From bf007d1c75aceb4e8a407f325d42ee9958049a31 Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Wed, 23 Sep 2015 21:56:46 +0200 Subject: cls_bpf: also dump TCA_BPF_FLAGS In commit 43388da42a49 ("cls_bpf: introduce integrated actions") we have added TCA_BPF_FLAGS. We can also retrieve this information from the prog, dump it back to user space as well. It's useful in tc when displaying/dumping filter info. Also, remove tp from cls_bpf_prog_from_efd(), came in as a conflict from a rebase and it's unused here (later work may add it along with a real user). Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller --- net/sched/cls_bpf.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c index 0590816ab7b0..7d9241545188 100644 --- a/net/sched/cls_bpf.c +++ b/net/sched/cls_bpf.c @@ -265,8 +265,7 @@ static int cls_bpf_prog_from_ops(struct nlattr **tb, struct cls_bpf_prog *prog) return 0; } -static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog, - const struct tcf_proto *tp) +static int cls_bpf_prog_from_efd(struct nlattr **tb, struct cls_bpf_prog *prog) { struct bpf_prog *fp; char *name = NULL; @@ -339,7 +338,7 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, prog->exts_integrated = have_exts; ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : - cls_bpf_prog_from_efd(tb, prog, tp); + cls_bpf_prog_from_efd(tb, prog); if (ret < 0) { tcf_exts_destroy(&exts); return ret; @@ -468,6 +467,7 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh, { struct cls_bpf_prog *prog = (struct cls_bpf_prog *) fh; struct nlattr *nest; + u32 bpf_flags = 0; int ret; if (prog == NULL) @@ -492,6 +492,11 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh, if (tcf_exts_dump(skb, &prog->exts) < 0) goto nla_put_failure; + if (prog->exts_integrated) + bpf_flags |= TCA_BPF_FLAG_ACT_DIRECT; + if (bpf_flags && nla_put_u32(skb, TCA_BPF_FLAGS, bpf_flags)) + goto nla_put_failure; + nla_nest_end(skb, nest); if (tcf_exts_dump_stats(skb, &prog->exts) < 0) -- cgit v1.2.3 From ef146fa40cc3af1dcb13688f41cc06a9c0deb01c Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Wed, 23 Sep 2015 21:56:47 +0200 Subject: cls_bpf: make binding to classid optional The binding to a particular classid was so far always mandatory for cls_bpf, but it doesn't need to be. Therefore, lift this restriction as similarly done in other classifiers. Only a couple of qdiscs make use of class from the tcf_result, others don't strictly care, so let the user choose his needs (those that read out class can handle situations where it could be NULL). An explicit check for tcf_unbind_filter() is also not needed here, as the previous r->class was 0, so the xchg() will return that and therefore a callback to the qdisc's unbind_tcf() is skipped. Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller --- net/sched/cls_bpf.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c index 7d9241545188..d6c0a0b44afb 100644 --- a/net/sched/cls_bpf.c +++ b/net/sched/cls_bpf.c @@ -307,14 +307,11 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, { bool is_bpf, is_ebpf, have_exts = false; struct tcf_exts exts; - u32 classid; int ret; is_bpf = tb[TCA_BPF_OPS_LEN] && tb[TCA_BPF_OPS]; is_ebpf = tb[TCA_BPF_FD]; - - if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf) || - !tb[TCA_BPF_CLASSID]) + if ((!is_bpf && !is_ebpf) || (is_bpf && is_ebpf)) return -EINVAL; tcf_exts_init(&exts, TCA_BPF_ACT, TCA_BPF_POLICE); @@ -322,7 +319,6 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, if (ret < 0) return ret; - classid = nla_get_u32(tb[TCA_BPF_CLASSID]); if (tb[TCA_BPF_FLAGS]) { u32 bpf_flags = nla_get_u32(tb[TCA_BPF_FLAGS]); @@ -334,7 +330,6 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, have_exts = bpf_flags & TCA_BPF_FLAG_ACT_DIRECT; } - prog->res.classid = classid; prog->exts_integrated = have_exts; ret = is_bpf ? cls_bpf_prog_from_ops(tb, prog) : @@ -344,9 +339,12 @@ static int cls_bpf_modify_existing(struct net *net, struct tcf_proto *tp, return ret; } - tcf_bind_filter(tp, &prog->res, base); - tcf_exts_change(tp, &prog->exts, &exts); + if (tb[TCA_BPF_CLASSID]) { + prog->res.classid = nla_get_u32(tb[TCA_BPF_CLASSID]); + tcf_bind_filter(tp, &prog->res, base); + } + tcf_exts_change(tp, &prog->exts, &exts); return 0; } @@ -479,7 +477,8 @@ static int cls_bpf_dump(struct net *net, struct tcf_proto *tp, unsigned long fh, if (nest == NULL) goto nla_put_failure; - if (nla_put_u32(skb, TCA_BPF_CLASSID, prog->res.classid)) + if (prog->res.classid && + nla_put_u32(skb, TCA_BPF_CLASSID, prog->res.classid)) goto nla_put_failure; if (cls_bpf_is_ebpf(prog)) -- cgit v1.2.3 From 5cf8ca0e473df01c9b78894d6e62afa2e1d1166f Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Wed, 23 Sep 2015 21:56:48 +0200 Subject: cls_bpf: further limit exec opcodes subset Jamal suggested to further limit the currently allowed subset of opcodes that may be used by a direct action return code as the intention is not to replace the full action engine, but rather to have a minimal set that can be used in the fast-path on things like ingress for some features that cls_bpf supports. Classifiers can, of course, still be chained together that have direct action mode with those that have a full exec pass. For more complex scenarios that go beyond this minimal set here, the full tcf_exts_exec() path must be used. Suggested-by: Jamal Hadi Salim Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller --- net/sched/cls_bpf.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/net/sched/cls_bpf.c b/net/sched/cls_bpf.c index d6c0a0b44afb..7eeffaf69c75 100644 --- a/net/sched/cls_bpf.c +++ b/net/sched/cls_bpf.c @@ -65,11 +65,8 @@ static int cls_bpf_exec_opcode(int code) { switch (code) { case TC_ACT_OK: - case TC_ACT_RECLASSIFY: case TC_ACT_SHOT: - case TC_ACT_PIPE: case TC_ACT_STOLEN: - case TC_ACT_QUEUED: case TC_ACT_REDIRECT: case TC_ACT_UNSPEC: return code; -- cgit v1.2.3