mirror of
https://github.com/torvalds/linux.git
synced 2024-12-02 17:11:33 +00:00
b530e9e106
This adds support for running XDP programs through BPF_PROG_RUN in a mode that enables live packet processing of the resulting frames. Previous uses of BPF_PROG_RUN for XDP returned the XDP program return code and the modified packet data to userspace, which is useful for unit testing of XDP programs. The existing BPF_PROG_RUN for XDP allows userspace to set the ingress ifindex and RXQ number as part of the context object being passed to the kernel. This patch reuses that code, but adds a new mode with different semantics, which can be selected with the new BPF_F_TEST_XDP_LIVE_FRAMES flag. When running BPF_PROG_RUN in this mode, the XDP program return codes will be honoured: returning XDP_PASS will result in the frame being injected into the networking stack as if it came from the selected networking interface, while returning XDP_TX and XDP_REDIRECT will result in the frame being transmitted out that interface. XDP_TX is translated into an XDP_REDIRECT operation to the same interface, since the real XDP_TX action is only possible from within the network drivers themselves, not from the process context where BPF_PROG_RUN is executed. Internally, this new mode of operation creates a page pool instance while setting up the test run, and feeds pages from that into the XDP program. The setup cost of this is amortised over the number of repetitions specified by userspace. To support the performance testing use case, we further optimise the setup step so that all pages in the pool are pre-initialised with the packet data, and pre-computed context and xdp_frame objects stored at the start of each page. This makes it possible to entirely avoid touching the page content on each XDP program invocation, and enables sending up to 9 Mpps/core on my test box. Because the data pages are recycled by the page pool, and the test runner doesn't re-initialise them for each run, subsequent invocations of the XDP program will see the packet data in the state it was after the last time it ran on that particular page. This means that an XDP program that modifies the packet before redirecting it has to be careful about which assumptions it makes about the packet content, but that is only an issue for the most naively written programs. Enabling the new flag is only allowed when not setting ctx_out and data_out in the test specification, since using it means frames will be redirected somewhere else, so they can't be returned. Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Martin KaFai Lau <kafai@fb.com> Link: https://lore.kernel.org/bpf/20220309105346.100053-2-toke@redhat.com
102 lines
3.0 KiB
Plaintext
102 lines
3.0 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
# BPF interpreter that, for example, classic socket filters depend on.
|
|
config BPF
|
|
bool
|
|
|
|
# Used by archs to tell that they support BPF JIT compiler plus which
|
|
# flavour. Only one of the two can be selected for a specific arch since
|
|
# eBPF JIT supersedes the cBPF JIT.
|
|
|
|
# Classic BPF JIT (cBPF)
|
|
config HAVE_CBPF_JIT
|
|
bool
|
|
|
|
# Extended BPF JIT (eBPF)
|
|
config HAVE_EBPF_JIT
|
|
bool
|
|
|
|
# Used by archs to tell that they want the BPF JIT compiler enabled by
|
|
# default for kernels that were compiled with BPF JIT support.
|
|
config ARCH_WANT_DEFAULT_BPF_JIT
|
|
bool
|
|
|
|
menu "BPF subsystem"
|
|
|
|
config BPF_SYSCALL
|
|
bool "Enable bpf() system call"
|
|
select BPF
|
|
select IRQ_WORK
|
|
select TASKS_TRACE_RCU
|
|
select BINARY_PRINTF
|
|
select NET_SOCK_MSG if NET
|
|
select PAGE_POOL if NET
|
|
default n
|
|
help
|
|
Enable the bpf() system call that allows to manipulate BPF programs
|
|
and maps via file descriptors.
|
|
|
|
config BPF_JIT
|
|
bool "Enable BPF Just In Time compiler"
|
|
depends on BPF
|
|
depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
|
|
depends on MODULES
|
|
help
|
|
BPF programs are normally handled by a BPF interpreter. This option
|
|
allows the kernel to generate native code when a program is loaded
|
|
into the kernel. This will significantly speed-up processing of BPF
|
|
programs.
|
|
|
|
Note, an admin should enable this feature changing:
|
|
/proc/sys/net/core/bpf_jit_enable
|
|
/proc/sys/net/core/bpf_jit_harden (optional)
|
|
/proc/sys/net/core/bpf_jit_kallsyms (optional)
|
|
|
|
config BPF_JIT_ALWAYS_ON
|
|
bool "Permanently enable BPF JIT and remove BPF interpreter"
|
|
depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
|
|
help
|
|
Enables BPF JIT and removes BPF interpreter to avoid speculative
|
|
execution of BPF instructions by the interpreter.
|
|
|
|
When CONFIG_BPF_JIT_ALWAYS_ON is enabled, /proc/sys/net/core/bpf_jit_enable
|
|
is permanently set to 1 and setting any other value than that will
|
|
return failure.
|
|
|
|
config BPF_JIT_DEFAULT_ON
|
|
def_bool ARCH_WANT_DEFAULT_BPF_JIT || BPF_JIT_ALWAYS_ON
|
|
depends on HAVE_EBPF_JIT && BPF_JIT
|
|
|
|
config BPF_UNPRIV_DEFAULT_OFF
|
|
bool "Disable unprivileged BPF by default"
|
|
default y
|
|
depends on BPF_SYSCALL
|
|
help
|
|
Disables unprivileged BPF by default by setting the corresponding
|
|
/proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
|
|
still reenable it by setting it to 0 later on, or permanently
|
|
disable it by setting it to 1 (from which no other transition to
|
|
0 is possible anymore).
|
|
|
|
Unprivileged BPF could be used to exploit certain potential
|
|
speculative execution side-channel vulnerabilities on unmitigated
|
|
affected hardware.
|
|
|
|
If you are unsure how to answer this question, answer Y.
|
|
|
|
source "kernel/bpf/preload/Kconfig"
|
|
|
|
config BPF_LSM
|
|
bool "Enable BPF LSM Instrumentation"
|
|
depends on BPF_EVENTS
|
|
depends on BPF_SYSCALL
|
|
depends on SECURITY
|
|
depends on BPF_JIT
|
|
help
|
|
Enables instrumentation of the security hooks with BPF programs for
|
|
implementing dynamic MAC and Audit Policies.
|
|
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
endmenu # "BPF subsystem"
|