On Mon, Mar 30, 2020 at 6:53 AM Toke Høiland-Jørgensen [off-list ref] wrote:

Andrii Nakryiko [off-list ref] writes:

quoted

On Sat, Mar 28, 2020 at 12:34 PM Toke Høiland-Jørgensen [off-list ref] wrote:

quoted

Alexei Starovoitov [off-list ref] writes:

quoted

On Sat, Mar 28, 2020 at 02:43:18AM +0100, Toke Høiland-Jørgensen wrote:

quoted

No, I was certainly not planning to use that to teach libxdp to just
nuke any bpf_link it finds attached to an interface. Quite the contrary,
the point of this series is to allow libxdp to *avoid* replacing
something on the interface that it didn't put there itself.

Exactly! "that it didn't put there itself".
How are you going to do that?
I really hope you thought it through and came up with magic.
Because I tried and couldn't figure out how to do that with IFLA_XDP*
Please walk me step by step how do you think it's possible.

I'm inspecting the BPF program itself to make sure it's compatible.
Specifically, I'm embedding a piece of metadata into the program BTF,
using Andrii's encoding trick that we also use for defining maps. So
xdp-dispatcher.c contains this[0]:

__uint(dispatcher_version, XDP_DISPATCHER_VERSION) SEC(XDP_METADATA_SECTION);

and libxdp will refuse to touch any program that it finds loaded on an

But you can't say the same about other XDP applications that do not
use libxdp. So will your library come with a huge warning, e.g.:

WARNING! ANY XDP APPLICATION YOU INSTALL ON YOUR MACHINE THAT DOESN'T
USE LIBXDP WILL BREAK YOUR FIREWALLS/ROUTERS/OTHER LIBXDP
APPLICATIONS. USE AT YOUR OWN RISK.

So you install your libxdp-based firewalls and are happy. Then you
decide to install this awesome packet analyzer, which doesn't know
about libxdp yet. Suddenly, you get all packets analyzer, but no more
firewall, until users somehow notices that it's gone. Or firewall
periodically checks that it's still runinng. Both not great, IMO, but
might be acceptable for some users, I guess. But imagine all the
confusion for user, especially if he doesn't give a damn about XDP and
other buzzwords, but only needs a reliable firewall :)

Yes, whereas if the firewall is using bpf_link, then the packet analyser
will be locked out and can't do its thing. Either way you end up with a
broken application; it's just moving the breakage. In the case of

Hm... In one case firewall installation reported success and stopped
working afterwards with no notification and user having no clue. In
another, packet analyzer refused to start and reported error to user.
Let's agree to disagree that those are not at all equivalent. To me
silent failure is so much worse, than application failing to start in
the first place.

firewall vs packet analyser it's probably clear what the right
precedence is, but what if it's firewall vs IDS? Or two different
firewall-type applications?

This is the reason I don't believe the problem bpf_link solves is such a
big deal: Since multi-prog is implemented in userspace it *fundamentally
requires* applications to coordinate. So all the kernel needs to provide,
is a way to help well-behaved applications do this coordination, for
which REPLACE_FD is sufficient.

Now, this picture changes a bit if you have a more-privileged
application managing things - such as the "xdp daemon" I believe you're
using, right? In that case it becomes obvious which application should
have precedence, and the "lock-out" feature makes sense (assuming you
can't just use capabilities to enforce the access restriction). This is
why I keep saying that I understand why you want bpf_link for you use
case, I just don't think it'll help mine much... :)

-Toke