bpf: rename sk_actions to align with bpf infrastructure

jrfastab · davem330 · commit bfa640757e93 · 2017-10-29T11:18:48.000+09:00
Recent additions to support multiple programs in cgroups impose
a strict requirement, "all yes is yes, any no is no". To enforce
this the infrastructure requires the 'no' return code, SK_DROP in
this case, to be 0.

To apply these rules to SK_SKB program types the sk_actions return
codes need to be adjusted.

This fix adds SK_PASS and makes 'SK_DROP = 0'. Finally, remove
SK_ABORTED to remove any chance that the API may allow aborted
program flows to be passed up the stack. This would be incorrect
behavior and allow programs to break existing policies.

Signed-off-by: John Fastabend &lt;john.fastabend@gmail.com&gt;
Acked-by: Alexei Starovoitov &lt;ast@kernel.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
@@ -575,7 +575,7 @@ union bpf_attr {
  *     @map: pointer to sockmap
  *     @key: key to lookup sock in map
  *     @flags: reserved for future use
- *     Return: SK_REDIRECT
+ *     Return: SK_PASS
  *
  * int bpf_sock_map_update(skops, map, key, flags)
  *	@skops: pointer to bpf_sock_ops
@@ -786,8 +786,8 @@ struct xdp_md {
 };
 
 enum sk_action {
-	SK_ABORTED = 0,
-	SK_DROP,
+	SK_DROP = 0,
+	SK_PASS,
 	SK_REDIRECT,
 };
 
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
@@ -122,7 +122,8 @@ static int smap_verdict_func(struct smap_psock *psock, struct sk_buff *skb)
 	preempt_enable();
 	skb->sk = NULL;
 
-	return rc;
+	return rc == SK_PASS ?
+		(TCP_SKB_CB(skb)->bpf.map ? SK_REDIRECT : SK_PASS) : SK_DROP;
 }
 
 static void smap_do_verdict(struct smap_psock *psock, struct sk_buff *skb)
diff --git a/net/core/filter.c b/net/core/filter.c
@@ -1844,14 +1844,15 @@ BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,
 {
 	struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);
 
+	/* If user passes invalid input drop the packet. */
 	if (unlikely(flags))
-		return SK_ABORTED;
+		return SK_DROP;
 
 	tcb->bpf.key = key;
 	tcb->bpf.flags = flags;
 	tcb->bpf.map = map;
 
-	return SK_REDIRECT;
+	return SK_PASS;
 }
 
 struct sock *do_sk_redirect_map(struct sk_buff *skb)
diff --git a/tools/include/uapi/linux/bpf.h b/tools/include/uapi/linux/bpf.h
@@ -787,8 +787,8 @@ struct xdp_md {
 };
 
 enum sk_action {
-	SK_ABORTED = 0,
-	SK_DROP,
+	SK_DROP = 0,
+	SK_PASS,
 	SK_REDIRECT,
 };
 

Original file line number	Diff line number	Diff line change
`@@ -122,7 +122,8 @@ static int smap_verdict_func(struct smap_psock psock, struct sk_buff skb)`
`122`	`122`	`preempt_enable();`
`123`	`123`	`skb->sk = NULL;`
`124`	`124`
`125`		`- return rc;`
	`125`	`+ return rc == SK_PASS ?`
	`126`	`+ (TCP_SKB_CB(skb)->bpf.map ? SK_REDIRECT : SK_PASS) : SK_DROP;`
`126`	`127`	`}`
`127`	`128`
`128`	`129`	`static void smap_do_verdict(struct smap_psock psock, struct sk_buff skb)`
Original file line number	Diff line number	Diff line change
`@@ -1844,14 +1844,15 @@ BPF_CALL_4(bpf_sk_redirect_map, struct sk_buff *, skb,`
`1844`	`1844`	`{`
`1845`	`1845`	`struct tcp_skb_cb *tcb = TCP_SKB_CB(skb);`
`1846`	`1846`
	`1847`	`+ /* If user passes invalid input drop the packet. */`
`1847`	`1848`	`if (unlikely(flags))`
`1848`		`- return SK_ABORTED;`
	`1849`	`+ return SK_DROP;`
`1849`	`1850`
`1850`	`1851`	`tcb->bpf.key = key;`
`1851`	`1852`	`tcb->bpf.flags = flags;`
`1852`	`1853`	`tcb->bpf.map = map;`
`1853`	`1854`
`1854`		`- return SK_REDIRECT;`
	`1855`	`+ return SK_PASS;`
`1855`	`1856`	`}`
`1856`	`1857`
`1857`	`1858`	`struct sock do_sk_redirect_map(struct sk_buff skb)`