From 59fb9b62fb6c929a756563152a89f39b07cf8893 Mon Sep 17 00:00:00 2001 From: Yoshiki Komachi Date: Fri, 17 Jan 2020 16:05:32 +0900 Subject: [PATCH 1/2] flow_dissector: Fix to use new variables for port ranges in bpf hook This patch applies new flag (FLOW_DISSECTOR_KEY_PORTS_RANGE) and field (tp_range) to BPF flow dissector to generate appropriate flow keys when classified by specified port ranges. Fixes: 8ffb055beae5 ("cls_flower: Fix the behavior using port ranges with hw-offload") Signed-off-by: Yoshiki Komachi Signed-off-by: Daniel Borkmann Acked-by: Petar Penkov Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20200117070533.402240-2-komachi.yoshiki@gmail.com --- net/core/flow_dissector.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index f560b4902060..a1670dff0629 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c @@ -834,10 +834,10 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, struct flow_dissector *flow_dissector, void *target_container) { + struct flow_dissector_key_ports *key_ports = NULL; struct flow_dissector_key_control *key_control; struct flow_dissector_key_basic *key_basic; struct flow_dissector_key_addrs *key_addrs; - struct flow_dissector_key_ports *key_ports; struct flow_dissector_key_tags *key_tags; key_control = skb_flow_dissector_target(flow_dissector, @@ -876,10 +876,17 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys, key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS; } - if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) { + if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) key_ports = skb_flow_dissector_target(flow_dissector, FLOW_DISSECTOR_KEY_PORTS, target_container); + else if (dissector_uses_key(flow_dissector, + FLOW_DISSECTOR_KEY_PORTS_RANGE)) + key_ports = skb_flow_dissector_target(flow_dissector, + FLOW_DISSECTOR_KEY_PORTS_RANGE, + target_container); + + if (key_ports) { key_ports->src = flow_keys->sport; key_ports->dst = flow_keys->dport; } From 265bb359061db6ef825dec3912f341a604966371 Mon Sep 17 00:00:00 2001 From: Yoshiki Komachi Date: Fri, 17 Jan 2020 16:05:33 +0900 Subject: [PATCH 2/2] selftests/bpf: Add test based on port range for BPF flow dissector Add a simple test to make sure that a filter based on specified port range classifies packets correctly. Signed-off-by: Yoshiki Komachi Signed-off-by: Daniel Borkmann Acked-by: Petar Penkov Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20200117070533.402240-3-komachi.yoshiki@gmail.com --- tools/testing/selftests/bpf/test_flow_dissector.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/tools/testing/selftests/bpf/test_flow_dissector.sh b/tools/testing/selftests/bpf/test_flow_dissector.sh index a8485ae103d1..174b72a64a4c 100755 --- a/tools/testing/selftests/bpf/test_flow_dissector.sh +++ b/tools/testing/selftests/bpf/test_flow_dissector.sh @@ -139,6 +139,20 @@ echo "Testing IPv4 + GRE..." tc filter del dev lo ingress pref 1337 +echo "Testing port range..." +# Drops all IP/UDP packets coming from port 8-10 +tc filter add dev lo parent ffff: protocol ip pref 1337 flower ip_proto \ + udp src_port 8-10 action drop + +# Send 10 IPv4/UDP packets from port 7. Filter should not drop any. +./test_flow_dissector -i 4 -f 7 +# Send 10 IPv4/UDP packets from port 9. Filter should drop all. +./test_flow_dissector -i 4 -f 9 -F +# Send 10 IPv4/UDP packets from port 11. Filter should not drop any. +./test_flow_dissector -i 4 -f 11 + +tc filter del dev lo ingress pref 1337 + echo "Testing IPv6..." # Drops all IPv6/UDP packets coming from port 9 tc filter add dev lo parent ffff: protocol ipv6 pref 1337 flower ip_proto \