bpf: add icmp_send_unreach kfunc #5648
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author
|
Upstream branch: 5345e64 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
6978e3e to
1661322
Compare
Author
|
Upstream branch: 5b4c54a |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/980967=>bpf-next
branch
from
40ec30e to
db34d08
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
1661322 to
6217ef6
Compare
Author
|
Upstream branch: cd7c97f |
Move and rename nf_reject_fill_skb_dst from ipv4/netfilter/nf_reject_ipv4 to ip_route_reply_fetch_dst in ipv4/route.c so that it can be reused in the following patches by BPF kfuncs. Netfilter uses nf_ip_route that is almost a transparent wrapper around ip_route_output_key so this patch inlines it. Signed-off-by: Mahe Tardy <[email protected]>
Move and rename nf_reject6_fill_skb_dst from ipv6/netfilter/nf_reject_ipv6 to ip6_route_reply_fetch_dst in ipv6/route.c so that it can be reused in the following patches by BPF kfuncs. Netfilter uses nf_ip6_route that is almost a transparent wrapper around ip6_route_outputy so this patch inlines it. Signed-off-by: Mahe Tardy <[email protected]>
This is needed in the context of Tetragon to provide improved feedback (in contrast to just dropping packets) to east-west traffic when blocked by policies using cgroup_skb programs. This reuse concepts from netfilter reject target codepath with the differences that: * Packets are cloned since the BPF user can still return SK_PASS from the cgroup_skb progs and the current skb need to stay untouched (cgroup_skb hooks only allow read-only skb payload). * Since cgroup_skb programs are called late in the stack, checksums do not need to be computed or verified, and IPv4 fragmentation does not need to be checked (ip_local_deliver should take care of that earlier). Signed-off-by: Mahe Tardy <[email protected]>
This test opens a server and client, attach a cgroup_skb program on egress and calls the icmp_send_unreach function from the client egress so that an ICMP unreach control message is sent back to the client. It then fetches the message from the error queue to confirm the correct ICMP unreach code has been sent. Note that the BPF program returns SK_PASS to let the connection being established to finish the test cases quicker. Otherwise, you have to wait for the TCP three-way handshake to timeout in the kernel and retrieve the errno translated from the unreach code set by the ICMP control message. Signed-off-by: Mahe Tardy <[email protected]>
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/980967=>bpf-next
branch
from
db34d08 to
940a143
Compare
Author
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=986364 expired. Closing PR. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: add icmp_send_unreach kfunc
version: 3
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=986364