Daniel Borkmann <daniel@xxxxxxxxxxxxx> writes: > We do use cls_bpf heavily in Cilium, but I don't necessarily agree on > the notorious difficult to use aspect (at least for tc + BPF): i) this > is abstracted away from the /user/ entirely to the point that this is an > implementation detail he doesn't need to know about, ii) these days most > access to these hooks is done programmatically, if this is a worry, then > lets simply add a cls_bpf pendant for APIs like bpf_set_link_xdp_fd() we > have in libbpf where you only pass in ifindex, direction (ingress/egress) > and priority of the program so that underneath it sets up cls_act qdisc > with a cls_bpf instance that makes the whole thing foolproof, e.g.: > > int bpf_set_link_tc_fd(int ifindex, int fd, enum bpf_tc_dir dir, > __u32 priority, __u32 flags); Basically, what I'm trying to achieve with XDP chain calls is to be able to do something similar to this, but for XDP programs. Just with the added ability to also select on return code... >> Second, the multiple "independent programs", are actually not >> independent, because the current running program must return >> TC_ACT_UNSPEC to allow next bpf-prog to run. Thus, it is not really >> usable. > > I'd argue that unless the only thing you do in your debugging program is > to introspect (read-only) the packet at the current point, you'd run into > a similar coordination issue, meaning, the "independent programs" works > for simple cases where you only have ACCEPT and DROP policy, such that > you could run through all the programs and have precedence on DROP. > > But once you have conflicting policies with regards to how these programs > mangle and redirect packets, how would you handle these? I imagine that in most relevant cases this can be handled by convention; the most obvious convention being "chain call on XDP_PASS". But still allowing the admin to override this if they know what they are doing. > I'd argue it's a non-trivial task to outsource if /admins/ are > supposed to do manual order adjustments and more importantly to > troubleshoot issues due to them. Potentially debugging hooks would > make that easier to avoid recompilation, but it's more of a developer > task. Sure, in the general case this could become arbitrarily complex; but I think that the feature can still be useful. > Often times orchestration tools i) assume they just own the data path > to reduce complexity in an already complex system and ii) also keep > 'refreshing' their setup. One random example for the latter is k8s' > kube-proxy that reinstalls its iptables rules every x sec, in order to > make sure there was no manual messing around and to keep the data path > eventually consistent with the daemon view (if they got borked). This is actually the reason I want the kernel state to be the source of truth (instead of keeping state in a userspace daemon). If the kernel keeps the state it can enforce consistency, whereas a userspace daemon has to be able to deal with things in the kernel changing underneath it... > How would you make the loader aware of daemons automatically > refreshing/ reconfiguring their BPF progs in the situation where > admins changed the pipeline, adding similar handle as tc so whoever > does the 'chain' assembly know which one to update? My idea for this was to implement atomic updates in the form of a "cmpxchg" type of operation. I.e., we'd add a parameter to the syscall where userspace could say "I want to install this program in place of this one", and if that "old program" value doesn't match the current state of the kernel, it can be rejected, atomically. -Toke
