mirror of https://github.com/torvalds/linux.git
Add a new program type BPF_PROG_TYPE_SK_LOOKUP with a dedicated attach type
BPF_SK_LOOKUP. The new program kind is to be invoked by the transport layer
when looking up a listening socket for a new connection request for
connection oriented protocols, or when looking up an unconnected socket for
a packet for connection-less protocols.

When called, SK_LOOKUP BPF program can select a socket that will receive
the packet. This serves as a mechanism to overcome the limits of what
bind() API allows to express. Two use-cases driving this work are:

 (1) steer packets destined to an IP range, on fixed port to a socket

     192.0.2.0/24, port 80 -> NGINX socket

 (2) steer packets destined to an IP address, on any port to a socket

     198.51.100.1, any port -> L7 proxy socket

In its run-time context program receives information about the packet that
triggered the socket lookup. Namely IP version, L4 protocol identifier, and
address 4-tuple. Context can be further extended to include ingress
interface identifier.

To select a socket BPF program fetches it from a map holding socket
references, like SOCKMAP or SOCKHASH, and calls bpf_sk_assign(ctx, sk, ...)
helper to record the selection. Transport layer then uses the selected
socket as a result of socket lookup.

In its basic form, SK_LOOKUP acts as a filter and hence must return either
SK_PASS or SK_DROP. If the program returns with SK_PASS, transport should
look for a socket to receive the packet, or use the one selected by the
program if available, while SK_DROP informs the transport layer that the
lookup should fail.

This patch only enables the user to attach an SK_LOOKUP program to a
network namespace. Subsequent patches hook it up to run on local delivery
path in ipv4 and ipv6 stacks.

Suggested-by: Marek Majkowski <marek@cloudflare.com>
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200717103536.397595-3-jakub@cloudflare.com

| Name | | |
|---|---|---|
| atomic | ||
| basic | ||
| coccinelle | ||
| dtc | ||
| dummy-tools | ||
| gcc-plugins | ||
| gdb | ||
| genksyms | ||
| kconfig | ||
| ksymoops | ||
| mod | ||
| package | ||
| selinux | ||
| tracing | ||
| .gitignore | ||
| Kbuild.include | ||
| Kconfig.include | ||
| Lindent | ||
| Makefile | ||
| Makefile.asm-generic | ||
| Makefile.build | ||
| Makefile.clean | ||
| Makefile.dtbinst | ||
| Makefile.extrawarn | ||
| Makefile.gcc-plugins | ||
| Makefile.headersinst | ||
| Makefile.host | ||
| Makefile.kasan | ||
| Makefile.kcov | ||
| Makefile.kcsan | ||
| Makefile.lib | ||
| Makefile.modfinal | ||
| Makefile.modinst | ||
| Makefile.modpost | ||
| Makefile.modsign | ||
| Makefile.package | ||
| Makefile.ubsan | ||
| Makefile.userprogs | ||
| adjust_autoksyms.sh | ||
| asn1_compiler.c | ||
| bin2c.c | ||
| bloat-o-meter | ||
| bootgraph.pl | ||
| bpf_helpers_doc.py | ||
| cc-can-link.sh | ||
| check-sysctl-docs | ||
| check_extable.sh | ||
| checkincludes.pl | ||
| checkkconfigsymbols.py | ||
| checkpatch.pl | ||
| checkstack.pl | ||
| checksyscalls.sh | ||
| checkversion.pl | ||
| clang-version.sh | ||
| cleanfile | ||
| cleanpatch | ||
| coccicheck | ||
| config | ||
| const_structs.checkpatch | ||
| decode_stacktrace.sh | ||
| decodecode | ||
| depmod.sh | ||
| diffconfig | ||
| documentation-file-ref-check | ||
| export_report.pl | ||
| extract-cert.c | ||
| extract-ikconfig | ||
| extract-module-sig.pl | ||
| extract-sys-certs.pl | ||
| extract-vmlinux | ||
| extract_xc3028.pl | ||
| faddr2line | ||
| file-size.sh | ||
| find-unused-docs.sh | ||
| gcc-goto.sh | ||
| gcc-ld | ||
| gcc-plugin.sh | ||
| gcc-version.sh | ||
| gcc-x86_32-has-stack-protector.sh | ||
| gcc-x86_64-has-stack-protector.sh | ||
| gen_autoksyms.sh | ||
| gen_compile_commands.py | ||
| gen_ksymdeps.sh | ||
| get_abi.pl | ||
| get_dvb_firmware | ||
| get_maintainer.pl | ||
| gfp-translate | ||
| headerdep.pl | ||
| headers_check.pl | ||
| headers_install.sh | ||
| insert-sys-cert.c | ||
| jobserver-exec | ||
| kallsyms.c | ||
| kernel-doc | ||
| ld-version.sh | ||
| leaking_addresses.pl | ||
| link-vmlinux.sh | ||
| makelst | ||
| markup_oops.pl | ||
| mkcompile_h | ||
| mkmakefile | ||
| mksysmap | ||
| mkuboot.sh | ||
| module-common.lds | ||
| modules-check.sh | ||
| namespace.pl | ||
| nsdeps | ||
| objdiff | ||
| parse-maintainers.pl | ||
| patch-kernel | ||
| profile2linkerlist.pl | ||
| prune-kernel | ||
| recordmcount.c | ||
| recordmcount.h | ||
| recordmcount.pl | ||
| setlocalversion | ||
| show_delta | ||
| sign-file.c | ||
| sorttable.c | ||
| sorttable.h | ||
| spdxcheck-test.sh | ||
| spdxcheck.py | ||
| spelling.txt | ||
| sphinx-pre-install | ||
| split-man.pl | ||
| stackdelta | ||
| stackusage | ||
| subarch.include | ||
| tags.sh | ||
| tools-support-relr.sh | ||
| unifdef.c | ||
| ver_linux | ||
| xen-hypercalls.sh | ||
| xz_wrap.sh | ||