bpf: Change bpf_fib_lookup to return lookup status
For ACLs implemented using either FIB rules or FIB entries, the BPF program needs the FIB lookup status to be able to drop the packet. Since the bpf_fib_lookup API has not reached a released kernel yet, change the return code to contain an encoding of the FIB lookup result and return the nexthop device index in the params struct. In addition, inform the BPF program of any post FIB lookup reason as to why the packet needs to go up the stack. The fib result for unicast routes must have an egress device, so remove the check that it is non-NULL. Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
This commit is contained in:
David Ahern
committed by
Daniel Borkmann
Daniel Borkmann
parent
3203c90100
commit
4c79579b44
@@ -1857,7 +1857,8 @@ union bpf_attr {
|
||||
* is resolved), the nexthop address is returned in ipv4_dst
|
||||
* or ipv6_dst based on family, smac is set to mac address of
|
||||
* egress device, dmac is set to nexthop mac address, rt_metric
|
||||
* is set to metric from route (IPv4/IPv6 only).
|
||||
* is set to metric from route (IPv4/IPv6 only), and ifindex
|
||||
* is set to the device index of the nexthop from the FIB lookup.
|
||||
*
|
||||
* *plen* argument is the size of the passed in struct.
|
||||
* *flags* argument can be a combination of one or more of the
|
||||
@@ -1873,9 +1874,10 @@ union bpf_attr {
|
||||
* *ctx* is either **struct xdp_md** for XDP programs or
|
||||
* **struct sk_buff** tc cls_act programs.
|
||||
* Return
|
||||
* Egress device index on success, 0 if packet needs to continue
|
||||
* up the stack for further processing or a negative error in case
|
||||
* of failure.
|
||||
* * < 0 if any input argument is invalid
|
||||
* * 0 on success (packet is forwarded, nexthop neighbor exists)
|
||||
* * > 0 one of **BPF_FIB_LKUP_RET_** codes explaining why the
|
||||
* * packet is not forwarded or needs assist from full stack
|
||||
*
|
||||
* int bpf_sock_hash_update(struct bpf_sock_ops_kern *skops, struct bpf_map *map, void *key, u64 flags)
|
||||
* Description
|
||||
@@ -2612,6 +2614,18 @@ struct bpf_raw_tracepoint_args {
|
||||
#define BPF_FIB_LOOKUP_DIRECT BIT(0)
|
||||
#define BPF_FIB_LOOKUP_OUTPUT BIT(1)
|
||||
|
||||
enum {
|
||||
BPF_FIB_LKUP_RET_SUCCESS, /* lookup successful */
|
||||
BPF_FIB_LKUP_RET_BLACKHOLE, /* dest is blackholed; can be dropped */
|
||||
BPF_FIB_LKUP_RET_UNREACHABLE, /* dest is unreachable; can be dropped */
|
||||
BPF_FIB_LKUP_RET_PROHIBIT, /* dest not allowed; can be dropped */
|
||||
BPF_FIB_LKUP_RET_NOT_FWDED, /* packet is not forwarded */
|
||||
BPF_FIB_LKUP_RET_FWD_DISABLED, /* fwding is not enabled on ingress */
|
||||
BPF_FIB_LKUP_RET_UNSUPP_LWT, /* fwd requires encapsulation */
|
||||
BPF_FIB_LKUP_RET_NO_NEIGH, /* no neighbor entry for nh */
|
||||
BPF_FIB_LKUP_RET_FRAG_NEEDED, /* fragmentation required to fwd */
|
||||
};
|
||||
|
||||
struct bpf_fib_lookup {
|
||||
/* input: network family for lookup (AF_INET, AF_INET6)
|
||||
* output: network family of egress nexthop
|
||||
@@ -2625,7 +2639,11 @@ struct bpf_fib_lookup {
|
||||
|
||||
/* total length of packet from network header - used for MTU check */
|
||||
__u16 tot_len;
|
||||
__u32 ifindex; /* L3 device index for lookup */
|
||||
|
||||
/* input: L3 device index for lookup
|
||||
* output: device index from FIB lookup
|
||||
*/
|
||||
__u32 ifindex;
|
||||
|
||||
union {
|
||||
/* inputs to lookup */
|
||||
|
||||
Reference in New Issue
Block a user