bpf: BPF for lightweight tunnel infrastructure

Registers new BPF program types which correspond to the LWT hooks:
  - BPF_PROG_TYPE_LWT_IN   => dst_input()
  - BPF_PROG_TYPE_LWT_OUT  => dst_output()
  - BPF_PROG_TYPE_LWT_XMIT => lwtunnel_xmit()

The separate program types are required to differentiate between the
capabilities each LWT hook allows:

 * Programs attached to dst_input() or dst_output() are restricted and
   may only read the data of an skb. This prevent modification and
   possible invalidation of already validated packet headers on receive
   and the construction of illegal headers while the IP headers are
   still being assembled.

 * Programs attached to lwtunnel_xmit() are allowed to modify packet
   content as well as prepending an L2 header via a newly introduced
   helper bpf_skb_change_head(). This is safe as lwtunnel_xmit() is
   invoked after the IP header has been assembled completely.

All BPF programs receive an skb with L3 headers attached and may return
one of the following error codes:

 BPF_OK - Continue routing as per nexthop
 BPF_DROP - Drop skb and return EPERM
 BPF_REDIRECT - Redirect skb to device as per redirect() helper.
                (Only valid in lwtunnel_xmit() context)

The return codes are binary compatible with their TC_ACT_
relatives to ease compatibility.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 11 insertions, 3 deletions

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 8740c5fa02fc..8135cb1077ee 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -633,12 +633,19 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
 #define MAX_PACKET_OFF 0xffff
 
 static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,
-                                       const struct bpf_call_arg_meta *meta)
+                                       const struct bpf_call_arg_meta *meta,
+                                       enum bpf_access_type t)
 {
         switch (env->prog->type) {
+        case BPF_PROG_TYPE_LWT_IN:
+        case BPF_PROG_TYPE_LWT_OUT:
+                /* dst_input() and dst_output() can't write for now */
+                if (t == BPF_WRITE)
+                        return false;
         case BPF_PROG_TYPE_SCHED_CLS:
         case BPF_PROG_TYPE_SCHED_ACT:
         case BPF_PROG_TYPE_XDP:
+        case BPF_PROG_TYPE_LWT_XMIT:
                 if (meta)
                         return meta->pkt_access;
 
@@ -837,7 +844,7 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off,
                         err = check_stack_read(state, off, size, value_regno);
                 }
         } else if (state->regs[regno].type == PTR_TO_PACKET) {
-                if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL)) {
+                if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) {
                         verbose("cannot write into packet\n");
                         return -EACCES;
                 }
@@ -970,7 +977,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
                 return 0;
         }
 
-        if (type == PTR_TO_PACKET && !may_access_direct_pkt_data(env, meta)) {
+        if (type == PTR_TO_PACKET &&
+            !may_access_direct_pkt_data(env, meta, BPF_READ)) {
                 verbose("helper access to the packet is not allowed\n");
                 return -EACCES;
         }