stack 2
      reference tracking: zero potential reference
      reference tracking: copy and zero potential references
      reference tracking: release reference without check
      reference tracking: release reference
      reference tracking: release reference twice
      reference tracking: release reference twice inside branch
      reference tracking: alloc, check, free in one subbranch
      reference tracking: alloc, check, free in both subbranches
      reference tracking in call: free reference in subprog
      reference tracking in call: free reference in subprog and outside
      reference tracking in call: alloc & leak reference in subprog
      reference tracking in call: alloc in subprog, release outside
      reference tracking in call: sk_ptr leak into caller stack
      reference tracking in call: sk_ptr spill into caller stack
      reference tracking: allow LD_ABS
      reference tracking: forbid LD_ABS while holding reference
      reference tracking: allow LD_IND
      reference tracking: forbid LD_IND while holding reference
      reference tracking: check reference or tail call
      reference tracking: release reference then tail call
      reference tracking: leak possible reference over tail call
      reference tracking: leak checked reference over tail call
      reference tracking: mangle and release sock_or_null
      reference tracking: mangle and release sock
      reference tracking: access member
      reference tracking: write to member
      reference tracking: invalid 64-bit access of member
      reference tracking: access after release
      reference tracking: direct access for lookup
      unpriv: spill/fill of different pointers stx - ctx and sock
      unpriv: spill/fill of different pointers stx - leak sock
      unpriv: spill/fill of different pointers stx - sock and ctx (read)
      unpriv: spill/fill of different pointers stx - sock and ctx (write)
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: Generalize dummy program types · 0c586079
      Joe Stringer authored
      Don't hardcode the dummy program types to SOCKET_FILTER type, as this
      prevents testing bpf_tail_call in conjunction with other program types.
      Instead, use the program type specified in the test case.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Add helper to retrieve socket in BPF · 6acc9b43
      Joe Stringer authored
      This patch adds new BPF helper functions, bpf_sk_lookup_tcp() and
      bpf_sk_lookup_udp() which allows BPF programs to find out if there is a
      socket listening on this host, and returns a socket pointer which the
      BPF program can then access to determine, for instance, whether to
      forward or drop traffic. bpf_sk_lookup_xxx() may take a reference on the
      socket, so when a BPF program makes use of this function, it must
      subsequently pass the returned pointer into the newly added sk_release()
      to return the reference.
      
      By way of example, the following pseudocode would filter inbound
      connections at XDP if there is no corresponding service listening for
      the traffic:
      
        struct bpf_sock_tuple tuple;
        struct bpf_sock_ops *sk;
      
        populate_tuple(ctx, &tuple); // Extract the 5tuple from the packet
        sk = bpf_sk_lookup_tcp(ctx, &tuple, sizeof tuple, netns, 0);
        if (!sk) {
          // Couldn't find a socket listening for this traffic. Drop.
          return TC_ACT_SHOT;
        }
        bpf_sk_release(sk, 0);
        return TC_ACT_OK;
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Add reference tracking to verifier · fd978bf7
      Joe Stringer authored
      Allow helper functions to acquire a reference and return it into a
      register. Specific pointer types such as the PTR_TO_SOCKET will
      implicitly represent such a reference. The verifier must ensure that
      these references are released exactly once in each path through the
      program.
      
      To achieve this, this commit assigns an id to the pointer and tracks it
      in the 'bpf_func_state', then when the function or program exits,
      verifies that all of the acquired references have been freed. When the
      pointer is passed to a function that frees the reference, it is removed
      from the 'bpf_func_state' and all existing copies of the pointer in
      registers are marked invalid.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
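A toy model of the bookkeeping described in the commit message above, added here as an illustration and not taken from the kernel verifier. All names (`func_state`, `verify`, the `OP_*` instructions) are hypothetical, and the model is simplified to straight-line programs in which the lookup always succeeds.

```c
#include <stdio.h>
#include <string.h>

#define NREGS    4
#define MAX_REFS 8
#define LEN(a)   ((int)(sizeof(a) / sizeof((a)[0])))

enum reg_type { NOT_INIT, PTR_TO_SOCKET };
enum op { OP_ACQUIRE, OP_COPY, OP_ACCESS, OP_RELEASE, OP_EXIT };
enum verdict { V_OK, V_LEAK, V_BAD_ACCESS, V_BAD_RELEASE, V_BAD_PROG };

struct reg  { enum reg_type type; int id; };
struct insn { enum op op; int dst, src; };

/* Hypothetical stand-in for the per-function state named in the commit. */
struct func_state {
	struct reg regs[NREGS];
	int refs[MAX_REFS];	/* ids acquired and not yet released */
	int nrefs;
	int next_id;
};

/* Drop the reference and invalidate every register copy of the pointer. */
static int release_ref(struct func_state *st, int id)
{
	for (int i = 0; i < st->nrefs; i++) {
		if (st->refs[i] != id)
			continue;
		st->refs[i] = st->refs[--st->nrefs];
		for (int r = 0; r < NREGS; r++)
			if (st->regs[r].type == PTR_TO_SOCKET && st->regs[r].id == id)
				st->regs[r] = (struct reg){ NOT_INIT, 0 };
		return 0;
	}
	return -1;
}

enum verdict verify(const struct insn *prog, int len)
{
	struct func_state st;

	memset(&st, 0, sizeof(st));
	for (int i = 0; i < len; i++) {
		const struct insn *in = &prog[i];

		if (in->dst < 0 || in->dst >= NREGS || in->src < 0 || in->src >= NREGS)
			return V_BAD_PROG;
		switch (in->op) {
		case OP_ACQUIRE:	/* helper returns a referenced socket */
			if (st.nrefs == MAX_REFS)
				return V_BAD_PROG;
			st.refs[st.nrefs++] = ++st.next_id;
			st.regs[in->dst] = (struct reg){ PTR_TO_SOCKET, st.next_id };
			break;
		case OP_COPY:		/* the copy carries the same id */
			st.regs[in->dst] = st.regs[in->src];
			break;
		case OP_ACCESS:		/* read a socket field through dst */
			if (st.regs[in->dst].type != PTR_TO_SOCKET)
				return V_BAD_ACCESS;
			break;
		case OP_RELEASE:
			if (st.regs[in->dst].type != PTR_TO_SOCKET ||
			    release_ref(&st, st.regs[in->dst].id))
				return V_BAD_RELEASE;
			break;
		case OP_EXIT:		/* all references must be gone by now */
			return st.nrefs ? V_LEAK : V_OK;
		}
	}
	return st.nrefs ? V_LEAK : V_OK;	/* falling off the end is an exit */
}

/* Constructed sample programs; register numbers are arbitrary. */
static const struct insn prog_balanced[] = {
	{ OP_ACQUIRE, 0, 0 }, { OP_ACCESS, 0, 0 }, { OP_RELEASE, 0, 0 }, { OP_EXIT, 0, 0 },
};
static const struct insn prog_leak[] = {
	{ OP_ACQUIRE, 0, 0 }, { OP_EXIT, 0, 0 },
};
static const struct insn prog_overwrite[] = {	/* first pointer is clobbered */
	{ OP_ACQUIRE, 0, 0 }, { OP_ACQUIRE, 0, 0 }, { OP_RELEASE, 0, 0 }, { OP_EXIT, 0, 0 },
};
static const struct insn prog_release_twice[] = {
	{ OP_ACQUIRE, 0, 0 }, { OP_COPY, 1, 0 }, { OP_RELEASE, 0, 0 },
	{ OP_RELEASE, 1, 0 }, { OP_EXIT, 0, 0 },
};
static const struct insn prog_use_after_release[] = {
	{ OP_ACQUIRE, 0, 0 }, { OP_COPY, 1, 0 }, { OP_RELEASE, 0, 0 },
	{ OP_ACCESS, 1, 0 }, { OP_EXIT, 0, 0 },
};

int main(void)
{
	printf("balanced=%d leak=%d overwrite=%d twice=%d use-after-release=%d\n",
	       verify(prog_balanced, LEN(prog_balanced)),
	       verify(prog_leak, LEN(prog_leak)),
	       verify(prog_overwrite, LEN(prog_overwrite)),
	       verify(prog_release_twice, LEN(prog_release_twice)),
	       verify(prog_use_after_release, LEN(prog_use_after_release)));
	return 0;
}
```

Because a release invalidates every copy that shares the id, the second release and the access after release are rejected without any extra per-copy state.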
    • bpf: Macrofy stack state copy · 84dbf350
      Joe Stringer authored
      An upcoming commit will need very similar copy/realloc boilerplate, so
      refactor the existing stack copy/realloc functions into macros to
      simplify it.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Add PTR_TO_SOCKET verifier type · c64b7983
      Joe Stringer authored
      Teach the verifier a little bit about a new type of pointer, a
      PTR_TO_SOCKET. This pointer type is accessed from BPF through the
      'struct bpf_sock' structure.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Generalize ptr_or_null regs check · 840b9615
      Joe Stringer authored
      This check will be reused by an upcoming commit for conditional jump
      checks for sockets. Refactor it a bit to simplify the later commit.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Reuse canonical string formatter for ctx errs · 9d2be44a
      Joe Stringer authored
      The array "reg_type_str" provides canonical formatting of register
      types, however a couple of places would previously check whether a
      register represented the context and write the name "context" directly.
      An upcoming commit will add another pointer type to these statements, so
      to provide more accurate error messages in the verifier, update these
      error messages to use "reg_type_str" instead.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Simplify ptr_min_max_vals adjustment · aad2eeaf
      Joe Stringer authored
      An upcoming commit will add another two pointer types that need very
      similar behaviour, so generalise this function now.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: Add iterator for spilled registers · f3709f69
      Joe Stringer authored
      Add this iterator for spilled registers, it concentrates the details of
      how to get the current frame's spilled registers into a single macro
      while clarifying the intention of the code which is calling the macro.
      Signed-off-by: Joe Stringer <joe@wand.net.nz>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
  3. 02 Oct, 2018 4 commits
  4. 01 Oct, 2018 11 commits
    • Merge branch 'bpf-per-cpu-cgroup-storage' · cb86d0f8
      Daniel Borkmann authored
      Roman Gushchin says:
      
      ====================
      This patchset implements per-cpu cgroup local storage and provides
      an example how per-cpu and shared cgroup local storage can be used
      for efficient accounting of network traffic.
      
      v4->v3:
        1) incorporated Alexei's feedback
      
      v3->v2:
        1) incorporated Song's feedback
        2) rebased on top of current bpf-next
      
      v2->v1:
        1) added a selftest implementing network counters
        2) added a missing free() in cgroup local storage selftest
      ====================
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: cgroup local storage-based network counters · 371e4fcc
      Roman Gushchin authored
      This commit adds a bpf kselftest, which demonstrates how percpu
      and shared cgroup local storage can be used for efficient lookup-free
      network accounting.
      
      Cgroup local storage provides generic memory area with a very efficient
      lookup free access. To avoid expensive atomic operations for each
      packet, per-cpu cgroup local storage is used. Each packet is initially
      charged to a per-cpu counter, and only if the counter reaches certain
      value (32 in this case), the charge is moved into the global atomic
      counter. This allows to amortize atomic operations, keeping reasonable
      accuracy.
      
      The test also implements a naive network traffic throttling, mostly to
      demonstrate the possibility of bpf cgroup-based network bandwidth
      control.
      
      Expected output:
        ./test_netcnt
        test_netcnt:PASS
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
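The batching scheme from the commit message above, simulated on a single thread as an added example; this is not the selftest's code. The threshold of 32 comes from the commit message, while `NCPU`, the struct layout and the function names are assumptions made for the illustration.

```c
#include <stdatomic.h>
#include <stdio.h>

#define NCPU               4	/* assumed CPU count for the simulation */
#define MAX_PERCPU_PACKETS 32	/* flush threshold from the commit message */

struct netcnt {
	unsigned long percpu[NCPU];	/* plain counters, one per CPU */
	atomic_ulong  shared;		/* global counter, atomic updates only */
	unsigned long atomic_ops;	/* demo bookkeeping: flushes performed */
};

static void netcnt_init(struct netcnt *c)
{
	for (int i = 0; i < NCPU; i++)
		c->percpu[i] = 0;
	atomic_init(&c->shared, 0);
	c->atomic_ops = 0;
}

/* Charge one packet on 'cpu'; touch the shared counter only at the threshold. */
static void charge_packet(struct netcnt *c, int cpu)
{
	if (++c->percpu[cpu] < MAX_PERCPU_PACKETS)
		return;
	atomic_fetch_add(&c->shared, c->percpu[cpu]);
	c->percpu[cpu] = 0;
	c->atomic_ops++;
}

unsigned long shared_total(struct netcnt *c)
{
	return atomic_load(&c->shared);
}

/* What a reader gets by also summing every per-CPU remainder. */
unsigned long exact_total(struct netcnt *c)
{
	unsigned long sum = shared_total(c);

	for (int i = 0; i < NCPU; i++)
		sum += c->percpu[i];
	return sum;
}

/* Worst-case number of packets not yet visible in the shared counter. */
unsigned long max_lag(void)
{
	return NCPU * (MAX_PERCPU_PACKETS - 1UL);
}

/* A throttle decision that looks at the shared counter only. */
int over_limit(struct netcnt *c, unsigned long limit)
{
	return shared_total(c) >= limit;
}

/* Constructed workload: packets spread round-robin over the CPUs. */
void simulate(struct netcnt *c, unsigned long packets)
{
	netcnt_init(c);
	for (unsigned long p = 0; p < packets; p++)
		charge_packet(c, (int)(p % NCPU));
}

int main(void)
{
	struct netcnt c;

	simulate(&c, 1000);
	printf("shared=%lu exact=%lu atomic_ops=%lu max_lag=%lu over_900=%d\n",
	       shared_total(&c), exact_total(&c), c.atomic_ops, max_lag(),
	       over_limit(&c, 900));
	return 0;
}
```

A limit enforced from the shared counter alone can be overshot by up to `max_lag()` packets, which is the accuracy traded for the reduced number of atomic operations.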
    • samples/bpf: extend test_cgrp2_attach2 test to use per-cpu cgroup storage · 5fcbd29b
      Roman Gushchin authored
      This commit extends the test_cgrp2_attach2 test to cover per-cpu
      cgroup storage. Bpf program will use shared and per-cpu cgroup
      storages simultaneously, so a better coverage of corresponding
      core code will be achieved.
      
      Expected output:
        $ ./test_cgrp2_attach2
        Attached DROP prog. This ping in cgroup /foo should fail...
        ping: sendmsg: Operation not permitted
        Attached DROP prog. This ping in cgroup /foo/bar should fail...
        ping: sendmsg: Operation not permitted
        Attached PASS prog. This ping in cgroup /foo/bar should pass...
        Detached PASS from /foo/bar while DROP is attached to /foo.
        This ping in cgroup /foo/bar should fail...
        ping: sendmsg: Operation not permitted
        Attached PASS from /foo/bar and detached DROP from /foo.
        This ping in cgroup /foo/bar should pass...
        ### override:PASS
        ### multi:PASS
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: extend the storage test to test per-cpu cgroup storage · 919646d2
      Roman Gushchin authored
      This test extends the cgroup storage test to use per-cpu flavor
      of the cgroup storage as well.
      
      The test initializes a per-cpu cgroup storage to some non-zero initial
      value (1000), and then simply bumps a per-cpu counter each time
      the shared counter is atomically incremented. Then it reads all
      per-cpu areas from the userspace side, and checks that the sum
      of values adds to the expected sum.
      
      Expected output:
        $ ./test_cgroup_storage
        test_cgroup_storage:PASS
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: add verifier per-cpu cgroup storage tests · a3c6054f
      Roman Gushchin authored
      This commit adds verifier tests covering per-cpu cgroup storage
      functionality. There are 6 new tests, which are exactly the same
      as for shared cgroup storage, but do use per-cpu cgroup storage
      map.
      
      Expected output:
        $ ./test_verifier
        #0/u add+sub+mul OK
        #0/p add+sub+mul OK
        ...
        #286/p invalid cgroup storage access 6 OK
        #287/p valid per-cpu cgroup storage access OK
        #288/p invalid per-cpu cgroup storage access 1 OK
        #289/p invalid per-cpu cgroup storage access 2 OK
        #290/p invalid per-cpu cgroup storage access 3 OK
        #291/p invalid per-cpu cgroup storage access 4 OK
        #292/p invalid per-cpu cgroup storage access 5 OK
        #293/p invalid per-cpu cgroup storage access 6 OK
        #294/p multiple registers share map_lookup_elem result OK
        ...
        #662/p mov64 src == dst OK
        #663/p mov64 src != dst OK
        Summary: 914 PASSED, 0 SKIPPED, 0 FAILED
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpftool: add support for PERCPU_CGROUP_STORAGE maps · e5487092
      Roman Gushchin authored
      This commit adds support for BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE
      map type.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: sync include/uapi/linux/bpf.h to tools/include/uapi/linux/bpf.h · 25025e0a
      Roman Gushchin authored
      The sync is required due to the appearance of a new map type:
      BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE, which implements per-cpu
      cgroup local storage.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: don't allow create maps of per-cpu cgroup local storages · c6fdcd6e
      Roman Gushchin authored
      Explicitly forbid creating map of per-cpu cgroup local storages.
      This behavior matches the behavior of shared cgroup storages.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: introduce per-cpu cgroup local storage · b741f163
      Roman Gushchin authored
      This commit introduced per-cpu cgroup local storage.
      
      Per-cpu cgroup local storage is very similar to simple cgroup storage
      (let's call it shared), except all the data is per-cpu.
      
      The main goal of per-cpu variant is to implement super fast
      counters (e.g. packet counters), which require neither
      lookups nor atomic operations.
      
      From userspace's point of view, accessing a per-cpu cgroup storage
      is similar to other per-cpu map types (e.g. per-cpu hashmaps and
      arrays).
      
      Writing to a per-cpu cgroup storage is not atomic, but is performed
      by copying longs, so some minimal atomicity is here, exactly
      as with other per-cpu maps.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Acked-by: Song Liu <songliubraving@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: rework cgroup storage pointer passing · f294b37e
      Roman Gushchin authored
      To simplify the following introduction of per-cpu cgroup storage,
      let's rework a bit a mechanism of passing a pointer to a cgroup
      storage into the bpf_get_local_storage(). Let's save a pointer
      to the corresponding bpf_cgroup_storage structure, instead of
      a pointer to the actual buffer.
      
      It will help us to handle per-cpu storage later, which has
      a different way of accessing to the actual data.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • bpf: extend cgroup bpf core to allow multiple cgroup storage types · 8bad74f9
      Roman Gushchin authored
      In order to introduce per-cpu cgroup storage, let's generalize
      bpf cgroup core to support multiple cgroup storage types.
      Potentially, per-node cgroup storage can be added later.
      
      This commit is mostly a formal change that replaces
      cgroup_storage pointer with an array of cgroup_storage pointers.
      It doesn't actually introduce a new storage type,
      it will be done later.
      
      Each bpf program is now able to have one cgroup storage of each type.
      Signed-off-by: Roman Gushchin <guro@fb.com>
      Acked-by: Song Liu <songliubraving@fb.com>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
  5. 28 Sep, 2018 1 commit
  6. 27 Sep, 2018 6 commits
    • Merge branch 'bpf-libbpf-attach-by-name' · 78e6e5c1
      Daniel Borkmann authored
      Andrey Ignatov says:
      
      ====================
      This patch set introduces libbpf_attach_type_by_name function in libbpf
      to identify attach type by section name.
      
      This is useful to avoid writing same logic over and over again in user
      space applications that leverage libbpf.
      
      Patch 1 has more details on the new function and problem being solved.
      Patches 2 and 3 add support for new section names.
      Patch 4 uses new function in a selftest.
      Patch 5 adds selftest for libbpf_{prog,attach}_type_by_name.
      
      As a side note there are a lot of inconsistencies now between names used
      by libbpf and bpftool (e.g. cgroup/skb vs cgroup_skb, cgroup_device and
      device vs cgroup/dev, sockops vs sock_ops, etc). This patch set does not
      address it but it tries not to make it harder to address it in the future.
      ====================
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: Test libbpf_{prog,attach}_type_by_name · 370920c4
      Andrey Ignatov authored
      Add selftest for libbpf functions libbpf_prog_type_by_name and
      libbpf_attach_type_by_name.
      
      Example of output:
        % ./tools/testing/selftests/bpf/test_section_names
        Summary: 35 PASSED, 0 FAILED
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • selftests/bpf: Use libbpf_attach_type_by_name in test_socket_cookie · c9bf507d
      Andrey Ignatov authored
      Use newly introduced libbpf_attach_type_by_name in test_socket_cookie
      selftest.
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • libbpf: Support sk_skb/stream_{parser, verdict} section names · c6f6851b
      Andrey Ignatov authored
      Add section names for BPF_SK_SKB_STREAM_PARSER and
      BPF_SK_SKB_STREAM_VERDICT attach types to be able to identify them in
      libbpf_attach_type_by_name.
      
      "stream_parser" and "stream_verdict" are used instead of simple "parser"
      and "verdict" just to avoid possible confusion in a place where attach
      type is used alone (e.g. in bpftool's show sub-commands) since there is
      another attach point that can be named as "verdict": BPF_SK_MSG_VERDICT.
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • libbpf: Support cgroup_skb/{e,in}gress section names · bafa7afe
      Andrey Ignatov authored
      Add section names for BPF_CGROUP_INET_INGRESS and BPF_CGROUP_INET_EGRESS
      attach types to be able to identify them in libbpf_attach_type_by_name.
      
      "cgroup_skb" is used instead of "cgroup/skb" mostly to ease possible
      unifying of how libbpf and bpftool works with section names:
      * bpftool uses "cgroup_skb" in "prog list" sub-command;
      * bpftool uses "ingress" and "egress" in "cgroup list" sub-command;
      * having two parts instead of three in a string like "cgroup_skb/ingress"
        can be leveraged to split it to prog_type part and attach_type part,
        or vice versa: use two parts to make a section name.
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    • libbpf: Introduce libbpf_attach_type_by_name · 956b620f
      Andrey Ignatov authored
      There is a common use-case when ELF object contains multiple BPF
      programs and every program has its own section name. If it's cgroup-bpf
      then programs have to be 1) loaded and 2) attached to a cgroup.
      
      It's convenient to have information necessary to load BPF program
      together with program itself. This is where section name works fine in
      conjunction with libbpf_prog_type_by_name that identifies prog_type and
      expected_attach_type and these can be used with BPF_PROG_LOAD.
      
      But there is currently no way to identify attach_type by section name
      and it leads to messy code in user space that reinvents guessing logic
      every time it has to identify attach type to use with BPF_PROG_ATTACH.
      
      The patch introduces libbpf_attach_type_by_name that guesses attach type
      by section name if a program can be attached.
      
      The difference between expected_attach_type provided by
      libbpf_prog_type_by_name and attach_type provided by
      libbpf_attach_type_by_name is the former is used at BPF_PROG_LOAD time
      and can be zero if a program of prog_type X has only one corresponding
      attach type Y whereas the latter provides specific attach type to use
      with BPF_PROG_ATTACH.
      
      No new section names were added to section_names array. Only existing
      ones were reorganized and attach_type was added where appropriate.
      Signed-off-by: Andrey Ignatov <rdna@fb.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>