On Mon, Sep 2, 2024 at 3:20 AM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>
> Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx> writes:
>
> > On Tue, Aug 27, 2024 at 5:48 AM Leon Hwang <leon.hwang@xxxxxxxxx> wrote:
> >>
> >> > I wonder if disallowing to freplace programs when
> >> > replacement.tail_call_reachable != replaced.tail_call_reachable
> >> > would be a better option?
> >> >
> >>
> >> This idea is wonderful.
> >>
> >> We can disallow attaching tail_call_reachable freplace prog to
> >> not-tail_call_reachable bpf prog. So, the following 3 cases are allowed.
> >>
> >> 1. attach tail_call_reachable freplace prog to tail_call_reachable bpf prog.
> >> 2. attach not-tail_call_reachable freplace prog to tail_call_reachable
> >> bpf prog.
> >> 3. attach not-tail_call_reachable freplace prog to
> >> not-tail_call_reachable bpf prog.
> >
> > I think it's fine to disable freplace and tail_call combination
> > altogether.
>
> In the libxdp dispatcher we rely on the fact that an freplace program is
> equivalent to a directly attached XDP program. And we've definitely seen
> people using tail calls along with the libxdp dispatcher (e.g.,
> https://github.com/xdp-project/xdp-tools/issues/377), so I don't think
> it's a good idea to disable it entirely.
>

Thanks, Toke, for mentioning this use case. I have xdp-loader to load a
DNS XDP program with tail calls to do DNS ratelimit and DNS cookie
verification, see here:
https://github.com/vincentmli/xdp-tools/blob/vli-xdp-synproxy/xdp-dnsrrl/xdp_dnsrrl.bpf.c#L635-L644
and I have it as part of XDP DDoS in an open source firewall project,
https://github.com/vincentmli/BPFire. I hope this continues to be
supported in the future :)

> I think restricting the combinations should be fine, though - the libxdp
> dispatcher will not end up in a tail call map unless someone is going
> out of their way to do weird things :)
>
> -Toke