Merge pull request #123 from xdp-project/tailgrow02.public

netoptimizer · web-flow · commit b13cfb8e6bef · 2020-05-06T10:57:46.000+02:00
Examples on howto access XDP packet data at packet end
diff --git a/experiment01-tailgrow/Makefile b/experiment01-tailgrow/Makefile
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+
+XDP_TARGETS  := xdp_prog_kern xdp_prog_kern2
+XDP_TARGETS  += xdp_prog_fail1
+XDP_TARGETS  += xdp_prog_fail2
+
+# USER_TARGETS :=
+
+LIBBPF_DIR = ../libbpf/src/
+COMMON_DIR = ../common
+
+COPY_LOADER := xdp_loader
+COPY_STATS  := xdp_stats
+EXTRA_DEPS := $(COMMON_DIR)/parsing_helpers.h
+
+include $(COMMON_DIR)/common.mk
diff --git a/experiment01-tailgrow/README.org b/experiment01-tailgrow/README.org
@@ -0,0 +1,77 @@
+# -*- fill-column: 76; -*-
+#+TITLE: Experiment01 - Accessing data at packet end
+#+OPTIONS: ^:nil
+
+This example shows how to access BPF packet data at XDP =data_end=.
+Examples like this are needed, as the programmer needs to convince the
+BPF verifier that access bounds are safe.
+
+* Use-case: tail-grow timestamping
+
+The BPF helper =bpf_xdp_adjust_tail= is being extended with
+capabilites to grow the packet size at tail.  To use this for
+anything, we need to demo how to access packet data at XDP =data_end=.
+
+One use-case is to *add timestamps in extended tailroom* at XDP
+processing time, which will survive when packet is processed by
+network-stack (via XDP_PASS).  One way to capture this timestamp is to
+use =tcpdump=, which could use this to determine the time spend in
+network-stack (on NIC without hardware timestamps).
+
+In main example [[file:xdp_prog_kern.c]], the =xdp_tailgrow_parse= code
+implements this by parsing up-to the IP-layer, and using the
+IP-headers total-length field ([[https://elixir.bootlin.com/linux/v5.6.10/source/include/uapi/linux/ip.h#L97][iphdr->tot_len]]).  See the code for the
+strange bounding checks needed to convince the verifier.  Notice, this
+is limited to IPv4 ICMP packets for testing purposes.
+
+** Side-note: extra programs
+
+Side-note: [[file:xdp_prog_kern.c]] also contains some other smaller
+programs to test =bpf_xdp_adjust_tail= grow works, and to benchmark
+the overhead when doing =XDP_TX=.  Selecting others BPF programs via
+=xdp_loader= option =--prog== like this:
+
+#+begin_src sh
+ sudo ./xdp_loader --dev mlx5p1 --force --prog xdp_tailgrow
+ sudo ./xdp_loader --dev mlx5p1 --force --prog xdp_tailgrow_tx
+#+end_src
+
+* Alternative methods
+
+** Works: Use loop to access data_end
+
+Code in [[file:xdp_prog_kern2.c]] shows howto find the =data_end=,
+*without parsing packet contents*, but by advancing a =data= position
+pointer one-byte at the time in a bounded loop.  The bounded loop with
+max number of iterations allows the verifier to see the bound.  (This
+obviously depend on the bounded loop support that was added in kernel
+[[https://git.kernel.org/torvalds/c/v5.3-rc1~140^2~179^2^2~5][v5.3]]).
+This is not very effecient, but it works.
+
+* Methods that fail
+
+Methods for accessing access BPF packet data at XDP =data_end=.
+
+** Fail#1: Using packet length
+
+In example [[file:xdp_prog_fail1.c]], we try to use the packet length
+(calculated as =data_end - data=) to access the last byte as an offset
+added to =data=.  The verifier rejects this, as the dynamic length
+calculation cannot be used for static analysis.
+
+#+begin_src sh
+ sudo ./xdp_loader --dev mlx5p1 --force --file xdp_prog_fail1.o
+#+end_src
+
+** Fail#2: Use data_end directly
+
+In example [[file:xdp_prog_fail2.c]], we try to use the =data_end= pointer
+more or less directy to find the last byte in the packet.  The packet
+data [[https://www.mathwords.com/i/interval_notation.htm][interval]] is defined as =[data, data_end)=, meaning that the byte
+=data_end= is pointing is *excluded*.  The example tries to access
+2nd-last byte (to have a code if-construct that doesn't get removed by
+compiler optimizations).
+
+#+begin_src sh
+ sudo ./xdp_loader --dev mlx5p1 --force --file xdp_prog_fail2.o
+#+end_src
diff --git a/experiment01-tailgrow/xdp_prog_fail1.c b/experiment01-tailgrow/xdp_prog_fail1.c
@@ -0,0 +1,46 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+/*
+ * This BPF-prog will FAIL, due to verifier rejecting it.
+ *
+ * General idea: Use packet length to find and access last byte in
+ * packet.  The verifier cannot see this is safe, as it cannot deduce
+ * the packet length at verification time.
+ */
+
+SEC("xdp_fail1")
+int _xdp_fail1(struct xdp_md *ctx)
+{
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data = (void *)(long)ctx->data;
+	unsigned char *ptr;
+	void *pos;
+
+	/* (Correct me if I'm wrong)
+	 *
+	 * The verifier cannot use this packet length calculation as
+	 * part of its static analysis.  It chooses to use zero as the
+	 * offset value static value.
+	 */
+	unsigned int offset = data_end - data;
+
+	pos = data;
+
+	if (pos + offset > data_end)
+		goto out;
+
+	/* Fails at this line with:
+	 *   "invalid access to packet, off=-1 size=1, R1(id=2,off=0,r=0)"
+	 *   "R1 offset is outside of the packet"
+	 *
+	 * Because verifer used offset==0 it thinks that we are trying
+	 * to access (data - 1), which is not within [data,data_end)
+	 */
+	ptr = pos + (offset - sizeof(*ptr));
+	if (*ptr == 0xFF)
+		return XDP_ABORTED;
+out:
+	return XDP_PASS;
+}
diff --git a/experiment01-tailgrow/xdp_prog_fail2.c b/experiment01-tailgrow/xdp_prog_fail2.c
@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+/*
+ * This BPF-prog will FAIL, due to verifier rejecting it.
+ *
+ * General idea: Use data_end point to access last (2nd-last) byte in
+ * packet.  That is not allowed by verifier, as pointer arithmetic on
+ * pkt_end is prohibited.
+ */
+
+SEC("xdp_fail2")
+int _xdp_fail2(struct xdp_md *ctx)
+{
+	void *data_end = (void *)(long)ctx->data_end;
+	volatile unsigned char *ptr;
+	volatile void *pos;
+
+	pos = data_end;
+
+#pragma clang optimize off
+	if (pos - 1 > data_end)
+		goto out;
+#pragma clang optimize on
+
+	/* Verifier fails with: "pointer arithmetic on pkt_end prohibited"
+	 */
+	ptr = pos - 2;
+	if (*ptr == 0xFF)
+		return XDP_ABORTED;
+out:
+	return XDP_PASS;
+}
diff --git a/experiment01-tailgrow/xdp_prog_kern.c b/experiment01-tailgrow/xdp_prog_kern.c
@@ -0,0 +1,129 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/bpf.h>
+#include <linux/in.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_endian.h>
+
+// The parsing helper functions from the packet01 lesson have moved here
+#include "../common/parsing_helpers.h"
+#include "../common/rewrite_helpers.h"
+
+/* Defines xdp_stats_map */
+#include "../common/xdp_stats_kern_user.h"
+#include "../common/xdp_stats_kern.h"
+
+struct my_timestamp {
+	__u16 magic;
+	__u64 time;
+} __attribute__((packed));
+
+SEC("xdp_tailgrow_parse")
+int grow_parse(struct xdp_md *ctx)
+{
+	void *data_end;
+	void *data;
+	int action = XDP_PASS;
+	int eth_type, ip_type;
+	struct hdr_cursor nh;
+	struct iphdr *iphdr;
+	struct ethhdr *eth;
+	__u16 ip_tot_len;
+
+	struct my_timestamp *ts;
+
+	/* Increase packet size (at tail) and reload data pointers */
+	__u8 offset = sizeof(*ts);
+	if (bpf_xdp_adjust_tail(ctx, offset))
+		goto out;
+	data_end = (void *)(long)ctx->data_end;
+	data = (void *)(long)ctx->data;
+
+	/* These keep track of the next header type and iterator pointer */
+	nh.pos = data;
+
+	eth_type = parse_ethhdr(&nh, data_end, &eth);
+	if (eth_type < 0) {
+		action = XDP_ABORTED;
+		goto out;
+	}
+
+	if (eth_type == bpf_htons(ETH_P_IP)) {
+		ip_type = parse_iphdr(&nh, data_end, &iphdr);
+	} else {
+		action = XDP_PASS;
+		goto out;
+	}
+
+	/* Demo use-case: Add timestamp in extended tailroom to ICMP packets,
+	 * before sending to network-stack via XDP_PASS.  This can be
+	 * captured via tcpdump, and provide earlier (XDP layer) timestamp.
+	 */
+	if (ip_type == IPPROTO_ICMP) {
+
+		/* Packet size in bytes, including IP header and data */
+		ip_tot_len = bpf_ntohs(iphdr->tot_len);
+
+		/*
+		 * Tricks to get pass the verifier. Being allowed to use
+		 * packet value iphdr->tot_len, involves bounding possible
+		 * values to please verifier.
+		 */
+		if (ip_tot_len < 2) {
+			/* This check seems strange on unsigned ip_tot_len,
+			 * but is needed, else verifier complains:
+			 * "unbounded min value is not allowed"
+			 */
+			goto out;
+		}
+		ip_tot_len &= 0xFFF; /* Max 4095 */
+
+		/* Finding end of packet + offset, and bound access */
+		if ((void *)iphdr + ip_tot_len + offset > data_end) {
+			action = XDP_ABORTED;
+			goto out;
+		}
+
+		/* Point ts to end-of-packet, that have been offset extended */
+		ts = (void *)iphdr + ip_tot_len;
+		ts->magic = 0x5354; /* String "TS" in network-byte-order */
+		ts->time  = bpf_ktime_get_ns();
+	}
+out:
+	return xdp_stats_record_action(ctx, action);
+}
+
+SEC("xdp_tailgrow")
+int tailgrow_pass(struct xdp_md *ctx)
+{
+	int offset;
+
+	offset = 10;
+	bpf_xdp_adjust_tail(ctx, offset);
+	return xdp_stats_record_action(ctx, XDP_PASS);
+}
+
+SEC("xdp_pass")
+int xdp_pass_func(struct xdp_md *ctx)
+{
+	return xdp_stats_record_action(ctx, XDP_PASS);
+}
+
+/* For benchmarking tail grow overhead (does a memset)*/
+SEC("xdp_tailgrow_tx")
+int tailgrow_tx(struct xdp_md *ctx)
+{
+	int offset;
+
+	offset = 32;
+	bpf_xdp_adjust_tail(ctx, offset);
+	return xdp_stats_record_action(ctx, XDP_TX);
+}
+
+/* Baseline benchmark of XDP_TX */
+SEC("xdp_tx")
+int xdp_tx_rec(struct xdp_md *ctx)
+{
+	return xdp_stats_record_action(ctx, XDP_TX);
+}
+
+char _license[] SEC("license") = "GPL";
diff --git a/experiment01-tailgrow/xdp_prog_kern2.c b/experiment01-tailgrow/xdp_prog_kern2.c
@@ -0,0 +1,63 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+#define MTU 1536
+#define MIN_LEN 14
+
+/*
+ * This example show howto access packet last byte in XDP packet,
+ * without parsing packet contents.
+ *
+ * It is not very effecient, as it advance the data pointer one-byte in a
+ * loop until reaching data_end.  This is needed as the verifier only allows
+ * accessing data via advancing the position of the data pointer. The bounded
+ * loop with a max number of iterations allows the verifier to see the bound.
+ */
+
+SEC("xdp_end_loop")
+int _xdp_end_loop(struct xdp_md *ctx)
+{
+	void *data_end = (void *)(long)ctx->data_end;
+	void *data     = (void *)(long)ctx->data;
+	unsigned char *ptr;
+	unsigned int i;
+	void *pos;
+
+	/* Assume minimum length to reduce loops needed a bit */
+	unsigned int offset = MIN_LEN;
+
+	pos = data;
+
+	/* Verifier can handle this bounded 'basic-loop' construct */
+	for (i = 0; i < (MTU - MIN_LEN); i++ ) {
+		if (pos + offset > data_end) {
+			/* Promise verifier no access beyond data_end */
+			goto out;
+		}
+		if (pos + offset == data_end) {
+			/* Found data_end, exit for-loop and read data.
+			 *
+			 * It seems strange, that finding data_end via
+			 * moving pos (data) pointer forward is needed.
+			 * This is because pointer arithmetic on pkt_end is
+			 * prohibited by verifer.
+			 *
+			 * In principle data_end points to byte that is not
+			 * accessible. Thus, accessing last readable byte
+			 * via (data_end - 1) is prohibited by verifer.
+			 */
+			goto read;
+		}
+		offset++;
+	}
+	/* Show verifier all other cases exit program */
+	goto out;
+
+read:
+	ptr = pos + (offset - sizeof(*ptr)); /* Parentheses needed */
+	if (*ptr == 0xFF)
+		return XDP_ABORTED;
+out:
+	return XDP_PASS;
+}
