On Thu, 3 Dec 2020 00:43:36 +0100 Daniel Borkmann <dan...@iogearbox.net> wrote:
> On 11/27/20 7:06 PM, Jesper Dangaard Brouer wrote: > > The use-case for dropping the MTU check when TC-BPF does redirect to > > ingress, is described by Eyal Birger in email[0]. The summary is the > > ability to increase packet size (e.g. with IPv6 headers for NAT64) and > > ingress redirect packet and let normal netstack fragment packet as needed. > > > > [0] > > https://lore.kernel.org/netdev/CAHsH6Gug-hsLGHQ6N0wtixdOa85LDZ3HNRHVd0opR=19qo4...@mail.gmail.com/ > > > > V4: > > - Keep net_device "up" (IFF_UP) check. > > - Adjustment to handle bpf_redirect_peer() helper > > > > Signed-off-by: Jesper Dangaard Brouer <bro...@redhat.com> > > --- > > include/linux/netdevice.h | 31 +++++++++++++++++++++++++++++-- > > net/core/dev.c | 19 ++----------------- > > net/core/filter.c | 14 +++++++++++--- > > 3 files changed, 42 insertions(+), 22 deletions(-) > > > > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h > > index 7ce648a564f7..4a854e09e918 100644 > > --- a/include/linux/netdevice.h > > +++ b/include/linux/netdevice.h > > @@ -3917,11 +3917,38 @@ int dev_forward_skb(struct net_device *dev, struct > > sk_buff *skb); > > bool is_skb_forwardable(const struct net_device *dev, > > const struct sk_buff *skb); > > > > +static __always_inline bool __is_skb_forwardable(const struct net_device > > *dev, > > + const struct sk_buff *skb, > > + const bool check_mtu) > > +{ > > + const u32 vlan_hdr_len = 4; /* VLAN_HLEN */ > > + unsigned int len; > > + > > + if (!(dev->flags & IFF_UP)) > > + return false; > > + > > + if (!check_mtu) > > + return true; > > + > > + len = dev->mtu + dev->hard_header_len + vlan_hdr_len; > > + if (skb->len <= len) > > + return true; > > + > > + /* if TSO is enabled, we don't care about the length as the packet > > + * could be forwarded without being segmented before > > + */ > > + if (skb_is_gso(skb)) > > + return true; > > + > > + return false; > > +} > > + > > static __always_inline int ____dev_forward_skb(struct net_device *dev, > > - struct sk_buff *skb) > > + struct sk_buff *skb, > > + const bool check_mtu) > > { > > if (skb_orphan_frags(skb, GFP_ATOMIC) || > > - unlikely(!is_skb_forwardable(dev, skb))) { > > + unlikely(!__is_skb_forwardable(dev, skb, check_mtu))) { > > atomic_long_inc(&dev->rx_dropped); > > kfree_skb(skb); > > return NET_RX_DROP; > > diff --git a/net/core/dev.c b/net/core/dev.c > > index 60d325bda0d7..6ceb6412ee97 100644 > > --- a/net/core/dev.c > > +++ b/net/core/dev.c > > @@ -2189,28 +2189,13 @@ static inline void net_timestamp_set(struct sk_buff > > *skb) > > > > bool is_skb_forwardable(const struct net_device *dev, const struct > > sk_buff *skb) > > { > > - unsigned int len; > > - > > - if (!(dev->flags & IFF_UP)) > > - return false; > > - > > - len = dev->mtu + dev->hard_header_len + VLAN_HLEN; > > - if (skb->len <= len) > > - return true; > > - > > - /* if TSO is enabled, we don't care about the length as the packet > > - * could be forwarded without being segmented before > > - */ > > - if (skb_is_gso(skb)) > > - return true; > > - > > - return false; > > + return __is_skb_forwardable(dev, skb, true); > > } > > EXPORT_SYMBOL_GPL(is_skb_forwardable); > > Only user of is_skb_forwardable() that is left after this patch is bridge, > maybe > the whole thing should be moved into the header? Well, yes, maybe... I just felt it belongs in another patchset. > > int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb) > > { > > - int ret = ____dev_forward_skb(dev, skb); > > + int ret = ____dev_forward_skb(dev, skb, true); > > > > if (likely(!ret)) { > > skb->protocol = eth_type_trans(skb, dev); > > diff --git a/net/core/filter.c b/net/core/filter.c > > index d6125cfc49c3..4673afe59533 100644 > > --- a/net/core/filter.c > > +++ b/net/core/filter.c > > @@ -2083,13 +2083,21 @@ static const struct bpf_func_proto > > bpf_csum_level_proto = { > > > > static inline int __bpf_rx_skb(struct net_device *dev, struct sk_buff > > *skb) > > { > > - return dev_forward_skb(dev, skb); > > + int ret = ____dev_forward_skb(dev, skb, false); > > + > > + if (likely(!ret)) { > > + skb->protocol = eth_type_trans(skb, dev); > > + skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); > > + ret = netif_rx(skb); > > Why netif_rx() and not netif_rx_internal() as in dev_forward_skb() originally? > One extra call otherwise. This is because the function below calls netif_rx(), which is just outside patch-diff-window. Thus, it looked wrong/strange to call netif_rx_internal(), but sure I can use netif_rx_internal() instead. > > > + } > > + > > + return ret; > > } > > > > static inline int __bpf_rx_skb_no_mac(struct net_device *dev, > > struct sk_buff *skb) > > { > > - int ret = ____dev_forward_skb(dev, skb); > > + int ret = ____dev_forward_skb(dev, skb, false); > > > > if (likely(!ret)) { > > skb->dev = dev; > > @@ -2480,7 +2488,7 @@ int skb_do_redirect(struct sk_buff *skb) > > goto out_drop; > > dev = ops->ndo_get_peer_dev(dev); > > if (unlikely(!dev || > > - !is_skb_forwardable(dev, skb) || > > + !__is_skb_forwardable(dev, skb, false) || > > If we only use __is_skb_forwardable() with false directly here, maybe then > lets just have the !(dev->flags & IFF_UP) test here instead.. Sure, let do that. > > net_eq(net, dev_net(dev)))) > > goto out_drop; > > skb->dev = dev; > > -- Best regards, Jesper Dangaard Brouer MSc.CS, Principal Kernel Engineer at Red Hat LinkedIn: http://www.linkedin.com/in/brouer
