|author||Thomas Graf <firstname.lastname@example.org>||2016-11-30 17:10:10 +0100|
|committer||David S. Miller <email@example.com>||2016-12-02 10:51:49 -0500|
|parent||route: Set lwtstate for local traffic and cached input dsts (diff)|
bpf: BPF for lightweight tunnel infrastructure
Registers new BPF program types which correspond to the LWT hooks: - BPF_PROG_TYPE_LWT_IN => dst_input() - BPF_PROG_TYPE_LWT_OUT => dst_output() - BPF_PROG_TYPE_LWT_XMIT => lwtunnel_xmit() The separate program types are required to differentiate between the capabilities each LWT hook allows: * Programs attached to dst_input() or dst_output() are restricted and may only read the data of an skb. This prevent modification and possible invalidation of already validated packet headers on receive and the construction of illegal headers while the IP headers are still being assembled. * Programs attached to lwtunnel_xmit() are allowed to modify packet content as well as prepending an L2 header via a newly introduced helper bpf_skb_change_head(). This is safe as lwtunnel_xmit() is invoked after the IP header has been assembled completely. All BPF programs receive an skb with L3 headers attached and may return one of the following error codes: BPF_OK - Continue routing as per nexthop BPF_DROP - Drop skb and return EPERM BPF_REDIRECT - Redirect skb to device as per redirect() helper. (Only valid in lwtunnel_xmit() context) The return codes are binary compatible with their TC_ACT_ relatives to ease compatibility. Signed-off-by: Thomas Graf <firstname.lastname@example.org> Acked-by: Alexei Starovoitov <email@example.com> Acked-by: Daniel Borkmann <firstname.lastname@example.org> Signed-off-by: David S. Miller <email@example.com>
Diffstat (limited to 'net/Kconfig')
1 files changed, 8 insertions, 0 deletions
diff --git a/net/Kconfig b/net/Kconfig
index 7b6cd340b72b..a1005007224c 100644
@@ -402,6 +402,14 @@ config LWTUNNEL
weight tunnel endpoint. Tunnel encapsulation parameters are stored
with light weight tunnel state associated with fib routes.
+ bool "Execute BPF program as route nexthop action"
+ depends on LWTUNNEL
+ default y if LWTUNNEL=y
+ Allows to run BPF programs as a nexthop action following a route
+ lookup for incoming and outgoing packets.