[RFC,nf-next,v5,0/2] netfilter: bpf: support prog update

Message ID 1704175877-28298-1-git-send-email-alibuda@linux.alibaba.com (mailing list archive)

Message

D. Wythe Jan. 2, 2024, 6:11 a.m. UTC
From: "D. Wythe" <alibuda@linux.alibaba.com>

These patches attempt to implement updating of progs within
a bpf netfilter link, allowing users to update their ebpf netfilter
prog in a hot update manner.

Besides, a corresponding test case has been added to verify
whether the update works.
--
v1:
1. remove unnecessary context, access the prog directly via rcu.
2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
3. check the dead flag during the update.
--
v1->v2:
1. remove unnecessary nf_prog, accessing nf_link->link.prog directly.
--
v2->v3:
1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
--
v3->v4:
1. remove mutex for link update, as it is unnecessary and can be replaced
by atomic operations.
--
v4->v5:
1. fix error retval check on cmpxchg

D. Wythe (2):
  netfilter: bpf: support prog update
  selftests/bpf: Add netfilter link prog update test

 net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
 .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
 .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
 3 files changed, 141 insertions(+), 16 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
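
A userspace C11 model of the lockless update scheme the changelog above describes (atomic compare-and-exchange instead of a mutex, dead flag checked during the update). This is an added example, not code from the patch series; `struct prog`, `struct nf_link_model`, `run_hook`, `link_update_prog` and the `-EPERM` return value are hypothetical stand-ins.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical userspace stand-ins; not the kernel's structures. */
struct prog { int verdict; };

struct nf_link_model {
    _Atomic(struct prog *) prog;  /* read by the packet path, swapped by updaters */
    atomic_bool dead;             /* set once the link has been detached */
};

/* Packet path: load the current program pointer once, then run it. */
static int run_hook(struct nf_link_model *l)
{
    struct prog *p = atomic_load_explicit(&l->prog, memory_order_acquire);
    return p->verdict;
}

/*
 * Lockless update. With a non-NULL expected_old the swap happens only if the
 * link still holds that program; otherwise the swap is unconditional. On
 * success *replaced receives the program that was swapped out, so the caller
 * can release it once no reader can still be using it.
 */
static int link_update_prog(struct nf_link_model *l, struct prog *new_prog,
                            struct prog *expected_old, struct prog **replaced)
{
    if (atomic_load(&l->dead))
        return -EPERM;            /* a detached link must not be updated */

    if (expected_old) {
        struct prog *seen = expected_old;
        /* C11 reports success as a bool and stores the observed value in
         * 'seen'. The kernel's cmpxchg() returns the observed value instead,
         * so success there means "return value == expected_old". */
        if (!atomic_compare_exchange_strong(&l->prog, &seen, new_prog))
            return -EPERM;        /* another updater changed the prog first */
        *replaced = seen;
    } else {
        *replaced = atomic_exchange(&l->prog, new_prog);
    }
    return 0;
}
```

The hook always observes either the old or the new program, never an empty slot, which is the property a hot update of a packet filter needs.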

Comments

D. Wythe Jan. 16, 2024, 1:46 p.m. UTC | #1
Just a reminder to keep this patch from being forgotten by everyone.
Quentin Deslandes Feb. 14, 2024, 4:10 p.m. UTC | #2
On 2024-01-02 07:11, D. Wythe wrote:
> From: "D. Wythe" <alibuda@linux.alibaba.com>
> 
> These patches attempt to implement updating of progs within
> a bpf netfilter link, allowing users to update their ebpf netfilter
> prog in a hot update manner.
> 
> Besides, a corresponding test case has been added to verify
> whether the update works.
> --
> v1:
> 1. remove unnecessary context, access the prog directly via rcu.
> 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
> 3. check the dead flag during the update.
> --
> v1->v2:
> 1. remove unnecessary nf_prog, accessing nf_link->link.prog directly.
> --
> v2->v3:
> 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
> --
> v3->v4:
> 1. remove mutex for link update, as it is unnecessary and can be replaced
> by atomic operations.
> --
> v4->v5:
> 1. fix error retval check on cmpxchg
> 
> D. Wythe (2):
>   netfilter: bpf: support prog update
>   selftests/bpf: Add netfilter link prog update test
> 
>  net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
>  .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
>  .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
>  3 files changed, 141 insertions(+), 16 deletions(-)
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
>  create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
> 

It seems this patch has been forgotten, hopefully this answer
will give it more visibility.

I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
with bpfilter and everything seems alright.

Thanks,
Quentin
Pablo Neira Ayuso Feb. 14, 2024, 4:41 p.m. UTC | #3
On Wed, Feb 14, 2024 at 05:10:46PM +0100, Quentin Deslandes wrote:
> On 2024-01-02 07:11, D. Wythe wrote:
> > From: "D. Wythe" <alibuda@linux.alibaba.com>
> > 
> > These patches attempt to implement updating of progs within
> > a bpf netfilter link, allowing users to update their ebpf netfilter
> > prog in a hot update manner.
> > 
> > Besides, a corresponding test case has been added to verify
> > whether the update works.
> > --
> > v1:
> > 1. remove unnecessary context, access the prog directly via rcu.
> > 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
> > 3. check the dead flag during the update.
> > --
> > v1->v2:
> > 1. remove unnecessary nf_prog, accessing nf_link->link.prog directly.
> > --
> > v2->v3:
> > 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
> > --
> > v3->v4:
> > 1. remove mutex for link update, as it is unnecessary and can be replaced
> > by atomic operations.
> > --
> > v4->v5:
> > 1. fix error retval check on cmpxchg
> > 
> > D. Wythe (2):
> >   netfilter: bpf: support prog update
> >   selftests/bpf: Add netfilter link prog update test
> > 
> >  net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
> >  .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
> >  .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
> >  3 files changed, 141 insertions(+), 16 deletions(-)
> >  create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
> >  create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
> > 
> 
> It seems this patch has been forgotten, hopefully this answer
> will give it more visibility.
> 
> I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
> with bpfilter and everything seems alright.

Just post it without RFC tag.
D. Wythe Feb. 20, 2024, 7:16 a.m. UTC | #4
On 2/15/24 12:41 AM, Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2024 at 05:10:46PM +0100, Quentin Deslandes wrote:
>> On 2024-01-02 07:11, D. Wythe wrote:
>>> From: "D. Wythe" <alibuda@linux.alibaba.com>
>>>
>>> These patches attempt to implement updating of progs within
>>> a bpf netfilter link, allowing users to update their ebpf netfilter
>>> prog in a hot update manner.
>>>
>>> Besides, a corresponding test case has been added to verify
>>> whether the update works.
>>> --
>>> v1:
>>> 1. remove unnecessary context, access the prog directly via rcu.
>>> 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
>>> 3. check the dead flag during the update.
>>> --
>>> v1->v2:
>>> 1. remove unnecessary nf_prog, accessing nf_link->link.prog directly.
>>> --
>>> v2->v3:
>>> 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
>>> --
>>> v3->v4:
>>> 1. remove mutex for link update, as it is unnecessary and can be replaced
>>> by atomic operations.
>>> --
>>> v4->v5:
>>> 1. fix error retval check on cmpxchg
>>>
>>> D. Wythe (2):
>>>    netfilter: bpf: support prog update
>>>    selftests/bpf: Add netfilter link prog update test
>>>
>>>   net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
>>>   .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
>>>   .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
>>>   3 files changed, 141 insertions(+), 16 deletions(-)
>>>   create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
>>>   create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
>>>
>> It seems this patch has been forgotten, hopefully this answer
>> will give it more visibility.
>>
>> I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
>> with bpfilter and everything seems alright.
> Just post it without RFC tag.

Glad to know that, I will send a formal version soon.

D. Wythe
D. Wythe Feb. 20, 2024, 7:19 a.m. UTC | #5
On 2/15/24 12:10 AM, Quentin Deslandes wrote:
> On 2024-01-02 07:11, D. Wythe wrote:
>> From: "D. Wythe" <alibuda@linux.alibaba.com>
>>
>> These patches attempt to implement updating of progs within
>> a bpf netfilter link, allowing users to update their ebpf netfilter
>> prog in a hot update manner.
>>
>> Besides, a corresponding test case has been added to verify
>> whether the update works.
>> --
>> v1:
>> 1. remove unnecessary context, access the prog directly via rcu.
>> 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
>> 3. check the dead flag during the update.
>> --
>> v1->v2:
>> 1. remove unnecessary nf_prog, accessing nf_link->link.prog directly.
>> --
>> v2->v3:
>> 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
>> --
>> v3->v4:
>> 1. remove mutex for link update, as it is unnecessary and can be replaced
>> by atomic operations.
>> --
>> v4->v5:
>> 1. fix error retval check on cmpxchg
>>
>> D. Wythe (2):
>>    netfilter: bpf: support prog update
>>    selftests/bpf: Add netfilter link prog update test
>>
>>   net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
>>   .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
>>   .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
>>   3 files changed, 141 insertions(+), 16 deletions(-)
>>   create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
>>   create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
>>
> It seems this patch has been forgotten, hopefully this answer
> will give it more visibility.
>
> I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
> with bpfilter and everything seems alright.
>
> Thanks,
> Quentin

Thanks for your testing. I will send out a formal version soon.

Best wishes,
D. Wythe