bpf: Add helper to retrieve socket in BPF

This patch adds new BPF helper functions, bpf_sk_lookup_tcp() and bpf_sk_lookup_udp() which allows BPF programs to find out if there is a socket listening on this host, and returns a socket pointer which the BPF program can then access to determine, for instance, whether to forward or drop traffic. bpf_sk_lookup_xxx() may take a reference on the socket, so when a BPF program makes use of this function, it must subsequently pass the returned pointer into the newly added sk_release() to return the reference. By way of example, the following pseudocode would filter inbound connections at XDP if there is no corresponding service listening for the traffic: struct bpf_sock_tuple tuple; struct bpf_sock_ops *sk; populate_tuple(ctx, &tuple); // Extract the 5tuple from the packet sk = bpf_sk_lookup_tcp(ctx, &tuple, sizeof tuple, netns, 0); if (!sk) { // Couldn't find a socket listening for this traffic. Drop. return TC_ACT_SHOT; } bpf_sk_release(sk, 0); return TC_ACT_OK; Signed-off-by: Joe Stringer <joe@wand.net.nz> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
author: Joe Stringer <joe@wand.net.nz> 2018-10-02 16:35:36 -0400
committer: Daniel Borkmann <daniel@iogearbox.net> 2018-10-02 20:53:47 -0400
commit: 6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 (patch)
tree: 1b5ac6b607e8d88a815c8b88d795e71a18260f31 /tools/include
parent: fd978bf7fd312581a7ca454a991f0ffb34c4204b (diff)
1 files changed, 92 insertions, 1 deletions
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
index e2070d819e04..f9187b41dff6 100644
--- a/tools/include/uapi/linux/bpf.h
+++ b/tools/include/uapi/linux/bpf.h
@@ -2144,6 +2144,77 @@ union bpf_attr {
 *              request in the skb.
 *      Return
 *              0 on success, or a negative error in case of failure.
+ *
+ * struct bpf_sock *bpf_sk_lookup_tcp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags)
+ *      Description
+ *              Look for TCP socket matching *tuple*, optionally in a child
+ *              network namespace *netns*. The return value must be checked,
+ *              and if non-NULL, released via **bpf_sk_release**\ ().
+ *
+ *              The *ctx* should point to the context of the program, such as
+ *              the skb or socket (depending on the hook in use). This is used
+ *              to determine the base network namespace for the lookup.
+ *
+ *              *tuple_size* must be one of:
+ *
+ *              **sizeof**\ (*tuple*\ **->ipv4**)
+ *                      Look for an IPv4 socket.
+ *              **sizeof**\ (*tuple*\ **->ipv6**)
+ *                      Look for an IPv6 socket.
+ *
+ *              If the *netns* is zero, then the socket lookup table in the
+ *              netns associated with the *ctx* will be used. For the TC hooks,
+ *              this in the netns of the device in the skb. For socket hooks,
+ *              this in the netns of the socket. If *netns* is non-zero, then
+ *              it specifies the ID of the netns relative to the netns
+ *              associated with the *ctx*.
+ *
+ *              All values for *flags* are reserved for future usage, and must
+ *              be left at zero.
+ *
+ *              This helper is available only if the kernel was compiled with
+ *              **CONFIG_NET** configuration option.
+ *      Return
+ *              Pointer to *struct bpf_sock*, or NULL in case of failure.
+ *
+ * struct bpf_sock *bpf_sk_lookup_udp(void *ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags)
+ *      Description
+ *              Look for UDP socket matching *tuple*, optionally in a child
+ *              network namespace *netns*. The return value must be checked,
+ *              and if non-NULL, released via **bpf_sk_release**\ ().
+ *
+ *              The *ctx* should point to the context of the program, such as
+ *              the skb or socket (depending on the hook in use). This is used
+ *              to determine the base network namespace for the lookup.
+ *
+ *              *tuple_size* must be one of:
+ *
+ *              **sizeof**\ (*tuple*\ **->ipv4**)
+ *                      Look for an IPv4 socket.
+ *              **sizeof**\ (*tuple*\ **->ipv6**)
+ *                      Look for an IPv6 socket.
+ *
+ *              If the *netns* is zero, then the socket lookup table in the
+ *              netns associated with the *ctx* will be used. For the TC hooks,
+ *              this in the netns of the device in the skb. For socket hooks,
+ *              this in the netns of the socket. If *netns* is non-zero, then
+ *              it specifies the ID of the netns relative to the netns
+ *              associated with the *ctx*.
+ *
+ *              All values for *flags* are reserved for future usage, and must
+ *              be left at zero.
+ *
+ *              This helper is available only if the kernel was compiled with
+ *              **CONFIG_NET** configuration option.
+ *      Return
+ *              Pointer to *struct bpf_sock*, or NULL in case of failure.
+ *
+ * int bpf_sk_release(struct bpf_sock *sk)
+ *      Description
+ *              Release the reference held by *sock*. *sock* must be a non-NULL
+ *              pointer that was returned from bpf_sk_lookup_xxx\ ().
+ *      Return
+ *              0 on success, or a negative error in case of failure.
 */
 #define __BPF_FUNC_MAPPER(FN)           \
        FN(unspec),                     \
@@ -2229,7 +2300,10 @@ union bpf_attr {
        FN(get_current_cgroup_id),      \
        FN(get_local_storage),          \
        FN(sk_select_reuseport),        \
-        FN(skb_ancestor_cgroup_id),
+        FN(skb_ancestor_cgroup_id),     \
+        FN(sk_lookup_tcp),              \
+        FN(sk_lookup_udp),              \
+        FN(sk_release),
 /* integer value in 'imm' field of BPF_CALL instruction selects which helper
 * function eBPF program intends to call
@@ -2399,6 +2473,23 @@ struct bpf_sock {
                                 */
 };
+struct bpf_sock_tuple {
+        union {
+                struct {
+                        __be32 saddr;
+                        __be32 daddr;
+                        __be16 sport;
+                        __be16 dport;
+                } ipv4;
+                struct {
+                        __be32 saddr[4];
+                        __be32 daddr[4];
+                        __be16 sport;
+                        __be16 dport;
+                } ipv6;
+        };
+};
 #define XDP_PACKET_HEADROOM 256
 /* User return codes for XDP prog type.
author	Joe Stringer <joe@wand.net.nz>	2018-10-02 16:35:36 -0400
committer	Daniel Borkmann <daniel@iogearbox.net>	2018-10-02 20:53:47 -0400
commit	6acc9b432e6714d72d7d77ec7c27f6f8358d0c71 (patch)
tree	1b5ac6b607e8d88a815c8b88d795e71a18260f31 /tools/include
parent	fd978bf7fd312581a7ca454a991f0ffb34c4204b (diff)

diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h index e2070d819e04..f9187b41dff6 100644 --- a/tools/include/uapi/linux/bpf.h +++ b/tools/include/uapi/linux/bpf.h
@@ -2144,6 +2144,77 @@ union bpf_attr {
2144	* request in the skb.	2144	* request in the skb.
2145	* Return	2145	* Return
2146	* 0 on success, or a negative error in case of failure.	2146	* 0 on success, or a negative error in case of failure.
		2147	*
		2148	* struct bpf_sock bpf_sk_lookup_tcp(void ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags)
		2149	* Description
		2150	* Look for TCP socket matching tuple, optionally in a child
		2151	* network namespace netns. The return value must be checked,
		2152	* and if non-NULL, released via bpf_sk_release\ ().
		2153	*
		2154	* The ctx should point to the context of the program, such as
		2155	* the skb or socket (depending on the hook in use). This is used
		2156	* to determine the base network namespace for the lookup.
		2157	*
		2158	* tuple_size must be one of:
		2159	*
		2160	* sizeof\ (tuple\ ->ipv4)
		2161	* Look for an IPv4 socket.
		2162	* sizeof\ (tuple\ ->ipv6)
		2163	* Look for an IPv6 socket.
		2164	*
		2165	* If the netns is zero, then the socket lookup table in the
		2166	* netns associated with the ctx will be used. For the TC hooks,
		2167	* this in the netns of the device in the skb. For socket hooks,
		2168	* this in the netns of the socket. If netns is non-zero, then
		2169	* it specifies the ID of the netns relative to the netns
		2170	* associated with the ctx.
		2171	*
		2172	* All values for flags are reserved for future usage, and must
		2173	* be left at zero.
		2174	*
		2175	* This helper is available only if the kernel was compiled with
		2176	* CONFIG_NET configuration option.
		2177	* Return
		2178	* Pointer to struct bpf_sock, or NULL in case of failure.
		2179	*
		2180	* struct bpf_sock bpf_sk_lookup_udp(void ctx, struct bpf_sock_tuple *tuple, u32 tuple_size, u32 netns, u64 flags)
		2181	* Description
		2182	* Look for UDP socket matching tuple, optionally in a child
		2183	* network namespace netns. The return value must be checked,
		2184	* and if non-NULL, released via bpf_sk_release\ ().
		2185	*
		2186	* The ctx should point to the context of the program, such as
		2187	* the skb or socket (depending on the hook in use). This is used
		2188	* to determine the base network namespace for the lookup.
		2189	*
		2190	* tuple_size must be one of:
		2191	*
		2192	* sizeof\ (tuple\ ->ipv4)
		2193	* Look for an IPv4 socket.
		2194	* sizeof\ (tuple\ ->ipv6)
		2195	* Look for an IPv6 socket.
		2196	*
		2197	* If the netns is zero, then the socket lookup table in the
		2198	* netns associated with the ctx will be used. For the TC hooks,
		2199	* this in the netns of the device in the skb. For socket hooks,
		2200	* this in the netns of the socket. If netns is non-zero, then
		2201	* it specifies the ID of the netns relative to the netns
		2202	* associated with the ctx.
		2203	*
		2204	* All values for flags are reserved for future usage, and must
		2205	* be left at zero.
		2206	*
		2207	* This helper is available only if the kernel was compiled with
		2208	* CONFIG_NET configuration option.
		2209	* Return
		2210	* Pointer to struct bpf_sock, or NULL in case of failure.
		2211	*
		2212	* int bpf_sk_release(struct bpf_sock *sk)
		2213	* Description
		2214	* Release the reference held by sock. sock must be a non-NULL
		2215	* pointer that was returned from bpf_sk_lookup_xxx\ ().
		2216	* Return
		2217	* 0 on success, or a negative error in case of failure.
2147	*/	2218	*/
2148	#define __BPF_FUNC_MAPPER(FN) \	2219	#define __BPF_FUNC_MAPPER(FN) \
2149	FN(unspec), \	2220	FN(unspec), \
@@ -2229,7 +2300,10 @@ union bpf_attr {
2229	FN(get_current_cgroup_id), \	2300	FN(get_current_cgroup_id), \
2230	FN(get_local_storage), \	2301	FN(get_local_storage), \
2231	FN(sk_select_reuseport), \	2302	FN(sk_select_reuseport), \
2232	FN(skb_ancestor_cgroup_id),	2303	FN(skb_ancestor_cgroup_id), \
		2304	FN(sk_lookup_tcp), \
		2305	FN(sk_lookup_udp), \
		2306	FN(sk_release),
2233		2307
2234	/* integer value in 'imm' field of BPF_CALL instruction selects which helper	2308	/* integer value in 'imm' field of BPF_CALL instruction selects which helper
2235	* function eBPF program intends to call	2309	* function eBPF program intends to call
@@ -2399,6 +2473,23 @@ struct bpf_sock {
2399	*/	2473	*/
2400	};	2474	};
2401		2475
		2476	struct bpf_sock_tuple {
		2477	union {
		2478	struct {
		2479	__be32 saddr;
		2480	__be32 daddr;
		2481	__be16 sport;
		2482	__be16 dport;
		2483	} ipv4;
		2484	struct {
		2485	__be32 saddr[4];
		2486	__be32 daddr[4];
		2487	__be16 sport;
		2488	__be16 dport;
		2489	} ipv6;
		2490	};
		2491	};
		2492
2402	#define XDP_PACKET_HEADROOM 256	2493	#define XDP_PACKET_HEADROOM 256
2403		2494
2404	/* User return codes for XDP prog type.	2495	/* User return codes for XDP prog type.