From nobody Thu Dec 18 14:47:20 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id EE2D5C4167B for ; Wed, 13 Dec 2023 11:46:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378129AbjLMLqD (ORCPT ); Wed, 13 Dec 2023 06:46:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55710 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235172AbjLMLp7 (ORCPT ); Wed, 13 Dec 2023 06:45:59 -0500 Received: from out30-132.freemail.mail.aliyun.com (out30-132.freemail.mail.aliyun.com [115.124.30.132]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 88F2AF5; Wed, 13 Dec 2023 03:46:04 -0800 (PST) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R941e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046056;MF=alibuda@linux.alibaba.com;NM=1;PH=DS;RN=14;SR=0;TI=SMTPD_---0VyQzxuB_1702467960; Received: from j66a10360.sqa.eu95.tbsite.net(mailfrom:alibuda@linux.alibaba.com fp:SMTPD_---0VyQzxuB_1702467960) by smtp.aliyun-inc.com; Wed, 13 Dec 2023 19:46:02 +0800 From: "D. Wythe" To: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org, "D. Wythe" Subject: [RFC nf-next 1/2] netfilter: bpf: support prog update Date: Wed, 13 Dec 2023 19:45:44 +0800 Message-Id: <1702467945-38866-2-git-send-email-alibuda@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1702467945-38866-1-git-send-email-alibuda@linux.alibaba.com> References: <1702467945-38866-1-git-send-email-alibuda@linux.alibaba.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: "D. Wythe" To support the prog update, we need to ensure that the prog seen within the hook is always valid. Considering that hooks are always protected by rcu_read_lock(), which provide us the ability to use a new RCU-protected context to access the prog. Signed-off-by: D. Wythe --- net/netfilter/nf_bpf_link.c | 124 +++++++++++++++++++++++++++++++++++++++-= ---- 1 file changed, 111 insertions(+), 13 deletions(-) diff --git a/net/netfilter/nf_bpf_link.c b/net/netfilter/nf_bpf_link.c index e502ec0..918c470 100644 --- a/net/netfilter/nf_bpf_link.c +++ b/net/netfilter/nf_bpf_link.c @@ -8,17 +8,11 @@ #include #include =20 -static unsigned int nf_hook_run_bpf(void *bpf_prog, struct sk_buff *skb, - const struct nf_hook_state *s) +struct bpf_nf_hook_ctx { - const struct bpf_prog *prog =3D bpf_prog; - struct bpf_nf_ctx ctx =3D { - .state =3D s, - .skb =3D skb, - }; - - return bpf_prog_run(prog, &ctx); -} + struct bpf_prog *prog; + struct rcu_head rcu; +}; =20 struct bpf_nf_link { struct bpf_link link; @@ -26,8 +20,59 @@ struct bpf_nf_link { struct net *net; u32 dead; const struct nf_defrag_hook *defrag_hook; + /* protect link update in parallel */ + struct mutex update_lock; + struct bpf_nf_hook_ctx __rcu *hook_ctx; }; =20 +static struct bpf_nf_hook_ctx * +bpf_nf_hook_ctx_from_prog(struct bpf_prog *prog, gfp_t flags) +{ + struct bpf_nf_hook_ctx *hook_ctx; + + hook_ctx =3D kmalloc(sizeof(*hook_ctx), flags); + if (hook_ctx) { + hook_ctx->prog =3D prog; + bpf_prog_inc(prog); + } + return hook_ctx; +} + +static void bpf_nf_hook_ctx_free(struct bpf_nf_hook_ctx *hook_ctx) +{ + if (!hook_ctx) + return; + if (hook_ctx->prog) + bpf_prog_put(hook_ctx->prog); + kfree(hook_ctx); +} + +static void __bpf_nf_hook_ctx_free_rcu(struct rcu_head *head) +{ + struct bpf_nf_hook_ctx *hook_ctx =3D container_of(head, struct bpf_nf_hoo= k_ctx, rcu); + + bpf_nf_hook_ctx_free(hook_ctx); +} + +static void bpf_nf_hook_ctx_free_rcu(struct bpf_nf_hook_ctx *hook_ctx) +{ + call_rcu(&hook_ctx->rcu, __bpf_nf_hook_ctx_free_rcu); +} + +static unsigned int nf_hook_run_bpf(void *bpf_link, struct sk_buff *skb, + const struct nf_hook_state *s) +{ + const struct bpf_nf_link *link =3D bpf_link; + struct bpf_nf_hook_ctx *hook_ctx; + struct bpf_nf_ctx ctx =3D { + .state =3D s, + .skb =3D skb, + }; + + hook_ctx =3D rcu_dereference(link->hook_ctx); + return bpf_prog_run(hook_ctx->prog, &ctx); +} + #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) || IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) static const struct nf_defrag_hook * get_proto_defrag_hook(struct bpf_nf_link *link, @@ -120,6 +165,10 @@ static void bpf_nf_link_release(struct bpf_link *link) if (!cmpxchg(&nf_link->dead, 0, 1)) { nf_unregister_net_hook(nf_link->net, &nf_link->hook_ops); bpf_nf_disable_defrag(nf_link); + /* Wait for outstanding hook to complete before the + * link gets released. + */ + synchronize_rcu(); } } =20 @@ -127,6 +176,7 @@ static void bpf_nf_link_dealloc(struct bpf_link *link) { struct bpf_nf_link *nf_link =3D container_of(link, struct bpf_nf_link, li= nk); =20 + bpf_nf_hook_ctx_free(nf_link->hook_ctx); kfree(nf_link); } =20 @@ -162,7 +212,42 @@ static int bpf_nf_link_fill_link_info(const struct bpf= _link *link, static int bpf_nf_link_update(struct bpf_link *link, struct bpf_prog *new_= prog, struct bpf_prog *old_prog) { - return -EOPNOTSUPP; + struct bpf_nf_link *nf_link =3D container_of(link, struct bpf_nf_link, li= nk); + struct bpf_nf_hook_ctx *hook_ctx; + int err =3D 0; + + mutex_lock(&nf_link->update_lock); + + /* target old_prog mismatch */ + if (old_prog && link->prog !=3D old_prog) { + err =3D -EPERM; + goto out; + } + + old_prog =3D link->prog; + if (old_prog =3D=3D new_prog) { + /* don't need update */ + bpf_prog_put(new_prog); + goto out; + } + + hook_ctx =3D bpf_nf_hook_ctx_from_prog(new_prog, GFP_USER); + if (!hook_ctx) { + err =3D -ENOMEM; + goto out; + } + + /* replace and get the old one */ + hook_ctx =3D rcu_replace_pointer(nf_link->hook_ctx, hook_ctx, + lockdep_is_held(&nf_link->update_lock)); + /* free old hook_ctx */ + bpf_nf_hook_ctx_free_rcu(hook_ctx); + + old_prog =3D xchg(&link->prog, new_prog); + bpf_prog_put(old_prog); +out: + mutex_unlock(&nf_link->update_lock); + return err; } =20 static const struct bpf_link_ops bpf_nf_link_lops =3D { @@ -222,11 +307,22 @@ int bpf_nf_link_attach(const union bpf_attr *attr, st= ruct bpf_prog *prog) if (!link) return -ENOMEM; =20 + link->hook_ctx =3D bpf_nf_hook_ctx_from_prog(prog, GFP_USER); + if (!link->hook_ctx) { + kfree(link); + return -ENOMEM; + } + bpf_link_init(&link->link, BPF_LINK_TYPE_NETFILTER, &bpf_nf_link_lops, pr= og); =20 link->hook_ops.hook =3D nf_hook_run_bpf; link->hook_ops.hook_ops_type =3D NF_HOOK_OP_BPF; - link->hook_ops.priv =3D prog; + + /* bpf_nf_link_release() ensures that after its execution, there will be + * no ongoing or upcoming execution of nf_hook_run_bpf() within any conte= xt. + * Therefore, within nf_hook_run_bpf(), the link remains valid at all tim= es." + */ + link->hook_ops.priv =3D link; =20 link->hook_ops.pf =3D attr->link_create.netfilter.pf; link->hook_ops.priority =3D attr->link_create.netfilter.priority; @@ -236,9 +332,11 @@ int bpf_nf_link_attach(const union bpf_attr *attr, str= uct bpf_prog *prog) link->dead =3D false; link->defrag_hook =3D NULL; =20 + mutex_init(&link->update_lock); + err =3D bpf_link_prime(&link->link, &link_primer); if (err) { - kfree(link); + bpf_nf_link_dealloc(&link->link); return err; } =20 --=20 1.8.3.1 From nobody Thu Dec 18 14:47:20 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 70D17C4332F for ; Wed, 13 Dec 2023 11:46:14 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1378176AbjLMLqF (ORCPT ); Wed, 13 Dec 2023 06:46:05 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55730 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1377447AbjLMLqA (ORCPT ); Wed, 13 Dec 2023 06:46:00 -0500 Received: from out30-113.freemail.mail.aliyun.com (out30-113.freemail.mail.aliyun.com [115.124.30.113]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5427AAF; Wed, 13 Dec 2023 03:46:06 -0800 (PST) X-Alimail-AntiSpam: AC=PASS;BC=-1|-1;BR=01201311R161e4;CH=green;DM=||false|;DS=||;FP=0|-1|-1|-1|0|-1|-1|-1;HT=ay29a033018046051;MF=alibuda@linux.alibaba.com;NM=1;PH=DS;RN=14;SR=0;TI=SMTPD_---0VyQzxum_1702467962; Received: from j66a10360.sqa.eu95.tbsite.net(mailfrom:alibuda@linux.alibaba.com fp:SMTPD_---0VyQzxum_1702467962) by smtp.aliyun-inc.com; Wed, 13 Dec 2023 19:46:03 +0800 From: "D. Wythe" To: pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, coreteam@netfilter.org, netfilter-devel@vger.kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ast@kernel.org, "D. Wythe" Subject: [RFC nf-next 2/2] selftests/bpf: Add netfilter link prog update test Date: Wed, 13 Dec 2023 19:45:45 +0800 Message-Id: <1702467945-38866-3-git-send-email-alibuda@linux.alibaba.com> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1702467945-38866-1-git-send-email-alibuda@linux.alibaba.com> References: <1702467945-38866-1-git-send-email-alibuda@linux.alibaba.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: "D. Wythe" Update prog for active link and verify whether the prog has been successfully replaced. Expected output: ./test_progs -t netfilter_link_update_prog Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED Signed-off-by: D. Wythe --- .../bpf/prog_tests/netfilter_link_update_prog.c | 83 ++++++++++++++++++= ++++ .../bpf/progs/test_netfilter_link_update_prog.c | 24 +++++++ 2 files changed, 107 insertions(+) create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_u= pdate_prog.c create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_u= pdate_prog.c diff --git a/tools/testing/selftests/bpf/prog_tests/netfilter_link_update_p= rog.c b/tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c new file mode 100644 index 00000000..d23b544 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c @@ -0,0 +1,83 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include +#include +#include +#include "test_netfilter_link_update_prog.skel.h" + +#define SERVER_ADDR "127.0.0.1" +#define SERVER_PORT 12345 + +static const char dummy_message[] =3D "A dummy message"; + +static int send_dummy(int client_fd) +{ + struct sockaddr_storage saddr; + struct sockaddr *saddr_p; + socklen_t saddr_len; + int err; + + saddr_p =3D (struct sockaddr *)&saddr; + err =3D make_sockaddr(AF_INET, SERVER_ADDR, SERVER_PORT, &saddr, &saddr_l= en); + if (!ASSERT_OK(err, "make_sockaddr")) + return -1; + + err =3D sendto(client_fd, dummy_message, sizeof(dummy_message) - 1, 0, sa= ddr_p, saddr_len); + if (!ASSERT_GE(err, 0, "sendto")) + return -1; + + return 0; +} + +void test_netfilter_link_update_prog(void) +{ + LIBBPF_OPTS(bpf_netfilter_opts, opts, + .pf =3D NFPROTO_IPV4, + .hooknum =3D NF_INET_LOCAL_OUT, + .priority =3D 100); + struct test_netfilter_link_update_prog *skel; + struct bpf_program *prog; + int server_fd, client_fd; + int err; + + skel =3D test_netfilter_link_update_prog__open_and_load(); + if (!ASSERT_OK_PTR(skel, "test_netfilter_link_update_prog__open_and_load"= )) + goto out; + + prog =3D skel->progs.nf_link_prog; + + if (!ASSERT_OK_PTR(prog, "load program")) + goto out; + + skel->links.nf_link_prog =3D bpf_program__attach_netfilter(prog, &opts); + if (!ASSERT_OK_PTR(skel->links.nf_link_prog, "attach netfilter program")) + goto out; + + server_fd =3D start_server(AF_INET, SOCK_DGRAM, SERVER_ADDR, SERVER_PORT,= 0); + if (!ASSERT_GE(server_fd, 0, "start_server")) + goto out; + + client_fd =3D connect_to_fd(server_fd, 0); + if (!ASSERT_GE(client_fd, 0, "connect_to_fd")) + goto out; + + send_dummy(client_fd); + + ASSERT_EQ(skel->bss->counter, 0, "counter should be zero"); + + err =3D bpf_link__update_program(skel->links.nf_link_prog, skel->progs.nf= _link_prog_new); + if (!ASSERT_OK(err, "bpf_link__update_program")) + goto out; + + send_dummy(client_fd); + ASSERT_GE(skel->bss->counter, 0, "counter should be greater than zero"); +out: + if (client_fd > 0) + close(client_fd); + if (server_fd > 0) + close(server_fd); + + test_netfilter_link_update_prog__destroy(skel); +} + + diff --git a/tools/testing/selftests/bpf/progs/test_netfilter_link_update_p= rog.c b/tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c new file mode 100644 index 00000000..42ae332 --- /dev/null +++ b/tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c @@ -0,0 +1,24 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include "vmlinux.h" +#include + +#define NF_ACCEPT 1 + +SEC("netfilter") +int nf_link_prog(struct bpf_nf_ctx *ctx) +{ + return NF_ACCEPT; +} + +u64 counter =3D 0; + +SEC("netfilter") +int nf_link_prog_new(struct bpf_nf_ctx *ctx) +{ + counter++; + return NF_ACCEPT; +} + +char _license[] SEC("license") =3D "GPL"; + --=20 1.8.3.1