Commit 08388efe authored by Martin KaFai Lau's avatar Martin KaFai Lau
Browse files

Merge branch 'xfrm: interface: Add unstable helpers for XFRM metadata' 



Eyal Birger says:

====================

This patch series adds xfrm metadata helpers using the unstable kfunc
call interface for the TC-BPF hooks.

This allows steering traffic towards different IPsec connections based
on logic implemented in bpf programs.

The helpers are integrated into the xfrm_interface module. For this
purpose the main functionality of this module is moved to
xfrm_interface_core.c.
---

changes in v6: fix sparse warning in patch 2
changes in v5:
  - avoid cleanup of percpu dsts as detailed in patch 2
changes in v3:
  - tag bpf-next tree instead of ipsec-next
  - add IFLA_XFRM_COLLECT_METADATA sync patch
====================

Signed-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
parents ab0350c7 90a3a05e

include/net/dst_metadata.h

+1 −0
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ struct macsec_info { 
struct xfrm_md_info {

	u32 if_id;

	int link;

	struct dst_entry *dst_orig;

};



struct metadata_dst {

include/net/xfrm.h

+17 −0
Original line number Diff line number Diff line
@@ -2086,4 +2086,21 @@ static inline bool xfrm6_local_dontfrag(const struct sock *sk) 
	return false;

}

#endif



#if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \

    (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))



extern struct metadata_dst __percpu *xfrm_bpf_md_dst;



int register_xfrm_interface_bpf(void);



#else



static inline int register_xfrm_interface_bpf(void)

{

	return 0;

}



#endif



#endif	/* _NET_XFRM_H */

net/core/dst.c

+6 −2
Original line number Diff line number Diff line
@@ -316,6 +316,8 @@ void metadata_dst_free(struct metadata_dst *md_dst) 
	if (md_dst->type == METADATA_IP_TUNNEL)

		dst_cache_destroy(&md_dst->u.tun_info.dst_cache);

#endif

	if (md_dst->type == METADATA_XFRM)

		dst_release(md_dst->u.xfrm_info.dst_orig);

	kfree(md_dst);

}

EXPORT_SYMBOL_GPL(metadata_dst_free);
@@ -340,16 +342,18 @@ EXPORT_SYMBOL_GPL(metadata_dst_alloc_percpu); 


void metadata_dst_free_percpu(struct metadata_dst __percpu *md_dst)

{

#ifdef CONFIG_DST_CACHE

	int cpu;



	for_each_possible_cpu(cpu) {

		struct metadata_dst *one_md_dst = per_cpu_ptr(md_dst, cpu);



#ifdef CONFIG_DST_CACHE

		if (one_md_dst->type == METADATA_IP_TUNNEL)

			dst_cache_destroy(&one_md_dst->u.tun_info.dst_cache);

	}

#endif

		if (one_md_dst->type == METADATA_XFRM)

			dst_release(one_md_dst->u.xfrm_info.dst_orig);

	}

	free_percpu(md_dst);

}

EXPORT_SYMBOL_GPL(metadata_dst_free_percpu);

net/core/filter.c

+9 −0
Original line number Diff line number Diff line
@@ -5631,6 +5631,15 @@ static const struct bpf_func_proto bpf_bind_proto = { 
};



#ifdef CONFIG_XFRM



#if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \

    (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))



struct metadata_dst __percpu *xfrm_bpf_md_dst;

EXPORT_SYMBOL_GPL(xfrm_bpf_md_dst);



#endif



BPF_CALL_5(bpf_skb_get_xfrm_state, struct sk_buff *, skb, u32, index,

	   struct bpf_xfrm_state *, to, u32, size, u64, flags)

{

net/xfrm/Makefile

+8 −0
Original line number Diff line number Diff line
@@ -3,6 +3,14 @@ 
# Makefile for the XFRM subsystem.

#



xfrm_interface-$(CONFIG_XFRM_INTERFACE) += xfrm_interface_core.o



ifeq ($(CONFIG_XFRM_INTERFACE),m)

xfrm_interface-$(CONFIG_DEBUG_INFO_BTF_MODULES) += xfrm_interface_bpf.o

else ifeq ($(CONFIG_XFRM_INTERFACE),y)

xfrm_interface-$(CONFIG_DEBUG_INFO_BTF) += xfrm_interface_bpf.o

endif



obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \

		      xfrm_input.o xfrm_output.o \

		      xfrm_sysctl.o xfrm_replay.o xfrm_device.o