Date: Tue, 27 Dec 2022 10:22:42 -0800
From: Alexei Starovoitov
To: Quentin Deslandes
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Mykola Lysenko, Shuah Khan, Dmitrii Banshchikov, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, netdev@vger.kernel.org, Kernel Team, fw@strlen.de
Subject: Re: [PATCH bpf-next v3 00/16] bpfilter
Message-ID: <20221227182242.ozkc6u2lbwneoi4r@macbook-pro-6.dhcp.thefacebook.com>
In-Reply-To: <20221224000402.476079-1-qde@naccy.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Dec 24, 2022 at 01:03:46AM +0100, Quentin Deslandes wrote:
>
> Due to poor hardware availability on my side, I've not been able to
> benchmark those changes. I plan to get some numbers for the next iteration.

Yeah. Performance numbers would be my main question :)

> FORWARD filter chain is now supported, however, it's attached to
> TC INGRESS along with INPUT filter chain. This is due to XDP not supporting
> multiple programs to be attached. I could generate a single program
> out of both INPUT and FORWARD chains, but that would prevent another
> BPF program to be attached to the interface anyway. If a solution
> exists to attach both those programs to XDP while allowing for other
> programs to be attached, it requires more investigation. In the meantime,
> INPUT and FORWARD filtering is supported using TC.

I think we can ignore XDP chaining for now assuming that Daniel's bpf_link-tc work
will be applicable to XDP as well, so we'll have a simple chaining
for XDP eventually.

As far as attaching to TC... I think it would be great to combine bpfilter
codegen and attach to Florian's bpf hooks exactly at netfilter.
See
https://git.breakpoint.cc/cgit/fw/nf-next.git/commit/?h=nf_hook_jit_bpf_29&id=0c1ec06503cb8a142d3ad9f760b72d94ea0091fa
With nf_hook_ingress() calling either into classic iptable or into bpf_prog_run_nf
which is either generated by Florian's optimizer of nf chains or into
bpfilter generated code would be ideal.