Commit 94151f5a authored by Eyal Birger's avatar Eyal Birger Committed by Martin KaFai Lau
Browse files

xfrm: interface: Add unstable helpers for setting/getting XFRM metadata from TC-BPF 



This change adds xfrm metadata helpers using the unstable kfunc call
interface for the TC-BPF hooks. This allows steering traffic towards
different IPsec connections based on logic implemented in bpf programs.

This object is built based on the availability of BTF debug info.

When setting the xfrm metadata, percpu metadata dsts are used in order
to avoid allocating a metadata dst per packet.

In order to guarantee safe module unload, the percpu dsts are allocated
on first use and never freed. The percpu pointer is stored in
net/core/filter.c so that it can be reused on module reload.

The metadata percpu dsts take ownership of the original skb dsts so
that they may be used as part of the xfrm transmission logic - e.g.
for MTU calculations.

Signed-off-by: default avatarEyal Birger <eyal.birger@gmail.com>
Link: https://lore.kernel.org/r/20221203084659.1837829-3-eyal.birger@gmail.com


Signed-off-by: default avatarMartin KaFai Lau <martin.lau@kernel.org>
parent ee9a113a

include/net/dst_metadata.h

+1 −0
Original line number Diff line number Diff line
@@ -26,6 +26,7 @@ struct macsec_info { 
struct xfrm_md_info {

	u32 if_id;

	int link;

	struct dst_entry *dst_orig;

};



struct metadata_dst {

include/net/xfrm.h

+17 −0
Original line number Diff line number Diff line
@@ -2086,4 +2086,21 @@ static inline bool xfrm6_local_dontfrag(const struct sock *sk) 
	return false;

}

#endif



#if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \

    (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))



extern struct metadata_dst __percpu *xfrm_bpf_md_dst;



int register_xfrm_interface_bpf(void);



#else



static inline int register_xfrm_interface_bpf(void)

{

	return 0;

}



#endif



#endif	/* _NET_XFRM_H */

net/core/dst.c

+6 −2
Original line number Diff line number Diff line
@@ -316,6 +316,8 @@ void metadata_dst_free(struct metadata_dst *md_dst) 
	if (md_dst->type == METADATA_IP_TUNNEL)

		dst_cache_destroy(&md_dst->u.tun_info.dst_cache);

#endif

	if (md_dst->type == METADATA_XFRM)

		dst_release(md_dst->u.xfrm_info.dst_orig);

	kfree(md_dst);

}

EXPORT_SYMBOL_GPL(metadata_dst_free);
@@ -340,16 +342,18 @@ EXPORT_SYMBOL_GPL(metadata_dst_alloc_percpu); 


void metadata_dst_free_percpu(struct metadata_dst __percpu *md_dst)

{

#ifdef CONFIG_DST_CACHE

	int cpu;



	for_each_possible_cpu(cpu) {

		struct metadata_dst *one_md_dst = per_cpu_ptr(md_dst, cpu);



#ifdef CONFIG_DST_CACHE

		if (one_md_dst->type == METADATA_IP_TUNNEL)

			dst_cache_destroy(&one_md_dst->u.tun_info.dst_cache);

	}

#endif

		if (one_md_dst->type == METADATA_XFRM)

			dst_release(one_md_dst->u.xfrm_info.dst_orig);

	}

	free_percpu(md_dst);

}

EXPORT_SYMBOL_GPL(metadata_dst_free_percpu);

net/core/filter.c

+9 −0
Original line number Diff line number Diff line
@@ -5631,6 +5631,15 @@ static const struct bpf_func_proto bpf_bind_proto = { 
};



#ifdef CONFIG_XFRM



#if (IS_BUILTIN(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \

    (IS_MODULE(CONFIG_XFRM_INTERFACE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES))



struct metadata_dst __percpu *xfrm_bpf_md_dst;

EXPORT_SYMBOL_GPL(xfrm_bpf_md_dst);



#endif



BPF_CALL_5(bpf_skb_get_xfrm_state, struct sk_buff *, skb, u32, index,

	   struct bpf_xfrm_state *, to, u32, size, u64, flags)

{

net/xfrm/Makefile

+6 −0
Original line number Diff line number Diff line
@@ -5,6 +5,12 @@ 


xfrm_interface-$(CONFIG_XFRM_INTERFACE) += xfrm_interface_core.o



ifeq ($(CONFIG_XFRM_INTERFACE),m)

xfrm_interface-$(CONFIG_DEBUG_INFO_BTF_MODULES) += xfrm_interface_bpf.o

else ifeq ($(CONFIG_XFRM_INTERFACE),y)

xfrm_interface-$(CONFIG_DEBUG_INFO_BTF) += xfrm_interface_bpf.o

endif



obj-$(CONFIG_XFRM) := xfrm_policy.o xfrm_state.o xfrm_hash.o \

		      xfrm_input.o xfrm_output.o \

		      xfrm_sysctl.o xfrm_replay.o xfrm_device.o