On Fri, Apr 22, 2022 at 10:25 AM Maxim Mikityanskiy maximmi@nvidia.com wrote:
This commits allows the new BPF helpers to work in SKB context (in TC BPF programs): bpf_tcp_raw_{gen,check}_syncookie_ipv{4,6}.
The sample application and selftest are updated to support the TC mode. It's not the recommended mode of operation, because the SKB is already created at this point, and it's unlikely that the BPF program will provide any substantional speedup compared to regular SYN cookies or synproxy.
Signed-off-by: Maxim Mikityanskiy maximmi@nvidia.com Reviewed-by: Tariq Toukan tariqt@nvidia.com
net/core/filter.c | 10 ++ .../selftests/bpf/prog_tests/xdp_synproxy.c | 53 +++++-- .../selftests/bpf/progs/xdp_synproxy_kern.c | 141 +++++++++++++----- tools/testing/selftests/bpf/xdp_synproxy.c | 94 +++++++++--- 4 files changed, 230 insertions(+), 68 deletions(-)
[...]
return hdr.tcp->syn ? syncookie_handle_syn(&hdr, ctx, data, data_end) :syncookie_handle_ack(&hdr);
return hdr->tcp->syn ? syncookie_handle_syn(hdr, ctx, data, data_end, xdp) :syncookie_handle_ack(hdr);+}
+SEC("xdp/syncookie")
SEC("xdp")? libbpf will reject SEC("xdp/syncookie") in strict libbpf 1.0 mode
+int syncookie_xdp(struct xdp_md *ctx) +{
void *data_end = (void *)(long)ctx->data_end;void *data = (void *)(long)ctx->data;struct header_pointers hdr;int ret;ret = syncookie_part1(ctx, data, data_end, &hdr, true);if (ret != XDP_TX)return ret;data_end = (void *)(long)ctx->data_end;data = (void *)(long)ctx->data;return syncookie_part2(ctx, data, data_end, &hdr, true);+}
[...]