proxmox-mirrors/mirror_ubuntu-kernels
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_ubuntu-kernels.git synced 2026-01-17 00:05:43 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
35dfaad718
mirror_ubuntu-kernels/tools/include/uapi/linux
History
Daniel Borkmann 35dfaad718 netkit, bpf: Add bpf programmable net device 
This work adds a new, minimal BPF-programmable device called "netkit"
(former PoC code-name "meta") we recently presented at LSF/MM/BPF. The
core idea is that BPF programs are executed within the drivers xmit routine
and therefore e.g. in case of containers/Pods moving BPF processing closer
to the source.

One of the goals was that in case of Pod egress traffic, this allows to
move BPF programs from hostns tcx ingress into the device itself, providing
earlier drop or forward mechanisms, for example, if the BPF program
determines that the skb must be sent out of the node, then a redirect to
the physical device can take place directly without going through per-CPU
backlog queue. This helps to shift processing for such traffic from softirq
to process context, leading to better scheduling decisions/performance (see
measurements in the slides).

In this initial version, the netkit device ships as a pair, but we plan to
extend this further so it can also operate in single device mode. The pair
comes with a primary and a peer device. Only the primary device, typically
residing in hostns, can manage BPF programs for itself and its peer. The
peer device is designated for containers/Pods and cannot attach/detach
BPF programs. Upon the device creation, the user can set the default policy
to 'pass' or 'drop' for the case when no BPF program is attached.

Additionally, the device can be operated in L3 (default) or L2 mode. The
management of BPF programs is done via bpf_mprog, so that multi-attach is
supported right from the beginning with similar API and dependency controls
as tcx. For details on the latter see commit 053c8e1f23 ("bpf: Add generic
attach/detach/query API for multi-progs"). tc BPF compatibility is provided,
so that existing programs can be easily migrated.

Going forward, we plan to use netkit devices in Cilium as the main device
type for connecting Pods. They will be operated in L3 mode in order to
simplify a Pod's neighbor management and the peer will operate in default
drop mode, so that no traffic is leaving between the time when a Pod is
brought up by the CNI plugin and programs attached by the agent.
Additionally, the programs we attach via tcx on the physical devices are
using bpf_redirect_peer() for inbound traffic into netkit device, hence the
latter is also supporting the ndo_get_peer_dev callback. Similarly, we use
bpf_redirect_neigh() for the way out, pushing from netkit peer to phys device
directly. Also, BIG TCP is supported on netkit device. For the follow-up
work in single device mode, we plan to convert Cilium's cilium_host/_net
devices into a single one.

An extensive test suite for checking device operations and the BPF program
and link management API comes as BPF selftests in this series.

Co-developed-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Stanislav Fomichev <sdf@google.com>
Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
Link: https://github.com/borkmann/iproute2/tree/pr/netkit
Link: http://vger.kernel.org/bpfconf2023_material/tcx_meta_netdev_borkmann.pdf (24ff.)
Link: https://lore.kernel.org/r/20231024214904.29825-2-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
2023-10-24 16:06:03 -07:00
..
tc_act headers: Remove some left-over license text 2022-09-27 07:48:01 -07:00
bpf_common.h
bpf_perf_event.h tools, headers: Sync struct bpf_perf_event_data 2021-01-26 00:15:03 +01:00
bpf.h netkit, bpf: Add bpf programmable net device 2023-10-24 16:06:03 -07:00
btf.h bpf: Add btf enum64 support 2022-06-07 10:20:42 -07:00
const.h tools headers UAPI: Sync the linux/const.h with the kernel headers 2023-05-10 14:19:20 -03:00
erspan.h
ethtool.h tools: include: Add ethtool_drvinfo definition to UAPI header 2021-08-24 14:48:40 -07:00
fadvise.h
fcntl.h tools headers uapi: Sync linux/fcntl.h with the kernel sources 2023-07-11 12:29:23 -03:00
filter.h tools: bpf: Use local copy of headers including uapi/linux/filter.h 2020-07-21 10:50:35 +01:00
fs.h treewide: uapi: Replace zero-length arrays with flexible-array members 2022-06-28 21:26:05 +02:00
fscrypt.h tools headers UAPI: Sync linux/fscrypt.h with the kernel sources 2022-12-19 12:46:36 -03:00
hw_breakpoint.h Move bp_type_idx to include/linux/hw_breakpoint.h 2023-03-10 21:05:16 +01:00
if_link.h macvlan: Add netlink attribute for broadcast cutoff 2023-03-29 09:03:32 +01:00
if_tun.h treewide: uapi: Replace zero-length arrays with flexible-array members 2022-06-28 21:26:05 +02:00
if_xdp.h selftests/xsk: add basic multi-buffer test 2023-07-19 09:56:50 -07:00
in.h tools headers UAPI: Sync the linux/in.h with the kernel sources 2023-05-26 16:03:27 -03:00
kcmp.h
kvm.h tools headers UAPI: Sync linux/kvm.h with the kernel sources 2023-07-11 12:36:38 -03:00
mman.h tools headers UAPI: Sync files changed by new cachestat syscall with the kernel sources 2023-07-11 11:41:15 -03:00
mount.h tools include UAPI: Sync linux/mount.h copy with the kernel sources 2023-07-11 13:01:23 -03:00
netdev.h bpf: expose information about supported xdp metadata kfunc 2023-09-15 11:26:58 -07:00
netlink.h
openat2.h tools headers UAPI: Sync openat2.h with the kernel sources 2021-03-06 16:54:22 -03:00
perf_event.h tools include UAPI: Sync uapi/linux/perf_event.h with the kernel sources 2023-04-10 19:25:12 -03:00
pkt_cls.h treewide: uapi: Replace zero-length arrays with flexible-array members 2022-06-28 21:26:05 +02:00
pkt_sched.h sch_htb: Hierarchical QoS hardware offload 2021-01-22 20:41:29 -08:00
prctl.h tools headers UAPI: Sync linux/prctl.h with the kernel sources 2023-07-11 13:30:40 -03:00
sched.h tools headers UAPI: Sync sched.h with the kernel 2020-04-14 09:01:08 -03:00
seccomp.h tools headers UAPI: Copy seccomp.h to be able to build 'perf bench' in older systems 2023-09-13 08:48:48 -03:00
seg6_local.h
seg6.h treewide: uapi: Replace zero-length arrays with flexible-array members 2022-06-28 21:26:05 +02:00
stat.h tools headers uapi: Sync linux/stat.h with the kernel sources 2022-10-25 17:40:48 -03:00
stddef.h tools/headers: Pull in stddef.h to uapi to fix BPF selftests build in CI 2022-11-03 13:45:21 +01:00
tcp.h bpf: Remove extra lock_sock for TCP_ZEROCOPY_RECEIVE 2021-01-20 14:23:00 -08:00
tls.h
types.h tools/bpf: Move linux/types.h for selftests and bpftool 2020-03-13 20:56:34 +01:00
usbdevice_fs.h treewide: uapi: Replace zero-length arrays with flexible-array members 2022-06-28 21:26:05 +02:00
vhost.h tools include UAPI: Sync linux/vhost.h with the kernel sources 2023-07-14 10:16:03 -03:00