-rw-r--r--include/uapi/linux/bpf.h35
-rw-r--r--net/core/filter.c11
-rw-r--r--tools/include/uapi/linux/bpf.h39
-rw-r--r--tools/testing/selftests/bpf/bpf_helpers.h4
-rw-r--r--tools/testing/selftests/bpf/test_sk_lookup_kern.c18
5 files changed, 63 insertions, 44 deletions
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
index 426b5c8a245b..cba518c57229 100644
--- a/include/uapi/linux/bpf.h
+++ b/include/uapi/linux/bpf.h
@@ -2170,7 +2170,7 @@ union bpf_attr {
2170 * Return 2170 * Return
2171 * 0 on success, or a negative error in case of failure. 2171 * 0 on success, or a negative error in case of failure.
2172 * 2172 *
2173 * struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags) 2173 * struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags)
2174 * Description 2174 * Description
2175 * Look for TCP socket matching *tuple*, optionally in a child 2175 * Look for TCP socket matching *tuple*, optionally in a child
2176 * network namespace *netns*. The return value must be checked, 2176 * network namespace *netns*. The return value must be checked,
@@ -2187,12 +2187,14 @@ union bpf_attr {
2187 * **sizeof**\ (*tuple*\ **->ipv6**) 2187 * **sizeof**\ (*tuple*\ **->ipv6**)
2188 * Look for an IPv6 socket. 2188 * Look for an IPv6 socket.
2189 * 2189 *
2190 * If the *netns* is zero, then the socket lookup table in the 2190 * If the *netns* is a negative signed 32-bit integer, then the
2191 * netns associated with the *ctx* will be used. For the TC hooks, 2191 * socket lookup table in the netns associated with the *ctx* will
2192 * this in the netns of the device in the skb. For socket hooks, 2192 * will be used. For the TC hooks, this is the netns of the device
2193 * this in the netns of the socket. If *netns* is non-zero, then 2193 * in the skb. For socket hooks, this is the netns of the socket.
2194 * it specifies the ID of the netns relative to the netns 2194 * If *netns* is any other signed 32-bit value greater than or
2195 * associated with the *ctx*. 2195 * equal to zero then it specifies the ID of the netns relative to
2196 * the netns associated with the *ctx*. *netns* values beyond the
2197 * range of 32-bit integers are reserved for future use.
2196 * 2198 *
2197 * All values for *flags* are reserved for future usage, and must 2199 * All values for *flags* are reserved for future usage, and must
2198 * be left at zero. 2200 * be left at zero.
@@ -2202,7 +2204,7 @@ union bpf_attr {
2202 * Return 2204 * Return
2203 * Pointer to *struct bpf_sock*, or NULL in case of failure. 2205 * Pointer to *struct bpf_sock*, or NULL in case of failure.
2204 * 2206 *
2205 * struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags) 2207 * struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags)
2206 * Description 2208 * Description
2207 * Look for UDP socket matching *tuple*, optionally in a child 2209 * Look for UDP socket matching *tuple*, optionally in a child
2208 * network namespace *netns*. The return value must be checked, 2210 * network namespace *netns*. The return value must be checked,
@@ -2219,12 +2221,14 @@ union bpf_attr {
2219 * **sizeof**\ (*tuple*\ **->ipv6**) 2221 * **sizeof**\ (*tuple*\ **->ipv6**)
2220 * Look for an IPv6 socket. 2222 * Look for an IPv6 socket.
2221 * 2223 *
2222 * If the *netns* is zero, then the socket lookup table in the 2224 * If the *netns* is a negative signed 32-bit integer, then the
2223 * netns associated with the *ctx* will be used. For the TC hooks, 2225 * socket lookup table in the netns associated with the *ctx* will
2224 * this in the netns of the device in the skb. For socket hooks, 2226 * will be used. For the TC hooks, this is the netns of the device
2225 * this in the netns of the socket. If *netns* is non-zero, then 2227 * in the skb. For socket hooks, this is the netns of the socket.
2226 * it specifies the ID of the netns relative to the netns 2228 * If *netns* is any other signed 32-bit value greater than or
2227 * associated with the *ctx*. 2229 * equal to zero then it specifies the ID of the netns relative to
2230 * the netns associated with the *ctx*. *netns* values beyond the
2231 * range of 32-bit integers are reserved for future use.
2228 * 2232 *
2229 * All values for *flags* are reserved for future usage, and must 2233 * All values for *flags* are reserved for future usage, and must
2230 * be left at zero. 2234 * be left at zero.
@@ -2405,6 +2409,9 @@ enum bpf_func_id {
2405/* BPF_FUNC_perf_event_output for sk_buff input context. */ 2409/* BPF_FUNC_perf_event_output for sk_buff input context. */
2406#define BPF_F_CTXLEN_MASK (0xfffffULL << 32) 2410#define BPF_F_CTXLEN_MASK (0xfffffULL << 32)
2407 2411
2412/* Current network namespace */
2413#define BPF_F_CURRENT_NETNS (-1L)
2414
2408/* Mode for BPF_FUNC_skb_adjust_room helper. */ 2415/* Mode for BPF_FUNC_skb_adjust_room helper. */
2409enum bpf_adj_room_mode { 2416enum bpf_adj_room_mode {
2410 BPF_ADJ_ROOM_NET, 2417 BPF_ADJ_ROOM_NET,
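Review bot: The rewritten netns paragraph for both bpf_sk_lookup_tcp (new 2190-2192) and bpf_sk_lookup_udp (new 2224-2226) doubles the word "will" across the line break ("associated with the *ctx* will" / "will be used"); as far as I know this comment block is the source for the generated helper man page, so the typo would become user-facing. The same paragraph also never names the new BPF_F_CURRENT_NETNS define added at 2413, so readers are left to hand-roll a negative value; tying the two together avoids that: `* If the *netns* is a negative signed 32-bit integer (for example` / `* **BPF_F_CURRENT_NETNS**), then the socket lookup table in the` / `* netns associated with the *ctx* will be used. For the TC hooks, ...`. Note as well that the sentence "values beyond the range of 32-bit integers are reserved" describes a stricter contract than the check in net/core/filter.c in this same commit enforces (see the note there), so one of the two should be aligned with the other.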
diff --git a/net/core/filter.c b/net/core/filter.c
index 6ee605da990f..8d2c629501e2 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -4890,22 +4890,23 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
4890 struct net *net; 4890 struct net *net;
4891 4891
4892 family = len == sizeof(tuple->ipv4) ? AF_INET : AF_INET6; 4892 family = len == sizeof(tuple->ipv4) ? AF_INET : AF_INET6;
4893 if (unlikely(family == AF_UNSPEC || netns_id > U32_MAX || flags)) 4893 if (unlikely(family == AF_UNSPEC || flags ||
4894 !((s32)netns_id < 0 || netns_id <= S32_MAX)))
4894 goto out; 4895 goto out;
4895 4896
4896 if (skb->dev) 4897 if (skb->dev)
4897 caller_net = dev_net(skb->dev); 4898 caller_net = dev_net(skb->dev);
4898 else 4899 else
4899 caller_net = sock_net(skb->sk); 4900 caller_net = sock_net(skb->sk);
4900 if (netns_id) { 4901 if ((s32)netns_id < 0) {
4902 net = caller_net;
4903 sk = sk_lookup(net, tuple, skb, family, proto);
4904 } else {
4901 net = get_net_ns_by_id(caller_net, netns_id); 4905 net = get_net_ns_by_id(caller_net, netns_id);
4902 if (unlikely(!net)) 4906 if (unlikely(!net))
4903 goto out; 4907 goto out;
4904 sk = sk_lookup(net, tuple, skb, family, proto); 4908 sk = sk_lookup(net, tuple, skb, family, proto);
4905 put_net(net); 4909 put_net(net);
4906 } else {
4907 net = caller_net;
4908 sk = sk_lookup(net, tuple, skb, family, proto);
4909 } 4910 }
4910 4911
4911 if (sk) 4912 if (sk)
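Review bot: The range check added at new 4893-4894 does not enforce the reservation the UAPI comment in this commit promises: `(s32)netns_id < 0` inspects only the low 32 bits, so any 64-bit value with bit 31 set (for instance 0x1_8000_0000) is accepted as "current netns", and only values with bit 31 clear and non-zero upper bits reach the `netns_id <= S32_MAX` rejection. That silently accepts half of the "reserved for future use" space today, which makes it hard to assign a meaning to later without changing behavior for programs already relying on it. Requiring the argument to be a sign-extended s32 closes the gap: replace `!((s32)netns_id < 0 || netns_id <= S32_MAX)` with `netns_id != (u64)(s64)(s32)netns_id`, after which the `(s32)netns_id < 0` test at new 4901 is exactly the BPF_F_CURRENT_NETNS case and every non-negative value is a plain id for get_net_ns_by_id(). bpf_sk_lookup() begins and ends outside this hunk, so I have not checked other callers of netns_id.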
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index 426b5c8a245b..76b265c7d93e 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -2170,7 +2170,7 @@ union bpf_attr {
2170 * Return 2170 * Return
2171 * 0 on success, or a negative error in case of failure. 2171 * 0 on success, or a negative error in case of failure.
2172 * 2172 *
2173 * struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags) 2173 * struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags)
2174 * Description 2174 * Description
2175 * Look for TCP socket matching *tuple*, optionally in a child 2175 * Look for TCP socket matching *tuple*, optionally in a child
2176 * network namespace *netns*. The return value must be checked, 2176 * network namespace *netns*. The return value must be checked,
@@ -2187,12 +2187,14 @@ union bpf_attr {
2187 * **sizeof**\ (*tuple*\ **->ipv6**) 2187 * **sizeof**\ (*tuple*\ **->ipv6**)
2188 * Look for an IPv6 socket. 2188 * Look for an IPv6 socket.
2189 * 2189 *
2190 * If the *netns* is zero, then the socket lookup table in the 2190 * If the *netns* is a negative signed 32-bit integer, then the
2191 * netns associated with the *ctx* will be used. For the TC hooks, 2191 * socket lookup table in the netns associated with the *ctx* will
2192 * this in the netns of the device in the skb. For socket hooks, 2192 * will be used. For the TC hooks, this is the netns of the device
2193 * this in the netns of the socket. If *netns* is non-zero, then 2193 * in the skb. For socket hooks, this is the netns of the socket.
2194 * it specifies the ID of the netns relative to the netns 2194 * If *netns* is any other signed 32-bit value greater than or
2195 * associated with the *ctx*. 2195 * equal to zero then it specifies the ID of the netns relative to
2196 * the netns associated with the *ctx*. *netns* values beyond the
2197 * range of 32-bit integers are reserved for future use.
2196 * 2198 *
2197 * All values for *flags* are reserved for future usage, and must 2199 * All values for *flags* are reserved for future usage, and must
2198 * be left at zero. 2200 * be left at zero.
@@ -2201,8 +2203,10 @@ union bpf_attr {
2201 * **CONFIG_NET** configuration option. 2203 * **CONFIG_NET** configuration option.
2202 * Return 2204 * Return
2203 * Pointer to *struct bpf_sock*, or NULL in case of failure. 2205 * Pointer to *struct bpf_sock*, or NULL in case of failure.
2206 * For sockets with reuseport option, *struct bpf_sock*
2207 * return is from reuse->socks[] using hash of the packet.
2204 * 2208 *
2205 * struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags) 2209 * struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u64 netns, u64 flags)
2206 * Description 2210 * Description
2207 * Look for UDP socket matching *tuple*, optionally in a child 2211 * Look for UDP socket matching *tuple*, optionally in a child
2208 * network namespace *netns*. The return value must be checked, 2212 * network namespace *netns*. The return value must be checked,
@@ -2219,12 +2223,14 @@ union bpf_attr {
2219 * **sizeof**\ (*tuple*\ **->ipv6**) 2223 * **sizeof**\ (*tuple*\ **->ipv6**)
2220 * Look for an IPv6 socket. 2224 * Look for an IPv6 socket.
2221 * 2225 *
2222 * If the *netns* is zero, then the socket lookup table in the 2226 * If the *netns* is a negative signed 32-bit integer, then the
2223 * netns associated with the *ctx* will be used. For the TC hooks, 2227 * socket lookup table in the netns associated with the *ctx* will
2224 * this in the netns of the device in the skb. For socket hooks, 2228 * will be used. For the TC hooks, this is the netns of the device
2225 * this in the netns of the socket. If *netns* is non-zero, then 2229 * in the skb. For socket hooks, this is the netns of the socket.
2226 * it specifies the ID of the netns relative to the netns 2230 * If *netns* is any other signed 32-bit value greater than or
2227 * associated with the *ctx*. 2231 * equal to zero then it specifies the ID of the netns relative to
2232 * the netns associated with the *ctx*. *netns* values beyond the
2233 * range of 32-bit integers are reserved for future use.
2228 * 2234 *
2229 * All values for *flags* are reserved for future usage, and must 2235 * All values for *flags* are reserved for future usage, and must
2230 * be left at zero. 2236 * be left at zero.
@@ -2233,6 +2239,8 @@ union bpf_attr {
2233 * **CONFIG_NET** configuration option. 2239 * **CONFIG_NET** configuration option.
2234 * Return 2240 * Return
2235 * Pointer to *struct bpf_sock*, or NULL in case of failure. 2241 * Pointer to *struct bpf_sock*, or NULL in case of failure.
2242 * For sockets with reuseport option, *struct bpf_sock*
2243 * return is from reuse->socks[] using hash of the packet.
2236 * 2244 *
2237 * int bpf_sk_release(struct bpf_sock *sk) 2245 * int bpf_sk_release(struct bpf_sock *sk)
2238 * Description 2246 * Description
@@ -2405,6 +2413,9 @@ enum bpf_func_id {
2405/* BPF_FUNC_perf_event_output for sk_buff input context. */ 2413/* BPF_FUNC_perf_event_output for sk_buff input context. */
2406#define BPF_F_CTXLEN_MASK (0xfffffULL << 32) 2414#define BPF_F_CTXLEN_MASK (0xfffffULL << 32)
2407 2415
2416/* Current network namespace */
2417#define BPF_F_CURRENT_NETNS (-1L)
2418
2408/* Mode for BPF_FUNC_skb_adjust_room helper. */ 2419/* Mode for BPF_FUNC_skb_adjust_room helper. */
2409enum bpf_adj_room_mode { 2420enum bpf_adj_room_mode {
2410 BPF_ADJ_ROOM_NET, 2421 BPF_ADJ_ROOM_NET,
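Review bot: The reuseport sentences added at new 2206-2207 and 2242-2243 appear only in this tools/include copy; the include/uapi/linux/bpf.h hunks of this same commit do not add them, even though both files start from the same blob 426b5c8a245b. Unless the kernel header picks those lines up in another commit, the two copies diverge after this change, and the expectation is that tools/include/uapi/linux/bpf.h is a verbatim mirror of the kernel header. The doubled "will" in the rewritten netns paragraph (new 2191-2192 and 2227-2228) is carried into this copy as well; fix it once in the kernel header and re-sync rather than editing here.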
diff --git a/tools/testing/selftests/bpf/bpf_helpers.h b/tools/testing/selftests/bpf/bpf_helpers.h
index 686e57ce40f4..efb6c13ab0de 100644
--- a/tools/testing/selftests/bpf/bpf_helpers.h
+++ b/tools/testing/selftests/bpf/bpf_helpers.h
@@ -154,12 +154,12 @@ static unsigned long long (*bpf_skb_ancestor_cgroup_id)(void *ctx, int level) =
154 (void *) BPF_FUNC_skb_ancestor_cgroup_id; 154 (void *) BPF_FUNC_skb_ancestor_cgroup_id;
155static struct bpf_sock *(*bpf_sk_lookup_tcp)(void *ctx, 155static struct bpf_sock *(*bpf_sk_lookup_tcp)(void *ctx,
156 struct bpf_sock_tuple *tuple, 156 struct bpf_sock_tuple *tuple,
157 int size, unsigned int netns_id, 157 int size, unsigned long long netns_id,
158 unsigned long long flags) = 158 unsigned long long flags) =
159 (void *) BPF_FUNC_sk_lookup_tcp; 159 (void *) BPF_FUNC_sk_lookup_tcp;
160static struct bpf_sock *(*bpf_sk_lookup_udp)(void *ctx, 160static struct bpf_sock *(*bpf_sk_lookup_udp)(void *ctx,
161 struct bpf_sock_tuple *tuple, 161 struct bpf_sock_tuple *tuple,
162 int size, unsigned int netns_id, 162 int size, unsigned long long netns_id,
163 unsigned long long flags) = 163 unsigned long long flags) =
164 (void *) BPF_FUNC_sk_lookup_udp; 164 (void *) BPF_FUNC_sk_lookup_udp;
165static int (*bpf_sk_release)(struct bpf_sock *sk) = 165static int (*bpf_sk_release)(struct bpf_sock *sk) =
diff --git a/tools/testing/selftests/bpf/test_sk_lookup_kern.c b/tools/testing/selftests/bpf/test_sk_lookup_kern.c
index b745bdc08c2b..e21cd736c196 100644
--- a/tools/testing/selftests/bpf/test_sk_lookup_kern.c
+++ b/tools/testing/selftests/bpf/test_sk_lookup_kern.c
@@ -72,7 +72,7 @@ int bpf_sk_lookup_test0(struct __sk_buff *skb)
72 return TC_ACT_SHOT; 72 return TC_ACT_SHOT;
73 73
74 tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6); 74 tuple_len = ipv4 ? sizeof(tuple->ipv4) : sizeof(tuple->ipv6);
75 sk = bpf_sk_lookup_tcp(skb, tuple, tuple_len, 0, 0); 75 sk = bpf_sk_lookup_tcp(skb, tuple, tuple_len, BPF_F_CURRENT_NETNS, 0);
76 if (sk) 76 if (sk)
77 bpf_sk_release(sk); 77 bpf_sk_release(sk);
78 return sk ? TC_ACT_OK : TC_ACT_UNSPEC; 78 return sk ? TC_ACT_OK : TC_ACT_UNSPEC;
@@ -84,7 +84,7 @@ int bpf_sk_lookup_test1(struct __sk_buff *skb)
84 struct bpf_sock_tuple tuple = {}; 84 struct bpf_sock_tuple tuple = {};
85 struct bpf_sock *sk; 85 struct bpf_sock *sk;
86 86
87 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 87 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
88 if (sk) 88 if (sk)
89 bpf_sk_release(sk); 89 bpf_sk_release(sk);
90 return 0; 90 return 0;
@@ -97,7 +97,7 @@ int bpf_sk_lookup_uaf(struct __sk_buff *skb)
97 struct bpf_sock *sk; 97 struct bpf_sock *sk;
98 __u32 family = 0; 98 __u32 family = 0;
99 99
100 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 100 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
101 if (sk) { 101 if (sk) {
102 bpf_sk_release(sk); 102 bpf_sk_release(sk);
103 family = sk->family; 103 family = sk->family;
@@ -112,7 +112,7 @@ int bpf_sk_lookup_modptr(struct __sk_buff *skb)
112 struct bpf_sock *sk; 112 struct bpf_sock *sk;
113 __u32 family; 113 __u32 family;
114 114
115 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 115 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
116 if (sk) { 116 if (sk) {
117 sk += 1; 117 sk += 1;
118 bpf_sk_release(sk); 118 bpf_sk_release(sk);
@@ -127,7 +127,7 @@ int bpf_sk_lookup_modptr_or_null(struct __sk_buff *skb)
127 struct bpf_sock *sk; 127 struct bpf_sock *sk;
128 __u32 family; 128 __u32 family;
129 129
130 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 130 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
131 sk += 1; 131 sk += 1;
132 if (sk) 132 if (sk)
133 bpf_sk_release(sk); 133 bpf_sk_release(sk);
@@ -139,7 +139,7 @@ int bpf_sk_lookup_test2(struct __sk_buff *skb)
139{ 139{
140 struct bpf_sock_tuple tuple = {}; 140 struct bpf_sock_tuple tuple = {};
141 141
142 bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 142 bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
143 return 0; 143 return 0;
144} 144}
145 145
@@ -149,7 +149,7 @@ int bpf_sk_lookup_test3(struct __sk_buff *skb)
149 struct bpf_sock_tuple tuple = {}; 149 struct bpf_sock_tuple tuple = {};
150 struct bpf_sock *sk; 150 struct bpf_sock *sk;
151 151
152 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 152 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
153 bpf_sk_release(sk); 153 bpf_sk_release(sk);
154 bpf_sk_release(sk); 154 bpf_sk_release(sk);
155 return 0; 155 return 0;
@@ -161,7 +161,7 @@ int bpf_sk_lookup_test4(struct __sk_buff *skb)
161 struct bpf_sock_tuple tuple = {}; 161 struct bpf_sock_tuple tuple = {};
162 struct bpf_sock *sk; 162 struct bpf_sock *sk;
163 163
164 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 164 sk = bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
165 bpf_sk_release(sk); 165 bpf_sk_release(sk);
166 return 0; 166 return 0;
167} 167}
@@ -169,7 +169,7 @@ int bpf_sk_lookup_test4(struct __sk_buff *skb)
169void lookup_no_release(struct __sk_buff *skb) 169void lookup_no_release(struct __sk_buff *skb)
170{ 170{
171 struct bpf_sock_tuple tuple = {}; 171 struct bpf_sock_tuple tuple = {};
172 bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), 0, 0); 172 bpf_sk_lookup_tcp(skb, &tuple, sizeof(tuple), BPF_F_CURRENT_NETNS, 0);
173} 173}
174 174
175SEC("fail_no_release_subcall") 175SEC("fail_no_release_subcall")
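Review bot: Every call site in this file is switched to BPF_F_CURRENT_NETNS, but nothing exercises the other side of the new encoding introduced by this commit: 0 now means "netns id 0" rather than "current namespace", and a value with bit 31 clear above S32_MAX must make the helper return NULL, and neither boundary is covered by these programs. A TC program that parses the tuple the same way bpf_sk_lookup_test0 does but passes `1ULL << 32` and shoots the packet if a socket is found would pin the rejection path, and a twin passing `0` would pin the changed meaning of zero; how such a program gets loaded depends on the runner, which is outside this file, and test0's tuple parsing is only partly visible in this hunk.

```c
SEC("sk_lookup_reserved_netns")
int bpf_sk_lookup_reserved_netns(struct __sk_buff *skb)
{
	/* … parse tuple/tuple_len from skb exactly as bpf_sk_lookup_test0 does … */

	/* bit 31 clear but above S32_MAX: reserved, the helper must not match */
	sk = bpf_sk_lookup_tcp(skb, tuple, tuple_len, 1ULL << 32, 0);
	if (sk)
		bpf_sk_release(sk);
	return sk ? TC_ACT_SHOT : TC_ACT_OK;
}
```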