Commit 8086fbaf authored by Stanislav Fomichev's avatar Stanislav Fomichev Committed by Daniel Borkmann
Browse files

bpf: Allow any port in bpf_bind helper 



We want to have a tighter control on what ports we bind to in
the BPF_CGROUP_INET{4,6}_CONNECT hooks even if it means
connect() becomes slightly more expensive. The expensive part
comes from the fact that we now need to call inet_csk_get_port()
that verifies that the port is not used and allocates an entry
in the hash table for it.

Since we can't rely on "snum || !bind_address_no_port" to prevent
us from calling POST_BIND hook anymore, let's add another bind flag
to indicate that the call site is BPF program.

v5:
* fix wrong AF_INET (should be AF_INET6) in the bpf program for v6

v3:
* More bpf_bind documentation refinements (Martin KaFai Lau)
* Add UDP tests as well (Martin KaFai Lau)
* Don't start the thread, just do socket+bind+listen (Martin KaFai Lau)

v2:
* Update documentation (Andrey Ignatov)
* Pass BIND_FORCE_ADDRESS_NO_PORT conditionally (Andrey Ignatov)

Signed-off-by: default avatarStanislav Fomichev <sdf@google.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAndrey Ignatov <rdna@fb.com>
Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20200508174611.228805-5-sdf@google.com
parent cb0721c7

include/net/inet_common.h

+2 −0
Original line number Diff line number Diff line
@@ -39,6 +39,8 @@ int inet_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len); 
#define BIND_FORCE_ADDRESS_NO_PORT	(1 << 0)

/* Grab and release socket lock. */

#define BIND_WITH_LOCK			(1 << 1)

/* Called from BPF program. */

#define BIND_FROM_BPF			(1 << 2)

int __inet_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len,

		u32 flags);

int inet_getname(struct socket *sock, struct sockaddr *uaddr,

include/uapi/linux/bpf.h

+5 −4
Original line number Diff line number Diff line
@@ -1994,10 +1994,11 @@ union bpf_attr { 
 *

 * 		This helper works for IPv4 and IPv6, TCP and UDP sockets. The

 * 		domain (*addr*\ **->sa_family**) must be **AF_INET** (or

 * 		**AF_INET6**). Looking for a free port to bind to can be

 * 		expensive, therefore binding to port is not permitted by the

 * 		helper: *addr*\ **->sin_port** (or **sin6_port**, respectively)

 * 		must be set to zero.

 * 		**AF_INET6**). It's advised to pass zero port (**sin_port**

 * 		or **sin6_port**) which triggers IP_BIND_ADDRESS_NO_PORT-like

 * 		behavior and lets the kernel efficiently pick up an unused

 * 		port as long as 4-tuple is unique. Passing non-zero port might

 * 		lead to degraded performance.

 * 	Return

 * 		0 on success, or a negative error in case of failure.

 *

net/core/filter.c

+7 −11
Original line number Diff line number Diff line
@@ -4525,32 +4525,28 @@ BPF_CALL_3(bpf_bind, struct bpf_sock_addr_kern *, ctx, struct sockaddr *, addr, 
{

#ifdef CONFIG_INET

	struct sock *sk = ctx->sk;

	u32 flags = BIND_FROM_BPF;

	int err;



	/* Binding to port can be expensive so it's prohibited in the helper.

	 * Only binding to IP is supported.

	 */

	err = -EINVAL;

	if (addr_len < offsetofend(struct sockaddr, sa_family))

		return err;

	if (addr->sa_family == AF_INET) {

		if (addr_len < sizeof(struct sockaddr_in))

			return err;

		if (((struct sockaddr_in *)addr)->sin_port != htons(0))

			return err;

		return __inet_bind(sk, addr, addr_len,

				   BIND_FORCE_ADDRESS_NO_PORT);

		if (((struct sockaddr_in *)addr)->sin_port == htons(0))

			flags |= BIND_FORCE_ADDRESS_NO_PORT;

		return __inet_bind(sk, addr, addr_len, flags);

#if IS_ENABLED(CONFIG_IPV6)

	} else if (addr->sa_family == AF_INET6) {

		if (addr_len < SIN6_LEN_RFC2133)

			return err;

		if (((struct sockaddr_in6 *)addr)->sin6_port != htons(0))

			return err;

		if (((struct sockaddr_in6 *)addr)->sin6_port == htons(0))

			flags |= BIND_FORCE_ADDRESS_NO_PORT;

		/* ipv6_bpf_stub cannot be NULL, since it's called from

		 * bpf_cgroup_inet6_connect hook and ipv6 is already loaded

		 */

		return ipv6_bpf_stub->inet6_bind(sk, addr, addr_len,

						 BIND_FORCE_ADDRESS_NO_PORT);

		return ipv6_bpf_stub->inet6_bind(sk, addr, addr_len, flags);

#endif /* CONFIG_IPV6 */

	}

#endif /* CONFIG_INET */

net/ipv4/af_inet.c

+6 −4
Original line number Diff line number Diff line
@@ -526,12 +526,14 @@ int __inet_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, 
			err = -EADDRINUSE;

			goto out_release_sock;

		}

		if (!(flags & BIND_FROM_BPF)) {

			err = BPF_CGROUP_RUN_PROG_INET4_POST_BIND(sk);

			if (err) {

				inet->inet_saddr = inet->inet_rcv_saddr = 0;

				goto out_release_sock;

			}

		}

	}



	if (inet->inet_rcv_saddr)

		sk->sk_userlocks |= SOCK_BINDADDR_LOCK;

net/ipv6/af_inet6.c

+7 −5
Original line number Diff line number Diff line
@@ -407,6 +407,7 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, 
			err = -EADDRINUSE;

			goto out;

		}

		if (!(flags & BIND_FROM_BPF)) {

			err = BPF_CGROUP_RUN_PROG_INET6_POST_BIND(sk);

			if (err) {

				sk->sk_ipv6only = saved_ipv6only;
@@ -414,6 +415,7 @@ static int __inet6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len, 
				goto out;

			}

		}

	}



	if (addr_type != IPV6_ADDR_ANY)

		sk->sk_userlocks |= SOCK_BINDADDR_LOCK;

CRA Git | Maintained and supported by SUSTech CRA and CCSE