1. 09 Aug, 2019 5 commits
  2. 08 Aug, 2019 1 commit
    • Yonghong Song's avatar
      tools/bpf: fix core_reloc.c compilation error · b7076592
      Yonghong Song authored
      On my local machine, I have the following compilation errors:
      =====
        In file included from prog_tests/core_reloc.c:3:0:
        ./progs/core_reloc_types.h:517:46: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘fancy_char_ptr_t’
       typedef const char * const volatile restrict fancy_char_ptr_t;
                                                    ^
        ./progs/core_reloc_types.h:527:2: error: unknown type name ‘fancy_char_ptr_t’
          fancy_char_ptr_t d;
          ^
      =====
      
      I am using gcc 4.8.5. Later compilers may change their behavior not emitting the
      error. Nevertheless, let us fix the issue. "restrict" can be tested
      without typedef.
      
      Fixes: 9654e2ae ("selftests/bpf: add CO-RE relocs modifiers/typedef tests")
      Cc: Andrii Nakryiko <andriin@fb.com>
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      b7076592
  3. 07 Aug, 2019 19 commits
  4. 06 Aug, 2019 2 commits
  5. 01 Aug, 2019 3 commits
  6. 31 Jul, 2019 9 commits
    • Jakub Kicinski's avatar
      tools: bpftool: add support for reporting the effective cgroup progs · a98bf573
      Jakub Kicinski authored
      Takshak said in the original submission:
      
      With different bpf attach_flags available to attach bpf programs specially
      with BPF_F_ALLOW_OVERRIDE and BPF_F_ALLOW_MULTI, the list of effective
      bpf-programs available to any sub-cgroups really needs to be available for
      easy debugging.
      
      Using BPF_F_QUERY_EFFECTIVE flag, one can get the list of not only attached
      bpf-programs to a cgroup but also the inherited ones from parent cgroup.
      
      So a new option is introduced to use BPF_F_QUERY_EFFECTIVE query flag here
      to list all the effective bpf-programs available for execution at a specified
      cgroup.
      
      Reused modified test program test_cgroup_attach from tools/testing/selftests/bpf:
        # ./test_cgroup_attach
      
      With old bpftool:
      
       # bpftool cgroup show /sys/fs/cgroup/cgroup-test-work-dir/cg1/
        ID       AttachType      AttachFlags     Name
        271      egress          multi           pkt_cntr_1
        272      egress          multi           pkt_cntr_2
      
      Attached new program pkt_cntr_4 in cg2 gives following:
      
       # bpftool cgroup show /sys/fs/cgroup/cgroup-test-work-dir/cg1/cg2
        ID       AttachType      AttachFlags     Name
        273      egress          override        pkt_cntr_4
      
      And with new "effective" option it shows all effective programs for cg2:
      
       # bpftool cgroup show /sys/fs/cgroup/cgroup-test-work-dir/cg1/cg2 effective
        ID       AttachType      AttachFlags     Name
        273      egress          override        pkt_cntr_4
        271      egress          override        pkt_cntr_1
        272      egress          override        pkt_cntr_2
      
      Compared to original submission use a local flag instead of global
      option.
      
      We need to clear query_flags on every command, in case batch mode
      wants to use varying settings.
      
      v2: (Takshak)
       - forbid duplicated flags;
       - fix cgroup path freeing.
      Signed-off-by: default avatarTakshak Chahande <ctakshak@fb.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Reviewed-by: default avatarQuentin Monnet <quentin.monnet@netronome.com>
      Reviewed-by: default avatarTakshak Chahande <ctakshak@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a98bf573
    • Andrii Nakryiko's avatar
      selftests/bpf: fix clearing buffered output between tests/subtests · bf8ff0f8
      Andrii Nakryiko authored
      Clear buffered output once test or subtests finishes even if test was
      successful. Not doing this leads to accumulation of output from previous
      tests and on first failed tests lots of irrelevant output will be
      dumped, greatly confusing things.
      
      v1->v2: fix Fixes tag, add more context to patch
      
      Fixes: 3a516a0a ("selftests/bpf: add sub-tests support for test_progs")
      Signed-off-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      bf8ff0f8
    • Alexei Starovoitov's avatar
      Merge branch 'gen-syn-cookie' · 116e7dbe
      Alexei Starovoitov authored
      Petar Penkov says:
      
      ====================
      This patch series introduces a BPF helper function that allows generating SYN
      cookies from BPF. Currently, this helper is enabled at both the TC hook and the
      XDP hook.
      
      The first two patches in the series add/modify several TCP helper functions to
      allow for SKB-less operation, as is the case at the XDP hook.
      
      The third patch introduces the bpf_tcp_gen_syncookie helper function which
      generates a SYN cookie for either XDP or TC programs. The return value of
      this function contains both the MSS value, encoded in the cookie, and the
      cookie itself.
      
      The last three patches sync tools/ and add a test.
      
      Performance evaluation:
      I sent 10Mpps to a fixed port on a host with 2 10G bonded Mellanox 4 NICs from
      random IPv6 source addresses. Without XDP I observed 7.2Mpps (syn-acks) being
      sent out if the IPv6 packets carry 20 bytes of TCP options or 7.6Mpps if they
      carry no options. If I attached a simple program that checks if a packet is
      IPv6/TCP/SYN, looks up the socket, issues a cookie, and sends it back out after
      swapping src/dest, recomputing the checksum, and setting the ACK flag, I
      observed 10Mpps being sent back out.
      
      Changes since v1:
      1/ Added performance numbers to the cover letter
      2/ Patch 2: Refactored a bit to fix compilation issues
      3/ Patch 3: Changed ENOTSUPP to EOPNOTSUPP at Toke's suggestion
      
      Changes since RFC:
      1/ Cookie is returned in host order at Alexei's suggestion
      2/ If cookies are not enabled via a sysctl, the helper function returns
         -ENOENT instead of -EINVAL at Lorenz's suggestion
      3/ Fixed documentation to properly reflect that MSS is 16 bits at
         Lorenz's suggestion
      4/ BPF helper requires TCP length to match ->doff field, rather than to simply
         be no more than 20 bytes at Eric and Alexei's suggestion
      5/ Packet type is looked up from the packet version field, rather than from the
         socket. v4 packets are rejected on v6-only sockets but should work with
         dual stack listeners at Eric's suggestion
      6/ Removed unnecessary `net` argument from helper function in patch 2 at
         Lorenz's suggestion
      7/ Changed test to only pass MSS option so we can convince the verifier that the
         memory access is not out of bounds
      
      Note that 7/ below illustrates the verifier might need to be extended to allow
      passing a variable tcph->doff to the helper function like below:
      
      __u32 thlen = tcph->doff * 4;
      if (thlen < sizeof(*tcph))
      	return;
      __s64 cookie = bpf_tcp_gen_syncookie(sk, ipv4h, 20, tcph, thlen);
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      116e7dbe
    • Petar Penkov's avatar
      selftests/bpf: add test for bpf_tcp_gen_syncookie · 91bc3578
      Petar Penkov authored
      Modify the existing bpf_tcp_check_syncookie test to also generate a
      SYN cookie, pass the packet to the kernel, and verify that the two
      cookies are the same (and both valid). Since cloned SKBs are skipped
      during generic XDP, this test does not issue a SYN cookie when run in
      XDP mode. We therefore only check that a valid SYN cookie was issued at
      the TC hook.
      
      Additionally, verify that the MSS for that SYN cookie is within
      expected range.
      Signed-off-by: default avatarPetar Penkov <ppenkov@google.com>
      Reviewed-by: default avatarLorenz Bauer <lmb@cloudflare.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      91bc3578
    • Petar Penkov's avatar
      selftests/bpf: bpf_tcp_gen_syncookie->bpf_helpers · 637f71c0
      Petar Penkov authored
      Expose bpf_tcp_gen_syncookie to selftests.
      Signed-off-by: default avatarPetar Penkov <ppenkov@google.com>
      Reviewed-by: default avatarLorenz Bauer <lmb@cloudflare.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      637f71c0
    • Petar Penkov's avatar
      bpf: sync bpf.h to tools/ · 3745ee18
      Petar Penkov authored
      Sync updated documentation for bpf_redirect_map.
      
      Sync the bpf_tcp_gen_syncookie helper function definition with the one
      in tools/uapi.
      Signed-off-by: default avatarPetar Penkov <ppenkov@google.com>
      Reviewed-by: default avatarLorenz Bauer <lmb@cloudflare.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      3745ee18
    • Petar Penkov's avatar
      bpf: add bpf_tcp_gen_syncookie helper · 70d66244
      Petar Penkov authored
      This helper function allows BPF programs to try to generate SYN
      cookies, given a reference to a listener socket. The function works
      from XDP and with an skb context since bpf_skc_lookup_tcp can lookup a
      socket in both cases.
      Signed-off-by: default avatarPetar Penkov <ppenkov@google.com>
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarLorenz Bauer <lmb@cloudflare.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      70d66244
    • Petar Penkov's avatar
      tcp: add skb-less helpers to retrieve SYN cookie · 9349d600
      Petar Penkov authored
      This patch allows generation of a SYN cookie before an SKB has been
      allocated, as is the case at XDP.
      Signed-off-by: default avatarPetar Penkov <ppenkov@google.com>
      Reviewed-by: default avatarLorenz Bauer <lmb@cloudflare.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      9349d600
    • Petar Penkov's avatar
      tcp: tcp_syn_flood_action read port from socket · 96511278
      Petar Penkov authored
      This allows us to call this function before an SKB has been
      allocated.
      Signed-off-by: default avatarPetar Penkov <ppenkov@google.com>
      Reviewed-by: default avatarLorenz Bauer <lmb@cloudflare.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      96511278
  7. 29 Jul, 2019 1 commit
    • Alexei Starovoitov's avatar
      Merge branch 'devmap_hash' · d3406913
      Alexei Starovoitov authored
      Toke Høiland-Jørgensen says:
      
      ====================
      This series adds a new map type, devmap_hash, that works like the existing
      devmap type, but using a hash-based indexing scheme. This is useful for the use
      case where a devmap is indexed by ifindex (for instance for use with the routing
      table lookup helper). For this use case, the regular devmap needs to be sized
      after the maximum ifindex number, not the number of devices in it. A hash-based
      indexing scheme makes it possible to size the map after the number of devices it
      should contain instead.
      
      This was previously part of my patch series that also turned the regular
      bpf_redirect() helper into a map-based one; for this series I just pulled out
      the patches that introduced the new map type.
      
      Changelog:
      
      v5:
      
      - Dynamically set the number of hash buckets by rounding up max_entries to the
        nearest power of two (mirroring the regular hashmap), as suggested by Jesper.
      
      v4:
      
      - Remove check_memlock parameter that was left over from an earlier patch
        series.
      - Reorder struct members to avoid holes.
      
      v3:
      
      - Rework the split into different patches
      - Use spin_lock_irqsave()
      - Also add documentation and bash completion definitions for bpftool
      
      v2:
      
      - Split commit adding the new map type so uapi and tools changes are separate.
      
      Changes to these patches since the previous series:
      
      - Rebase on top of the other devmap changes (makes this one simpler!)
      - Don't enforce key==val, but allow arbitrary indexes.
      - Rename the type to devmap_hash to reflect the fact that it's just a hashmap now.
      ====================
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      d3406913