bpf_progs/offload.c - platform/system/netd - Git at Google

 /*
  * Copyright (C) 2020 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <linux/if.h>
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/pkt_cls.h>
 #include <linux/tcp.h>

 #include "bpf_helpers.h"
 #include "bpf_net_helpers.h"
 #include "netdbpf/bpf_shared.h"

 DEFINE_BPF_MAP_GRW(tether_ingress_map, HASH, TetherIngressKey, TetherIngressValue, 64,
                    AID_NETWORK_STACK)

 // Tethering stats, indexed by upstream interface.
 DEFINE_BPF_MAP_GRW(tether_stats_map, HASH, uint32_t, TetherStatsValue, IFACE_STATS_MAP_SIZE,
                    AID_NETWORK_STACK)

 static inline __always_inline int do_forward(struct __sk_buff* skb, bool is_ethernet) {
     int l2_header_size = is_ethernet ? sizeof(struct ethhdr) : 0;
     void* data = (void*)(long)skb->data;
     const void* data_end = (void*)(long)skb->data_end;
     struct ethhdr* eth = is_ethernet ? data : NULL;  // used iff is_ethernet
     struct ipv6hdr* ip6 = is_ethernet ? (void*)(eth + 1) : data;

     // Must be meta-ethernet IPv6 frame
     if (skb->protocol != htons(ETH_P_IPV6)) return TC_ACT_OK;

     // Must have (ethernet and) ipv6 header
     if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_OK;

     // Ethertype - if present - must be IPv6
     if (is_ethernet && (eth->h_proto != htons(ETH_P_IPV6))) return TC_ACT_OK;

     // IP version must be 6
     if (ip6->version != 6) return TC_ACT_OK;

     // Cannot decrement during forward if already zero or would be zero,
     // Let the kernel's stack handle these cases and generate appropriate ICMP errors.
     if (ip6->hop_limit <= 1) return TC_ACT_OK;

     TetherIngressKey k = {
             .iif = skb->ifindex,
             .neigh6 = ip6->daddr,
     };

     TetherIngressValue* v = bpf_tether_ingress_map_lookup_elem(&k);

     // If we don't find any offload information then simply let the core stack handle it...
     if (!v) return TC_ACT_OK;

     uint32_t stat_k = skb->ifindex;

     TetherStatsValue* stat_v = bpf_tether_stats_map_lookup_elem(&stat_k);

     // If we don't have anywhere to put stats, create an empty entry.
     if (!stat_v) {
         TetherStatsValue emptyStats = {};
         bpf_tether_stats_map_update_elem(&stat_k, &emptyStats, BPF_NOEXIST);
         stat_v = bpf_tether_stats_map_lookup_elem(&stat_k);
     }

     // If we *still* don't have anywhere to put stats, then abort...
     if (!stat_v) return TC_ACT_OK;

     // This is approximate handling of tcp/ip overhead for incoming LRO/GRO packets:
     // mtu of 1500 is not necessarily correct, but worst case we simply undercount,
     // which is still better then not accounting for this overhead at all.
     // Note: this really shouldn't be device mtu at all, but rather should be derived
     // from this particular connection's mss - which requires a much newer kernel.
     const int mtu = 1500;
     uint64_t packets = 1;
     uint64_t bytes = skb->len;
     if (bytes > mtu) {
         const bool is_ipv6 = (skb->protocol == htons(ETH_P_IPV6));
         const int ip_overhead = (is_ipv6 ? sizeof(struct ipv6hdr) : sizeof(struct iphdr));
         const int tcp_overhead = ip_overhead + sizeof(struct tcphdr) + 12;
         const int mss = mtu - tcp_overhead;
         const uint64_t payload = bytes - tcp_overhead;
         packets = (payload + mss - 1) / mss;
         bytes = tcp_overhead * packets + payload;
     }

     if (!is_ethernet) {
         is_ethernet = true;
         l2_header_size = sizeof(struct ethhdr);
         // Try to inject an ethernet header, and simply return if we fail
         if (bpf_skb_change_head(skb, l2_header_size, /*flags*/ 0)) {
             __sync_fetch_and_add(&stat_v->rxErrors, 1);
             return TC_ACT_OK;
         }

         // bpf_skb_change_head() invalidates all pointers - reload them
         data = (void*)(long)skb->data;
         data_end = (void*)(long)skb->data_end;
         eth = data;
         ip6 = (void*)(eth + 1);

         // I do not believe this can ever happen, but keep the verifier happy...
         if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_SHOT;
     };

     // CHECKSUM_COMPLETE is a 16-bit one's complement sum,
     // thus corrections for it need to be done in 16-byte chunks at even offsets.
     // IPv6 nexthdr is at offset 6, while hop limit is at offset 7
     uint8_t old_hl = ip6->hop_limit;
     --ip6->hop_limit;
     uint8_t new_hl = ip6->hop_limit;

     // bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
     // (-ENOTSUPP) if it isn't.
     bpf_csum_update(skb, 0xFFFF - ntohs(old_hl) + ntohs(new_hl));

     __sync_fetch_and_add(&stat_v->rxPackets, packets);
     __sync_fetch_and_add(&stat_v->rxBytes, bytes);

     // Overwrite any mac header with the new one
     *eth = v->macHeader;

     // Redirect to forwarded interface.
     //
     // Note that bpf_redirect() cannot fail unless you pass invalid flags.
     // The redirect actually happens after the ebpf program has already terminated,
     // and can fail for example for mtu reasons at that point in time, but there's nothing
     // we can do about it here.
     return bpf_redirect(v->oif, 0 /* this is effectively BPF_F_EGRESS */);
 }

 SEC("schedcls/ingress/tether_ether")
 int sched_cls_ingress_tether_ether(struct __sk_buff* skb) {
     return do_forward(skb, true);
 }

 DEFINE_BPF_PROG_KVER("schedcls/ingress/tether_rawip", AID_ROOT, AID_ROOT,
                      sched_cls_ingress_tether_rawip, KVER(4, 14, 0))
 (struct __sk_buff* skb) {
     return do_forward(skb, false);
 }

 LICENSE("Apache 2.0");
	/*
	* Copyright (C) 2020 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <linux/if.h>
	#include <linux/ip.h>
	#include <linux/ipv6.h>
	#include <linux/pkt_cls.h>
	#include <linux/tcp.h>

	#include "bpf_helpers.h"
	#include "bpf_net_helpers.h"
	#include "netdbpf/bpf_shared.h"

	DEFINE_BPF_MAP_GRW(tether_ingress_map, HASH, TetherIngressKey, TetherIngressValue, 64,
	AID_NETWORK_STACK)

	// Tethering stats, indexed by upstream interface.
	DEFINE_BPF_MAP_GRW(tether_stats_map, HASH, uint32_t, TetherStatsValue, IFACE_STATS_MAP_SIZE,
	AID_NETWORK_STACK)

	static inline __always_inline int do_forward(struct __sk_buff* skb, bool is_ethernet) {
	int l2_header_size = is_ethernet ? sizeof(struct ethhdr) : 0;
	void* data = (void*)(long)skb->data;
	const void* data_end = (void*)(long)skb->data_end;
	struct ethhdr* eth = is_ethernet ? data : NULL; // used iff is_ethernet
	struct ipv6hdr* ip6 = is_ethernet ? (void*)(eth + 1) : data;

	// Must be meta-ethernet IPv6 frame
	if (skb->protocol != htons(ETH_P_IPV6)) return TC_ACT_OK;

	// Must have (ethernet and) ipv6 header
	if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_OK;

	// Ethertype - if present - must be IPv6
	if (is_ethernet && (eth->h_proto != htons(ETH_P_IPV6))) return TC_ACT_OK;

	// IP version must be 6
	if (ip6->version != 6) return TC_ACT_OK;

	// Cannot decrement during forward if already zero or would be zero,
	// Let the kernel's stack handle these cases and generate appropriate ICMP errors.
	if (ip6->hop_limit <= 1) return TC_ACT_OK;

	TetherIngressKey k = {
	.iif = skb->ifindex,
	.neigh6 = ip6->daddr,
	};

	TetherIngressValue* v = bpf_tether_ingress_map_lookup_elem(&k);

	// If we don't find any offload information then simply let the core stack handle it...
	if (!v) return TC_ACT_OK;

	uint32_t stat_k = skb->ifindex;

	TetherStatsValue* stat_v = bpf_tether_stats_map_lookup_elem(&stat_k);

	// If we don't have anywhere to put stats, create an empty entry.
	if (!stat_v) {
	TetherStatsValue emptyStats = {};
	bpf_tether_stats_map_update_elem(&stat_k, &emptyStats, BPF_NOEXIST);
	stat_v = bpf_tether_stats_map_lookup_elem(&stat_k);
	}

	// If we still don't have anywhere to put stats, then abort...
	if (!stat_v) return TC_ACT_OK;

	// This is approximate handling of tcp/ip overhead for incoming LRO/GRO packets:
	// mtu of 1500 is not necessarily correct, but worst case we simply undercount,
	// which is still better then not accounting for this overhead at all.
	// Note: this really shouldn't be device mtu at all, but rather should be derived
	// from this particular connection's mss - which requires a much newer kernel.
	const int mtu = 1500;
	uint64_t packets = 1;
	uint64_t bytes = skb->len;
	if (bytes > mtu) {
	const bool is_ipv6 = (skb->protocol == htons(ETH_P_IPV6));
	const int ip_overhead = (is_ipv6 ? sizeof(struct ipv6hdr) : sizeof(struct iphdr));
	const int tcp_overhead = ip_overhead + sizeof(struct tcphdr) + 12;
	const int mss = mtu - tcp_overhead;
	const uint64_t payload = bytes - tcp_overhead;
	packets = (payload + mss - 1) / mss;
	bytes = tcp_overhead * packets + payload;
	}

	if (!is_ethernet) {
	is_ethernet = true;
	l2_header_size = sizeof(struct ethhdr);
	// Try to inject an ethernet header, and simply return if we fail
	if (bpf_skb_change_head(skb, l2_header_size, /flags/ 0)) {
	__sync_fetch_and_add(&stat_v->rxErrors, 1);
	return TC_ACT_OK;
	}

	// bpf_skb_change_head() invalidates all pointers - reload them
	data = (void*)(long)skb->data;
	data_end = (void*)(long)skb->data_end;
	eth = data;
	ip6 = (void*)(eth + 1);

	// I do not believe this can ever happen, but keep the verifier happy...
	if (data + l2_header_size + sizeof(*ip6) > data_end) return TC_ACT_SHOT;
	};

	// CHECKSUM_COMPLETE is a 16-bit one's complement sum,
	// thus corrections for it need to be done in 16-byte chunks at even offsets.
	// IPv6 nexthdr is at offset 6, while hop limit is at offset 7
	uint8_t old_hl = ip6->hop_limit;
	--ip6->hop_limit;
	uint8_t new_hl = ip6->hop_limit;

	// bpf_csum_update() always succeeds if the skb is CHECKSUM_COMPLETE and returns an error
	// (-ENOTSUPP) if it isn't.
	bpf_csum_update(skb, 0xFFFF - ntohs(old_hl) + ntohs(new_hl));

	__sync_fetch_and_add(&stat_v->rxPackets, packets);
	__sync_fetch_and_add(&stat_v->rxBytes, bytes);

	// Overwrite any mac header with the new one
	*eth = v->macHeader;

	// Redirect to forwarded interface.
	//
	// Note that bpf_redirect() cannot fail unless you pass invalid flags.
	// The redirect actually happens after the ebpf program has already terminated,
	// and can fail for example for mtu reasons at that point in time, but there's nothing
	// we can do about it here.
	return bpf_redirect(v->oif, 0 /* this is effectively BPF_F_EGRESS */);
	}

	SEC("schedcls/ingress/tether_ether")
	int sched_cls_ingress_tether_ether(struct __sk_buff* skb) {
	return do_forward(skb, true);
	}

	DEFINE_BPF_PROG_KVER("schedcls/ingress/tether_rawip", AID_ROOT, AID_ROOT,
	sched_cls_ingress_tether_rawip, KVER(4, 14, 0))
	(struct __sk_buff* skb) {
	return do_forward(skb, false);
	}

	LICENSE("Apache 2.0");