Date: Tue, 7 Mar 2023 21:11:56 +0100
From: Florian Westphal
To: Daniel Xu
Cc: Alexei Starovoitov, bpf, "open list:KERNEL SELFTEST FRAMEWORK", Network Development, "open list:DOCUMENTATION", LKML, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, daniel@iogearbox.net
Subject: Re: [PATCH bpf-next v2 0/8] Support defragmenting IPv(4|6) packets in BPF
Message-ID: <20230307201156.GF13059@breakpoint.cc>

Daniel Xu wrote:
> From my reading (I'll run some tests later) it looks like netfilter
> will defrag all ipv4/ipv6 packets in any netns with conntrack enabled.
> It appears to do so in NF_INET_PRE_ROUTING.

Yes, and output.

> One thing we would need though are (probably kfunc) wrappers around
> nf_defrag_ipv4_enable() and nf_defrag_ipv6_enable() to ensure BPF progs
> are not transitively depending on defrag support from other netfilter
> modules.
>
> The exact mechanism would probably need some thinking, as the above
> functions kinda rely on module_init() and module_exit() semantics. We
> cannot make the prog bump the refcnt every time it runs -- it would
> overflow. And it would be nice to automatically free the refcnt when
> prog is unloaded.

Probably add a flag attribute that is evaluated at BPF_LINK time, so
progs can say they need defrag enabled. Same could be used to request
conntrack enablement.

Will need some glue on netfilter side to handle DEFRAG=m, but we already
have plenty of those.
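
Added example, not part of this message or of the patch series: a userspace C model of the scheme discussed above, where the defrag reference is taken once when a link is created with a "needs defrag" flag and dropped when the link is released, so the per-packet path never touches the count. Every `model_*` / `MODEL_*` name is hypothetical; this is not kernel code and does not call the real nf_defrag_ipv4_enable().

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model, not kernel code. Every model_* / MODEL_* name is hypothetical. */
#define MODEL_F_DEFRAG 0x1u /* link flag: "this prog needs defrag" */
struct model_netns { unsigned int defrag_users; bool hooks_registered; };
struct model_link { struct model_netns *net; unsigned int flags; unsigned long runs; };

/* First user registers the defrag hooks; later users only bump the count. */
int model_defrag_enable(struct model_netns *net) {
    if (net->defrag_users == UINT_MAX)
        return -EOVERFLOW; /* refuse rather than wrap to zero */
    if (net->defrag_users++ == 0)
        net->hooks_registered = true;
    return 0;
}

/* Last user unregisters the hooks. */
void model_defrag_disable(struct model_netns *net) {
    if (net->defrag_users && --net->defrag_users == 0)
        net->hooks_registered = false;
}

/* Link creation: the flag is evaluated once, here. */
int model_link_create(struct model_link *l, struct model_netns *net, unsigned int flags) {
    int err = (flags & MODEL_F_DEFRAG) ? model_defrag_enable(net) : 0;
    if (err)
        return err;
    *l = (struct model_link){ .net = net, .flags = flags };
    return 0;
}

/* Per-packet path: never touches the reference count. */
void model_prog_run(struct model_link *l) { l->runs++; }

/* Link release (detach or unload): drop the one reference taken at create. */
void model_link_release(struct model_link *l) {
    if (l->flags & MODEL_F_DEFRAG)
        model_defrag_disable(l->net);
    l->flags = 0; /* a repeated release cannot drop a second reference */
}

int main(void) {
    struct model_netns net = {0};
    struct model_link l;
    if (model_link_create(&l, &net, MODEL_F_DEFRAG)) return 1;
    for (int i = 0; i < 1000000; i++) model_prog_run(&l);
    model_link_release(&l);
    printf("released: users=%u hooks=%d\n", net.defrag_users, net.hooks_registered);
    return 0;
}
```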