This is v3 of the RFC sent earlier
(https://patchwork.ozlabs.org/cover/931785/).

v2->v3:
- As per the review feedback received, this patchset reuses as much code
  as possible from sockmap/sk_msg, e.g. it uses the existing struct
  sk_msg_buff, struct sk_msg_md, sk_msg_convert_ctx_access and part of
  the code from sk_msg_convert_ctx_access.
- The bpf helper bpf_msg_pull_data() is used to access packet data. Some
  issues found with bpf_msg_pull_data() are therefore fixed in patch 3.
- Feedback was given that an unprivileged user can attach a new
  BPF_PROG_TYPE_SOCKET_SG_FILTER to a non-rds socket, e.g. normal tcp/udp,
  through the SO_ATTACH_BPF sockopt, where the input context is an skb
  instead of an sg list, and that this can cause issues. However, I found
  that an unprivileged user can attach any kind of eBPF program to a
  socket using SO_ATTACH_BPF, not only socksg. But if the eBPF program is
  faulty, the kernel BPF verifier takes care of it and invalidates any
  access to kernel data; it doesn't let the eBPF program run.
- socksg programs now return an action code (e.g. SOCKSG_PASS etc.).

Background:
The motivation for this work is to allow eBPF based firewalling for
kernel modules that do not always get their packet as an sk_buff from
their downlink drivers. One such instance of this use-case is RDS, which
can be run both over IB (driver RDMA's a scatterlist to the RDS module)
or over TCP (TCP passes an sk_buff to the RDS module).

This patchset uses the existing socket filter infrastructure and extends
it with a new eBPF program type that deals with struct scatterlist. The
existing bpf helper bpf_msg_pull_data() is used to inspect packet data
that is in the form of struct scatterlist. For RDS, the integrated
approach treats the scatterlist as the common denominator, and allows
the application to write a filter for processing a scatterlist.

Details:
Patch 1 adds the new eBPF prog type BPF_PROG_TYPE_SOCKET_SG_FILTER, which
uses the existing socket filter infrastructure for bpf program attach
and load. An eBPF program of type BPF_PROG_TYPE_SOCKET_SG_FILTER deals
with struct scatterlist as bpf context, in contrast to
BPF_PROG_TYPE_SOCKET_FILTER, which deals with struct skb. This new eBPF
program type allows a socket filter to run on packet data that is in the
form of struct scatterlist.

Patch 2 adds sg_filter_run(), which runs BPF_PROG_TYPE_SOCKET_SG_FILTER.

Patch 3 fixes bpf_msg_pull_data() for the bugs that were found while
doing some experiments with different sizes of packets.

Patch 4 allows rds_recv_incoming to invoke a socket filter program which
deals with struct scatterlist.

Patch 5 adds a socket filter eBPF sample program that uses patches 1 to
4. The sample program opens an rds socket, attaches an eBPF program
(socksg, i.e. BPF_PROG_TYPE_SOCKET_SG_FILTER) to the rds socket and uses
the bpf_msg_pull_data() helper to inspect RDS packet data. For a test,
the current sample program only prints the first few bytes of packet
data.

Testing:
To confirm data accuracy and results, RDS packets of various sizes have
been tested with the socksg program along with various start and end
values for bpf_msg_pull_data(). All such tests show accurate results.

Thanks.
-Tushar

Tushar Dave (5):
  eBPF: Add new eBPF prog type BPF_PROG_TYPE_SOCKET_SG_FILTER
  ebpf: Add sg_filter_run()
  ebpf: fix bpf_msg_pull_data
  rds: invoke socket sg filter attached to rds socket
  ebpf: Add sample ebpf program for SOCKET_SG_FILTER

 include/linux/bpf_types.h      |   1 +
 include/linux/filter.h         |   8 +
 include/uapi/linux/bpf.h       |   7 +
 kernel/bpf/syscall.c           |   1 +
 kernel/bpf/verifier.c          |   1 +
 net/core/filter.c              | 140 +++++++++++++----
 net/rds/ib.c                   |   1 +
 net/rds/ib.h                   |   1 +
 net/rds/ib_recv.c              |  12 ++
 net/rds/rds.h                  |   2 +
 net/rds/recv.c                 |  17 +++
 net/rds/tcp.c                  |   2 +
 net/rds/tcp.h                  |   2 +
 net/rds/tcp_recv.c             |  38 +++++
 samples/bpf/Makefile           |   3 +
 samples/bpf/bpf_load.c         |  11 +-
 samples/bpf/rds_filter_kern.c  |  42 +++++
 samples/bpf/rds_filter_user.c  | 339 +++++++++++++++++++++++++++++++++++++++++
 tools/bpf/bpftool/prog.c       |   1 +
 tools/include/uapi/linux/bpf.h |   7 +
 tools/lib/bpf/libbpf.c         |   3 +
 tools/lib/bpf/libbpf.h         |   2 +
 22 files changed, 607 insertions(+), 34 deletions(-)
 create mode 100644 samples/bpf/rds_filter_kern.c
 create mode 100644 samples/bpf/rds_filter_user.c

--
1.8.3.1