bpf: implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap

Implement BPF_LWT_ENCAP_IP mode in bpf_lwt_push_encap BPF helper.
It enables BPF programs (specifically, BPF_PROG_TYPE_LWT_IN and
BPF_PROG_TYPE_LWT_XMIT prog types) to add IP encapsulation headers
to packets (e.g. IP/GRE, GUE, IPIP).

This is useful when thousands of different short-lived flows should be
encapped, each with different and dynamically determined destination.
Although lwtunnels can be used in some of these scenarios, the ability
to dynamically generate encap headers adds more flexibility, e.g.
when routing depends on the state of the host (reflected in global bpf
maps).

v7 changes:
 - added a call skb_clear_hash();
 - removed calls to skb_set_transport_header();
 - refuse to encap GSO-enabled packets.

v8 changes:
 - fix build errors when LWT is not enabled.

Note: the next patch in the patchset with deal with GSO-enabled packets,
which are currently rejected at encapping attempt.

Signed-off-by: Peter Oskolkov <posk@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h
index 33fd9ba7e0e5a29d5dd1705112a9213f08531612..671113bcb2cc20e2b4ff56f4160a9241cebce477 100644 (file)
--- a/include/net/lwtunnel.h
+++ b/include/net/lwtunnel.h
@@ -126,6 +126,8 @@ int lwtunnel_cmp_encap(struct lwtunnel_state *a, struct lwtunnel_state *b);
 int lwtunnel_output(struct net *net, struct sock *sk, struct sk_buff *skb);
 int lwtunnel_input(struct sk_buff *skb);
 int lwtunnel_xmit(struct sk_buff *skb);
+int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len,
+                         bool ingress);
 
 static inline void lwtunnel_set_redirect(struct dst_entry *dst)
 {

diff --git a/net/core/filter.c b/net/core/filter.c
index 12c88c21b6b8fcee91f72a7e2ddf16ae3e24be20..a78deb2656e172c3a7a97f9f4747b1605fdc06c5 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -73,6 +73,7 @@
 #include <linux/seg6_local.h>
 #include <net/seg6.h>
 #include <net/seg6_local.h>
+#include <net/lwtunnel.h>
 
 /**
  *     sk_filter_trim_cap - run a packet through a socket filter
@@ -4819,7 +4820,7 @@ static int bpf_push_seg6_encap(struct sk_buff *skb, u32 type, void *hdr, u32 len
 static int bpf_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len,
                             bool ingress)
 {
-       return -EINVAL;  /* Implemented in the next patch. */
+       return bpf_lwt_push_ip_encap(skb, hdr, len, ingress);
 }
 #endif
 

diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c
index a648568c5e8fed087769f70c71e9c6300aa8002c..e5a9850d9f4804bd928f7e75cc4e059809636d5b 100644 (file)
--- a/net/core/lwt_bpf.c
+++ b/net/core/lwt_bpf.c
@@ -390,6 +390,71 @@ static const struct lwtunnel_encap_ops bpf_encap_ops = {
        .owner          = THIS_MODULE,
 };
 
+static int handle_gso_encap(struct sk_buff *skb, bool ipv4, int encap_len)
+{
+       /* Handling of GSO-enabled packets is added in the next patch. */
+       return -EOPNOTSUPP;
+}
+
+int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, bool ingress)
+{
+       struct iphdr *iph;
+       bool ipv4;
+       int err;
+
+       if (unlikely(len < sizeof(struct iphdr) || len > LWT_BPF_MAX_HEADROOM))
+               return -EINVAL;
+
+       /* validate protocol and length */
+       iph = (struct iphdr *)hdr;
+       if (iph->version == 4) {
+               ipv4 = true;
+               if (unlikely(len < iph->ihl * 4))
+                       return -EINVAL;
+       } else if (iph->version == 6) {
+               ipv4 = false;
+               if (unlikely(len < sizeof(struct ipv6hdr)))
+                       return -EINVAL;
+       } else {
+               return -EINVAL;
+       }
+
+       if (ingress)
+               err = skb_cow_head(skb, len + skb->mac_len);
+       else
+               err = skb_cow_head(skb,
+                                  len + LL_RESERVED_SPACE(skb_dst(skb)->dev));
+       if (unlikely(err))
+               return err;
+
+       /* push the encap headers and fix pointers */
+       skb_reset_inner_headers(skb);
+       skb->encapsulation = 1;
+       skb_push(skb, len);
+       if (ingress)
+               skb_postpush_rcsum(skb, iph, len);
+       skb_reset_network_header(skb);
+       memcpy(skb_network_header(skb), hdr, len);
+       bpf_compute_data_pointers(skb);
+       skb_clear_hash(skb);
+
+       if (ipv4) {
+               skb->protocol = htons(ETH_P_IP);
+               iph = ip_hdr(skb);
+
+               if (!iph->check)
+                       iph->check = ip_fast_csum((unsigned char *)iph,
+                                                 iph->ihl);
+       } else {
+               skb->protocol = htons(ETH_P_IPV6);
+       }
+
+       if (skb_is_gso(skb))
+               return handle_gso_encap(skb, ipv4, len);
+
+       return 0;
+}
+
 static int __init bpf_lwt_init(void)
 {
        return lwtunnel_encap_add_ops(&bpf_encap_ops, LWTUNNEL_ENCAP_BPF);