From: Toke Høiland-Jørgensen
To: Florian Westphal
Cc: Daniel Xu, bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, fw@strlen.de, daniel@iogearbox.net, dsahern@kernel.org
Subject: Re: [PATCH bpf-next 0/7] Support defragmenting IPv(4|6) packets in BPF
In-Reply-To: <20230627154439.GA18285@breakpoint.cc>
References: <874jmthtiu.fsf@toke.dk> <20230627154439.GA18285@breakpoint.cc>
Date: Thu, 29 Jun 2023 14:16:08 +0200
Message-ID: <87o7kyfoqf.fsf@toke.dk>

Florian Westphal writes:

> Toke Høiland-Jørgensen wrote:
>> > The basic idea is we bump a refcnt on the netfilter defrag module and
>> > then run the bpf prog after the defrag module runs. This allows bpf
>> > progs to transparently see full, reassembled packets. The nice thing
>> > about this is that progs don't have to carry around logic to detect
>> > fragments.
>>
>> One high-level comment after glancing through the series: Instead of
>> allocating a flag specifically for the defrag module, why not support
>> loading (and holding) arbitrary netfilter modules in the UAPI?
>
> How would that work/look like?
>
> defrag (and conntrack) need special handling because loading these
> modules has no effect on the datapath.
>
> Traditionally, yes, loading was enough, but now with netns being
> ubiquitous we don't want these to get enabled unless needed.
>
> Ignoring bpf, this happens when user adds nftables/iptables rules
> that check for conntrack state, use some form of NAT or use e.g. tproxy.
>
> For bpf a flag during link attachment seemed like the best way
> to go.

Right, I wasn't disputing that having a flag to load a module was a good
idea. On the contrary, I was thinking we'd need many more of these if/when
BPF wants to take advantage of more netfilter code. Say, if a BPF module
wants to call into TPROXY, that module would also need to be loaded and
kept around, no?

I was thinking something along the lines of just having a field
'netfilter_modules[]' into which userspace could put an arbitrary number
of module names, and we'd load all of them and put a ref into the
bpf_link. In principle, we could just have that be a string array of
module names, but that's probably a bit cumbersome (and, well, building a
generic module loader interface into the bpf_link API is not desirable
either). But maybe with an explicit ENUM?

> At the moment I only see two flags for this, namely
> "need defrag" and "need conntrack".
>
> For conntrack, we MIGHT be able to not need a flag but
> maybe verifier could "guess" based on kfuncs used.

If the verifier can just identify the modules from the kfuncs and do the
whole thing automatically, that would of course be even better from an
ease-of-use PoV. Not sure what that would take, though? I seem to recall
having discussions around these lines before that fell down on various
points.

> But for defrag, I don't think it's good to add a dummy do-nothing
> kfunc just for expressing the dependency on bpf prog side.

Agreed.

-Toke