mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-19 02:04:19 +08:00
2dbb9b9e6d
This patch adds a BPF_PROG_TYPE_SK_REUSEPORT which can select a SO_REUSEPORT sk from a BPF_MAP_TYPE_REUSEPORT_ARRAY. Like other non SK_FILTER/CGROUP_SKB program, it requires CAP_SYS_ADMIN. BPF_PROG_TYPE_SK_REUSEPORT introduces "struct sk_reuseport_kern" to store the bpf context instead of using the skb->cb[48]. At the SO_REUSEPORT sk lookup time, it is in the middle of transiting from a lower layer (ipv4/ipv6) to a upper layer (udp/tcp). At this point, it is not always clear where the bpf context can be appended in the skb->cb[48] to avoid saving-and-restoring cb[]. Even putting aside the difference between ipv4-vs-ipv6 and udp-vs-tcp. It is not clear if the lower layer is only ipv4 and ipv6 in the future and will it not touch the cb[] again before transiting to the upper layer. For example, in udp_gro_receive(), it uses the 48 byte NAPI_GRO_CB instead of IP[6]CB and it may still modify the cb[] after calling the udp[46]_lib_lookup_skb(). Because of the above reason, if sk->cb is used for the bpf ctx, saving-and-restoring is needed and likely the whole 48 bytes cb[] has to be saved and restored. Instead of saving, setting and restoring the cb[], this patch opts to create a new "struct sk_reuseport_kern" and setting the needed values in there. The new BPF_PROG_TYPE_SK_REUSEPORT and "struct sk_reuseport_(kern|md)" will serve all ipv4/ipv6 + udp/tcp combinations. There is no protocol specific usage at this point and it is also inline with the current sock_reuseport.c implementation (i.e. no protocol specific requirement). In "struct sk_reuseport_md", this patch exposes data/data_end/len with semantic similar to other existing usages. Together with "bpf_skb_load_bytes()" and "bpf_skb_load_bytes_relative()", the bpf prog can peek anywhere in the skb. The "bind_inany" tells the bpf prog that the reuseport group is bind-ed to a local INANY address which cannot be learned from skb. The new "bind_inany" is added to "struct sock_reuseport" which will be used when running the new "BPF_PROG_TYPE_SK_REUSEPORT" bpf prog in order to avoid repeating the "bind INANY" test on "sk_v6_rcv_saddr/sk->sk_rcv_saddr" every time a bpf prog is run. It can only be properly initialized when a "sk->sk_reuseport" enabled sk is adding to a hashtable (i.e. during "reuseport_alloc()" and "reuseport_add_sock()"). The new "sk_select_reuseport()" is the main helper that the bpf prog will use to select a SO_REUSEPORT sk. It is the only function that can use the new BPF_MAP_TYPE_REUSEPORT_ARRAY. As mentioned in the earlier patch, the validity of a selected sk is checked in run time in "sk_select_reuseport()". Doing the check in verification time is difficult and inflexible (consider the map-in-map use case). The runtime check is to compare the selected sk's reuseport_id with the reuseport_id that we want. This helper will return -EXXX if the selected sk cannot serve the incoming request (e.g. reuseport_id not match). The bpf prog can decide if it wants to do SK_DROP as its discretion. When the bpf prog returns SK_PASS, the kernel will check if a valid sk has been selected (i.e. "reuse_kern->selected_sk != NULL"). If it does , it will use the selected sk. If not, the kernel will select one from "reuse->socks[]" (as before this patch). The SK_DROP and SK_PASS handling logic will be in the next patch. Signed-off-by: Martin KaFai Lau <kafai@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
316 lines
7.9 KiB
C
316 lines
7.9 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
/*
|
|
* To speed up listener socket lookup, create an array to store all sockets
|
|
* listening on the same port. This allows a decision to be made after finding
|
|
* the first socket. An optional BPF program can also be configured for
|
|
* selecting the socket index from the array of available sockets.
|
|
*/
|
|
|
|
#include <net/sock_reuseport.h>
|
|
#include <linux/bpf.h>
|
|
#include <linux/idr.h>
|
|
#include <linux/rcupdate.h>
|
|
|
|
#define INIT_SOCKS 128
|
|
|
|
DEFINE_SPINLOCK(reuseport_lock);
|
|
|
|
#define REUSEPORT_MIN_ID 1
|
|
static DEFINE_IDA(reuseport_ida);
|
|
|
|
int reuseport_get_id(struct sock_reuseport *reuse)
|
|
{
|
|
int id;
|
|
|
|
if (reuse->reuseport_id)
|
|
return reuse->reuseport_id;
|
|
|
|
id = ida_simple_get(&reuseport_ida, REUSEPORT_MIN_ID, 0,
|
|
/* Called under reuseport_lock */
|
|
GFP_ATOMIC);
|
|
if (id < 0)
|
|
return id;
|
|
|
|
reuse->reuseport_id = id;
|
|
|
|
return reuse->reuseport_id;
|
|
}
|
|
|
|
static struct sock_reuseport *__reuseport_alloc(unsigned int max_socks)
|
|
{
|
|
unsigned int size = sizeof(struct sock_reuseport) +
|
|
sizeof(struct sock *) * max_socks;
|
|
struct sock_reuseport *reuse = kzalloc(size, GFP_ATOMIC);
|
|
|
|
if (!reuse)
|
|
return NULL;
|
|
|
|
reuse->max_socks = max_socks;
|
|
|
|
RCU_INIT_POINTER(reuse->prog, NULL);
|
|
return reuse;
|
|
}
|
|
|
|
int reuseport_alloc(struct sock *sk, bool bind_inany)
|
|
{
|
|
struct sock_reuseport *reuse;
|
|
|
|
/* bh lock used since this function call may precede hlist lock in
|
|
* soft irq of receive path or setsockopt from process context
|
|
*/
|
|
spin_lock_bh(&reuseport_lock);
|
|
|
|
/* Allocation attempts can occur concurrently via the setsockopt path
|
|
* and the bind/hash path. Nothing to do when we lose the race.
|
|
*/
|
|
reuse = rcu_dereference_protected(sk->sk_reuseport_cb,
|
|
lockdep_is_held(&reuseport_lock));
|
|
if (reuse) {
|
|
/* Only set reuse->bind_inany if the bind_inany is true.
|
|
* Otherwise, it will overwrite the reuse->bind_inany
|
|
* which was set by the bind/hash path.
|
|
*/
|
|
if (bind_inany)
|
|
reuse->bind_inany = bind_inany;
|
|
goto out;
|
|
}
|
|
|
|
reuse = __reuseport_alloc(INIT_SOCKS);
|
|
if (!reuse) {
|
|
spin_unlock_bh(&reuseport_lock);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
reuse->socks[0] = sk;
|
|
reuse->num_socks = 1;
|
|
reuse->bind_inany = bind_inany;
|
|
rcu_assign_pointer(sk->sk_reuseport_cb, reuse);
|
|
|
|
out:
|
|
spin_unlock_bh(&reuseport_lock);
|
|
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(reuseport_alloc);
|
|
|
|
static struct sock_reuseport *reuseport_grow(struct sock_reuseport *reuse)
|
|
{
|
|
struct sock_reuseport *more_reuse;
|
|
u32 more_socks_size, i;
|
|
|
|
more_socks_size = reuse->max_socks * 2U;
|
|
if (more_socks_size > U16_MAX)
|
|
return NULL;
|
|
|
|
more_reuse = __reuseport_alloc(more_socks_size);
|
|
if (!more_reuse)
|
|
return NULL;
|
|
|
|
more_reuse->max_socks = more_socks_size;
|
|
more_reuse->num_socks = reuse->num_socks;
|
|
more_reuse->prog = reuse->prog;
|
|
more_reuse->reuseport_id = reuse->reuseport_id;
|
|
more_reuse->bind_inany = reuse->bind_inany;
|
|
|
|
memcpy(more_reuse->socks, reuse->socks,
|
|
reuse->num_socks * sizeof(struct sock *));
|
|
more_reuse->synq_overflow_ts = READ_ONCE(reuse->synq_overflow_ts);
|
|
|
|
for (i = 0; i < reuse->num_socks; ++i)
|
|
rcu_assign_pointer(reuse->socks[i]->sk_reuseport_cb,
|
|
more_reuse);
|
|
|
|
/* Note: we use kfree_rcu here instead of reuseport_free_rcu so
|
|
* that reuse and more_reuse can temporarily share a reference
|
|
* to prog.
|
|
*/
|
|
kfree_rcu(reuse, rcu);
|
|
return more_reuse;
|
|
}
|
|
|
|
static void reuseport_free_rcu(struct rcu_head *head)
|
|
{
|
|
struct sock_reuseport *reuse;
|
|
|
|
reuse = container_of(head, struct sock_reuseport, rcu);
|
|
if (reuse->prog)
|
|
bpf_prog_destroy(reuse->prog);
|
|
if (reuse->reuseport_id)
|
|
ida_simple_remove(&reuseport_ida, reuse->reuseport_id);
|
|
kfree(reuse);
|
|
}
|
|
|
|
/**
|
|
* reuseport_add_sock - Add a socket to the reuseport group of another.
|
|
* @sk: New socket to add to the group.
|
|
* @sk2: Socket belonging to the existing reuseport group.
|
|
* May return ENOMEM and not add socket to group under memory pressure.
|
|
*/
|
|
int reuseport_add_sock(struct sock *sk, struct sock *sk2, bool bind_inany)
|
|
{
|
|
struct sock_reuseport *old_reuse, *reuse;
|
|
|
|
if (!rcu_access_pointer(sk2->sk_reuseport_cb)) {
|
|
int err = reuseport_alloc(sk2, bind_inany);
|
|
|
|
if (err)
|
|
return err;
|
|
}
|
|
|
|
spin_lock_bh(&reuseport_lock);
|
|
reuse = rcu_dereference_protected(sk2->sk_reuseport_cb,
|
|
lockdep_is_held(&reuseport_lock));
|
|
old_reuse = rcu_dereference_protected(sk->sk_reuseport_cb,
|
|
lockdep_is_held(&reuseport_lock));
|
|
if (old_reuse && old_reuse->num_socks != 1) {
|
|
spin_unlock_bh(&reuseport_lock);
|
|
return -EBUSY;
|
|
}
|
|
|
|
if (reuse->num_socks == reuse->max_socks) {
|
|
reuse = reuseport_grow(reuse);
|
|
if (!reuse) {
|
|
spin_unlock_bh(&reuseport_lock);
|
|
return -ENOMEM;
|
|
}
|
|
}
|
|
|
|
reuse->socks[reuse->num_socks] = sk;
|
|
/* paired with smp_rmb() in reuseport_select_sock() */
|
|
smp_wmb();
|
|
reuse->num_socks++;
|
|
rcu_assign_pointer(sk->sk_reuseport_cb, reuse);
|
|
|
|
spin_unlock_bh(&reuseport_lock);
|
|
|
|
if (old_reuse)
|
|
call_rcu(&old_reuse->rcu, reuseport_free_rcu);
|
|
return 0;
|
|
}
|
|
|
|
void reuseport_detach_sock(struct sock *sk)
|
|
{
|
|
struct sock_reuseport *reuse;
|
|
int i;
|
|
|
|
spin_lock_bh(&reuseport_lock);
|
|
reuse = rcu_dereference_protected(sk->sk_reuseport_cb,
|
|
lockdep_is_held(&reuseport_lock));
|
|
|
|
/* At least one of the sk in this reuseport group is added to
|
|
* a bpf map. Notify the bpf side. The bpf map logic will
|
|
* remove the sk if it is indeed added to a bpf map.
|
|
*/
|
|
if (reuse->reuseport_id)
|
|
bpf_sk_reuseport_detach(sk);
|
|
|
|
rcu_assign_pointer(sk->sk_reuseport_cb, NULL);
|
|
|
|
for (i = 0; i < reuse->num_socks; i++) {
|
|
if (reuse->socks[i] == sk) {
|
|
reuse->socks[i] = reuse->socks[reuse->num_socks - 1];
|
|
reuse->num_socks--;
|
|
if (reuse->num_socks == 0)
|
|
call_rcu(&reuse->rcu, reuseport_free_rcu);
|
|
break;
|
|
}
|
|
}
|
|
spin_unlock_bh(&reuseport_lock);
|
|
}
|
|
EXPORT_SYMBOL(reuseport_detach_sock);
|
|
|
|
static struct sock *run_bpf(struct sock_reuseport *reuse, u16 socks,
|
|
struct bpf_prog *prog, struct sk_buff *skb,
|
|
int hdr_len)
|
|
{
|
|
struct sk_buff *nskb = NULL;
|
|
u32 index;
|
|
|
|
if (skb_shared(skb)) {
|
|
nskb = skb_clone(skb, GFP_ATOMIC);
|
|
if (!nskb)
|
|
return NULL;
|
|
skb = nskb;
|
|
}
|
|
|
|
/* temporarily advance data past protocol header */
|
|
if (!pskb_pull(skb, hdr_len)) {
|
|
kfree_skb(nskb);
|
|
return NULL;
|
|
}
|
|
index = bpf_prog_run_save_cb(prog, skb);
|
|
__skb_push(skb, hdr_len);
|
|
|
|
consume_skb(nskb);
|
|
|
|
if (index >= socks)
|
|
return NULL;
|
|
|
|
return reuse->socks[index];
|
|
}
|
|
|
|
/**
|
|
* reuseport_select_sock - Select a socket from an SO_REUSEPORT group.
|
|
* @sk: First socket in the group.
|
|
* @hash: When no BPF filter is available, use this hash to select.
|
|
* @skb: skb to run through BPF filter.
|
|
* @hdr_len: BPF filter expects skb data pointer at payload data. If
|
|
* the skb does not yet point at the payload, this parameter represents
|
|
* how far the pointer needs to advance to reach the payload.
|
|
* Returns a socket that should receive the packet (or NULL on error).
|
|
*/
|
|
struct sock *reuseport_select_sock(struct sock *sk,
|
|
u32 hash,
|
|
struct sk_buff *skb,
|
|
int hdr_len)
|
|
{
|
|
struct sock_reuseport *reuse;
|
|
struct bpf_prog *prog;
|
|
struct sock *sk2 = NULL;
|
|
u16 socks;
|
|
|
|
rcu_read_lock();
|
|
reuse = rcu_dereference(sk->sk_reuseport_cb);
|
|
|
|
/* if memory allocation failed or add call is not yet complete */
|
|
if (!reuse)
|
|
goto out;
|
|
|
|
prog = rcu_dereference(reuse->prog);
|
|
socks = READ_ONCE(reuse->num_socks);
|
|
if (likely(socks)) {
|
|
/* paired with smp_wmb() in reuseport_add_sock() */
|
|
smp_rmb();
|
|
|
|
if (prog && skb)
|
|
sk2 = run_bpf(reuse, socks, prog, skb, hdr_len);
|
|
|
|
/* no bpf or invalid bpf result: fall back to hash usage */
|
|
if (!sk2)
|
|
sk2 = reuse->socks[reciprocal_scale(hash, socks)];
|
|
}
|
|
|
|
out:
|
|
rcu_read_unlock();
|
|
return sk2;
|
|
}
|
|
EXPORT_SYMBOL(reuseport_select_sock);
|
|
|
|
struct bpf_prog *
|
|
reuseport_attach_prog(struct sock *sk, struct bpf_prog *prog)
|
|
{
|
|
struct sock_reuseport *reuse;
|
|
struct bpf_prog *old_prog;
|
|
|
|
spin_lock_bh(&reuseport_lock);
|
|
reuse = rcu_dereference_protected(sk->sk_reuseport_cb,
|
|
lockdep_is_held(&reuseport_lock));
|
|
old_prog = rcu_dereference_protected(reuse->prog,
|
|
lockdep_is_held(&reuseport_lock));
|
|
rcu_assign_pointer(reuse->prog, prog);
|
|
spin_unlock_bh(&reuseport_lock);
|
|
|
|
return old_prog;
|
|
}
|
|
EXPORT_SYMBOL(reuseport_attach_prog);
|