On Fri, Apr 22, 2022 at 10:25 AM Maxim Mikityanskiy <maximmi@xxxxxxxxxx> wrote:
>
> This commit allows the new BPF helpers to work in SKB context (in TC
> BPF programs): bpf_tcp_raw_{gen,check}_syncookie_ipv{4,6}.
>
> The sample application and selftest are updated to support the TC mode.
> It's not the recommended mode of operation, because the SKB is already
> created at this point, and it's unlikely that the BPF program will
> provide any substantial speedup compared to regular SYN cookies or
> synproxy.
>
> Signed-off-by: Maxim Mikityanskiy <maximmi@xxxxxxxxxx>
> Reviewed-by: Tariq Toukan <tariqt@xxxxxxxxxx>
> --- > net/core/filter.c | 10 ++ > .../selftests/bpf/prog_tests/xdp_synproxy.c | 53 +++++-- > .../selftests/bpf/progs/xdp_synproxy_kern.c | 141 +++++++++++++----- > tools/testing/selftests/bpf/xdp_synproxy.c | 94 +++++++++--- > 4 files changed, 230 insertions(+), 68 deletions(-) > [...] > > - return hdr.tcp->syn ? syncookie_handle_syn(&hdr, ctx, data, data_end) : > - syncookie_handle_ack(&hdr); > + return hdr->tcp->syn ? syncookie_handle_syn(hdr, ctx, data, data_end, xdp) : > + syncookie_handle_ack(hdr); > +} > + > +SEC("xdp/syncookie") SEC("xdp")? libbpf will reject SEC("xdp/syncookie") in strict libbpf 1.0 mode > +int syncookie_xdp(struct xdp_md *ctx) > +{ > + void *data_end = (void *)(long)ctx->data_end; > + void *data = (void *)(long)ctx->data; > + struct header_pointers hdr; > + int ret; > + > + ret = syncookie_part1(ctx, data, data_end, &hdr, true); > + if (ret != XDP_TX) > + return ret; > + > + data_end = (void *)(long)ctx->data_end; > + data = (void *)(long)ctx->data; > + > + return syncookie_part2(ctx, data, data_end, &hdr, true); > +} [...]
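
Review bot: syncookie_xdp() has two undocumented contracts between syncookie_part1() and syncookie_part2() that deserve a comment. First, `if (ret != XDP_TX) return ret;` uses XDP_TX as the "continue to part2" signal, so a reader cannot tell from this function whether part1 may ever return XDP_TX as a final verdict; a named constant or a one-line comment would make that explicit. Second, data and data_end are reloaded from ctx before the part2 call with no explanation; if part1 can change the packet bounds, say so here, and note that the `struct header_pointers hdr` filled in by part1 is passed on to part2 after that reload, so either state that part2 re-derives the pointers inside it or that they stay valid. The bare `true` passed as the last argument of both calls would also read better with the parameter name in a comment, since the same flag appears as `xdp` in the syncookie_handle_syn() call above.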