diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig
index a83bf85e289b5e1e5ae567dbdfdb0b9389c7ad83..7547c26698b626bc20061757678e963132213f7b 100644
--- a/arch/arm64/configs/openeuler_defconfig
+++ b/arch/arm64/configs/openeuler_defconfig
@@ -1835,6 +1835,7 @@ CONFIG_NET_RX_BUSY_POLL=y
 CONFIG_BQL=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
+CONFIG_EULER_SOCKETMAP=y
 CONFIG_NET_FLOW_LIMIT=y
 #
diff --git a/arch/x86/configs/openeuler_defconfig b/arch/x86/configs/openeuler_defconfig
index 9a570231e72ac10bbf88230921ec6292d77ca2ff..d5087a9bd0da3a5d7ff7a7f35e1a90c18beb4b2f 100644
--- a/arch/x86/configs/openeuler_defconfig
+++ b/arch/x86/configs/openeuler_defconfig
@@ -1769,6 +1769,7 @@ CONFIG_NET_RX_BUSY_POLL=y
 CONFIG_BQL=y
 CONFIG_BPF_JIT=y
 CONFIG_BPF_STREAM_PARSER=y
+CONFIG_EULER_SOCKETMAP=y
 CONFIG_NET_FLOW_LIMIT=y
 #
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 2b2d9deed9071c2ed89ee958a32759cacb5c3504..d4b6283177816c87c5272f902eb104730ed32dbd 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -342,8 +342,10 @@ nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
 #define MODULE_ALIAS_NFCT_HELPER(helper) \
 MODULE_ALIAS("nfct-helper-" helper)
+#ifdef CONFIG_EULER_SOCKETMAP
 typedef int (*bpf_getorigdst_opt_func)(struct sock *sk, int optname, void *optval, int *optlen, int dir);
 extern bpf_getorigdst_opt_func bpf_getorigdst_opt;
+#endif
 #endif /* _NF_CONNTRACK_H */
diff --git a/include/net/sock.h b/include/net/sock.h
index 7078c98f972629b8247065052999f66350de52ef..eb05a34499cfee5c1f20cf13d96ec641dbded9cf 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -525,7 +525,7 @@ struct sock {
 #endif
 struct rcu_head sk_rcu;
-#ifndef __GENKSYMS__
+#if defined(CONFIG_EULER_SOCKETMAP) && !defined(__GENKSYMS__)
 union {
 kgid_t sk_gid;
 u64 sk_gid_padding;
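Review bot: In the include/net/sock.h hunk, the new guard `#if defined(CONFIG_EULER_SOCKETMAP) && !defined(__GENKSYMS__)` makes the `sk_gid` union a config-dependent member of `struct sock` while still hiding it from genksyms. Unless an `#else` branch outside this hunk keeps a same-sized slot, kernels built with and without the option would produce the same symbol CRCs but different `struct sock` layouts, so a module built for one would pass the modversions check on the other and read later fields at the wrong offsets. Please confirm which case applies and record it next to the guard, for example `/* slot is kept in both configurations; see #else below */`. The rest of the union and its `#endif` are outside the hunk.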
@@ -1985,7 +1985,9 @@ static inline void sock_graft(struct sock *sk, struct socket *parent)
 parent->sk = sk;
 sk_set_socket(sk, parent);
 sk->sk_uid = SOCK_INODE(parent)->i_uid;
+#ifdef CONFIG_EULER_SOCKETMAP
 sk->sk_gid = SOCK_INODE(parent)->i_gid;
+#endif
 security_sock_graft(sk, parent);
 write_unlock_bh(&sk->sk_callback_lock);
 }
@@ -1999,10 +2001,12 @@ static inline kuid_t sock_net_uid(const struct net *net, const struct sock *sk)
 return sk ? sk->sk_uid : make_kuid(net->user_ns, 0);
 }
+#ifdef CONFIG_EULER_SOCKETMAP
 static inline kgid_t sock_net_gid(const struct net *net, const struct sock *sk)
 {
 return sk ? sk->sk_gid : make_kgid(net->user_ns, 0);
 }
+#endif
 static inline u32 net_tx_rndhash(void)
 {
diff --git a/net/Kconfig b/net/Kconfig
index 6186e9ad88a34255dd61489620a6c451cbc9a5f6..51a934426f9fb5674bf083fd506ec4afb61e02d0 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -318,6 +318,16 @@ config BPF_STREAM_PARSER
 It can be used to enforce socket policy, implement socket redirects, etc.
+config EULER_SOCKETMAP
+ bool "enable EulerOS SOCKETMAP"
+ depends on INET
+ depends on BPF_SYSCALL
+ depends on CGROUP_BPF
+ select NET_SOCK_MSG
+ default n
+ help
+ Enabling this support socket map in EulerOS.
+
 config NET_FLOW_LIMIT
 bool
 depends on RPS
diff --git a/net/core/filter.c b/net/core/filter.c
index 4f4e832f3e9f398b4de64afd7b59a55f0d93cf6d..838813229564d71d242681fc2138080c83ac7fd5 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5095,6 +5095,7 @@ static const struct bpf_func_proto bpf_sock_addr_setsockopt_proto = {
 .arg5_type = ARG_CONST_SIZE,
 };
+#ifdef CONFIG_EULER_SOCKETMAP
 BPF_CALL_1(bpf_get_sockops_uid_gid, struct bpf_sock_ops_kern *, bpf_sock)
 {
 struct sock *sk = bpf_sock->sk;
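Review bot: The help text of `config EULER_SOCKETMAP` in net/Kconfig, `Enabling this support socket map in EulerOS.`, does not tell the person configuring the kernel what the option turns on. Going by the other hunks of this commit, it gates the per-socket `sk_gid` field, the `bpf_get_sockops_uid_gid` and `bpf_sk_original_addr` helpers offered to sock_ops programs, and read-only access to `src_ip4` (plus the field range handled by the second switch) from `BPF_CGROUP_INET_SOCK_RELEASE` programs. Naming those in the help text lets a hardening review decide whether the extra BPF surface is wanted, which matters because both defconfigs set the option to `y`. `default n` is already the Kconfig default and can be dropped.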
@@ -5107,7 +5108,8 @@ BPF_CALL_1(bpf_get_sockops_uid_gid, struct bpf_sock_ops_kern *, bpf_sock)
 uid = sock_net_uid(sock_net(sk), sk);
 gid = sock_net_gid(sock_net(sk), sk);
- return ((u64)from_kgid_munged(sock_net(sk)->user_ns, gid)) << 32 |
+ return ((u64)from_kgid_munged(sock_net(sk)->user_ns, gid)) <<
+ (BITS_PER_BYTE * sizeof(u32)) |
 from_kuid_munged(sock_net(sk)->user_ns, uid);
 }
@@ -5164,6 +5166,7 @@ static const struct bpf_func_proto bpf_sk_original_addr_proto = {
 .arg3_type = ARG_PTR_TO_UNINIT_MEM,
 .arg4_type = ARG_CONST_SIZE,
 };
+#endif
 BPF_CALL_5(bpf_sock_addr_getsockopt, struct bpf_sock_addr_kern *, ctx, int, level, int, optname, char *, optval, int, optlen)
@@ -7469,10 +7472,12 @@ sock_ops_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
 return &bpf_sk_storage_delete_proto;
 case BPF_FUNC_get_netns_cookie:
 return &bpf_get_netns_cookie_sock_ops_proto;
+#ifdef CONFIG_EULER_SOCKETMAP
 case BPF_FUNC_get_sockops_uid_gid:
 return &bpf_get_sockops_uid_gid_proto;
 case BPF_FUNC_sk_original_addr:
 return &bpf_sk_original_addr_proto;
+#endif
 #ifdef CONFIG_INET
 case BPF_FUNC_load_hdr_opt:
 return &bpf_sock_ops_load_hdr_opt_proto;
@@ -7869,7 +7874,9 @@ static bool __sock_filter_check_attach_type(int off,
 case bpf_ctx_range(struct bpf_sock, src_ip4):
 switch (attach_type) {
 case BPF_CGROUP_INET4_POST_BIND:
+#ifdef CONFIG_EULER_SOCKETMAP
 case BPF_CGROUP_INET_SOCK_RELEASE:
+#endif
 goto read_only;
 default:
 return false;
@@ -7885,7 +7892,9 @@ static bool __sock_filter_check_attach_type(int off,
 switch (attach_type) {
 case BPF_CGROUP_INET4_POST_BIND:
 case BPF_CGROUP_INET6_POST_BIND:
+#ifdef CONFIG_EULER_SOCKETMAP
 case BPF_CGROUP_INET_SOCK_RELEASE:
+#endif
 goto read_only;
 default:
 return false;
diff --git a/net/core/sock.c b/net/core/sock.c
index da0c980ad238a616f2237df21e71ee417bdebc78..a64ad3aeea8e3efc137577efd8677ea0cf8013eb 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
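Review bot: `bpf_get_sockops_uid_gid` in net/core/filter.c carries no comment on what its packed return value means, and the rewritten shift `<< (BITS_PER_BYTE * sizeof(u32))` is harder to read than the `<< 32` it replaces. Both ids go through `from_kgid_munged()` / `from_kuid_munged()` against `sock_net(sk)->user_ns`, so an id with no mapping in that namespace comes back as the overflow id rather than as an error, and a sock_ops policy keyed on the result cannot tell that apart from a real owner. I would add a comment above the return such as `/* gid in bits 63..32, uid in bits 31..0, both munged into the socket netns' user_ns; unmapped ids read as the overflow id */`. The opening lines of the function, including any check on `sk`, are outside this hunk.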
@@ -3029,10 +3029,14 @@ void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid)
 sk->sk_type = sock->type;
 RCU_INIT_POINTER(sk->sk_wq, &sock->wq);
 sock->sk = sk;
+#ifdef CONFIG_EULER_SOCKETMAP
 sk->sk_gid = SOCK_INODE(sock)->i_gid;
+#endif
 } else {
 RCU_INIT_POINTER(sk->sk_wq, NULL);
+#ifdef CONFIG_EULER_SOCKETMAP
 sk->sk_gid = make_kgid(sock_net(sk)->user_ns, 0);
+#endif
 }
 sk->sk_uid = uid;
diff --git a/net/ipv4/Kconfig b/net/ipv4/Kconfig
index 847a5ac757ec9e21d3bde7eaabd80d4055f6a29d..23ffacbf1cba22ad03d53f0a7e0aca6604131109 100644
--- a/net/ipv4/Kconfig
+++ b/net/ipv4/Kconfig
@@ -757,6 +757,7 @@ config TCP_COMP
 bool "TCP: Transport Layer Compression support"
 depends on CRYPTO_ZSTD=y
 select STREAM_PARSER
+ default n
 help
 Enable kernel payload compression support for TCP protocol. This allows payload compression handling of the TCP protocol to be done in-kernel.
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index dd1fff72c736d163876ab915f83b230e549995e4..f4d62fced6dda31f6e0a7db27f56709a8206465e 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -292,8 +292,9 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
 return -ENOENT;
 }
-static int
-bpf_getorigdst_impl(struct sock *sk, int optval, void *user, int *len, int dir)
+#ifdef CONFIG_EULER_SOCKETMAP
+static int bpf_getorigdst_impl(struct sock *sk, int optval, void *user,
+ int *len, int dir)
 {
 const struct inet_sock *inet = inet_sk(sk);
 const struct nf_conntrack_tuple_hash *h;
@@ -340,18 +341,19 @@ bpf_getorigdst_impl(struct sock *sk, int optval, void *user, int *len, int dir)
 }
 memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
- pr_debug("SO_ORIGINAL_DST: %pI4 %u\n",
+ pr_debug("SO_ORIGINAL_DST: %pI4 %hu\n",
 &sin.sin_addr.s_addr, ntohs(sin.sin_port));
 nf_ct_put(ct);
- memcpy(user, &sin, sizeof(sin));
+ memcpy(user, (void *)&sin, sizeof(sin));
 return 0;
 }
- pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%u-%pI4/%u.\n",
+ pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%hu-%pI4/%hu.\n",
 &tuple.src.u3.ip, ntohs(tuple.src.u.tcp.port), &tuple.dst.u3.ip, ntohs(tuple.dst.u.tcp.port));
 return -ENOENT;
 }
+#endif
 static struct nf_sockopt_ops so_getorigdst = {
 .pf = PF_INET,
@@ -717,7 +719,9 @@ int nf_conntrack_proto_init(void)
 goto cleanup_sockopt;
 #endif
+#ifdef CONFIG_EULER_SOCKETMAP
 bpf_getorigdst_opt = bpf_getorigdst_impl;
+#endif
 return ret;
@@ -730,7 +734,9 @@ int nf_conntrack_proto_init(void)
 void nf_conntrack_proto_fini(void)
 {
+#ifdef CONFIG_EULER_SOCKETMAP
 bpf_getorigdst_opt = NULL;
+#endif
 nf_unregister_sockopt(&so_getorigdst);
 #if IS_ENABLED(CONFIG_IPV6)
diff --git a/net/socket.c b/net/socket.c
index 32136e9bebdb47fba3230beb3748e65cb36cc5f7..a72baac5074e8ebd5e1135db71704f8d73e0a310 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -545,7 +545,9 @@ static int sockfs_setattr(struct dentry *dentry, struct iattr *iattr)
 if (sock->sk) {
 sock->sk->sk_uid = iattr->ia_uid;
+#ifdef CONFIG_EULER_SOCKETMAP
 sock->sk->sk_gid = iattr->ia_gid;
+#endif
 } else {
 err = -ENOENT;
 }
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 8ec9c893a7eaad3fb5c2e16c5b51fb51908f1b1c..92803d2a882803d868b0f9f229bc86a9fe8355aa 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -850,7 +850,7 @@ static void xfrm_policy_inexact_list_reinsert(struct net *net,
 struct hlist_node *newpos = NULL;
 bool matches_s, matches_d;
- if (!policy->bydst_reinsert)
+ if (policy->walk.dead || !policy->bydst_reinsert)
 continue;
 WARN_ON_ONCE(policy->family != family);
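Review bot: In `bpf_getorigdst_impl` (net/netfilter/nf_conntrack_proto.c) the line `memcpy(user, (void *)&sin, sizeof(sin));` always writes the full size of `sin` into a caller-supplied buffer, and nothing in this hunk compares that size with `*len`. The start of the function is outside the hunk, so the check may already exist there; if it does not, add one before the conntrack lookup, e.g. `if ((unsigned int)*len < sizeof(struct sockaddr_in)) return -EINVAL;`, since the buffer length presumably comes from the BPF program through the helper's size argument. The `(void *)` cast adds nothing. The `%u` to `%hu` changes also go against the kernel's printk convention, where the `h` modifier is unnecessary after integer promotion.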
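Review bot: `nf_conntrack_proto_init()` publishes the global `bpf_getorigdst_opt` function pointer with a plain store, and the `nf_conntrack_proto_fini()` hunk clears it the same way with `bpf_getorigdst_opt = NULL;`. The reader is not part of this diff, but if it is the `bpf_sk_original_addr` helper running from a sock_ops program, it can load the pointer while conntrack is being torn down and then call into code that is going away. Treating the pointer as an RCU-protected hook would close that window: `rcu_assign_pointer(bpf_getorigdst_opt, bpf_getorigdst_impl);` in init, `RCU_INIT_POINTER(bpf_getorigdst_opt, NULL);` followed by `synchronize_rcu();` in fini, and `rcu_dereference()` on the reader side. Both function bodies continue outside the hunks.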
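Review bot: `sock->sk->sk_gid = iattr->ia_gid;` in `sockfs_setattr()` (net/socket.c) copies the gid whenever this branch runs, but `ia_gid` only holds a meaningful value when `ATTR_GID` is set in `iattr->ia_valid`. The enclosing condition is outside the hunk; if it tests only `ATTR_UID`, as I recall the upstream function doing, a chown that changes just the owner stores an unset gid and a chgrp on its own never reaches this line. Since `sk_gid` is what `bpf_get_sockops_uid_gid` reports to BPF policy, the store should be guarded: `if (iattr->ia_valid & ATTR_GID) sock->sk->sk_gid = iattr->ia_gid;`.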
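Review bot: The three net/xfrm/xfrm_policy.c hunks (`xfrm_policy_inexact_list_reinsert` here, then `xfrm_hash_rebuild` and `xfrm_policy_flush`) move the `walk.dead` test ahead of every other read of the list entry without saying why the order matters, and the change is unrelated to the `CONFIG_EULER_SOCKETMAP` gating that makes up the rest of the commit. Presumably the list being walked can hold entries that are only walker placeholders with `dead` set, so reading `policy->index` or `policy->bydst_reinsert` from them touches memory that is not a policy; the loop header of this first hunk is outside the diff, so please confirm. A one-line comment at each site, e.g. `/* skip dead/walker entries before touching any other field */`, would keep a later cleanup from merging the conditions back together. The fix would also be easier to backport and bisect as its own commit.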
@@ -1255,8 +1255,11 @@ static void xfrm_hash_rebuild(struct work_struct *work)
 struct xfrm_pol_inexact_bin *bin;
 u8 dbits, sbits;
+ if (policy->walk.dead)
+ continue;
+
 dir = xfrm_policy_id2dir(policy->index);
- if (policy->walk.dead || dir >= XFRM_POLICY_MAX)
+ if (dir >= XFRM_POLICY_MAX)
 continue;
 if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
@@ -1790,9 +1793,11 @@ int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)
 again:
 list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
+ if (pol->walk.dead)
+ continue;
+
 dir = xfrm_policy_id2dir(pol->index);
- if (pol->walk.dead ||
- dir >= XFRM_POLICY_MAX ||
+ if (dir >= XFRM_POLICY_MAX ||
 pol->type != type)
 continue;