-
Notifications
You must be signed in to change notification settings - Fork 241
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Design proposal for multi-attach support in netebpfext
#3764
base: main
Are you sure you want to change the base?
Design proposal for multi-attach support in netebpfext
#3764
Conversation
multiple legacy apps using older libbpf APIs to attach programs can still attach to the same hook, with the programs | ||
being "appended" in the invoke list in the order they are attached. | ||
|
||
# Current Design |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the current design section can be deleted unless in the new design section you refer to some of these. In any ways, for better readability you can significantly shorten this section.
required data structures changes are described below. | ||
|
||
Even though multiple programs will attach with same "attach params", there will be a single instance of the | ||
corresponding WFP filters added. This means there will be one-to-many mapping from filter context to client context. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the benefit of the reader please establish that the client to the hook is an eBPF program. So program and client are used interchangeably in this doc.
being attached / detached. Client / attach operations are expected to be much less frequent than program invocations. | ||
This approach eliminates any need for rundown reference for the client context. Since the list of client contexts for a | ||
filter context is synchronized via a lock, it is always guaranteed that in the client detach flow, if the dispatch level | ||
lock is acquired, there is no program invocation in progress for that program. Also, once the client context is removed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"if the dispatch level write lock is acquired" ....
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lines 89-90 and 114 don't use the term "read" or "write" lock, they use "exclusive" or "shared".
5. Create filter context and client context. | ||
6. Configure WFP filters --> We are not holding any dispatch level lock. IRQL is PASSIVE_LEVEL. | ||
7. Acquire dispatch lock (exclusive) --> Synchronizes access to the client and filter context lists. | ||
8. Insert the new filter context and client context in the corresponding queues. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if WFP API fails?
1. Acquire passive lock --> Serializes multiple attach / detach calls to the same hook provider. | ||
2. Acquire dispatch lock (exclusive). --> Synchronizes access to the client and filter context lists. | ||
3. Check if a matching filter context already exists. If it exists, insert the new client context, and return. | ||
4. If no matching filter context exists, release dispatch lock. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if the state changes after this lock is released? Won't this permit multiple callers to create the WFP context?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The passive lock (acquired in step 1) still serializes attach / detach calls to this provider.
@@ -0,0 +1,126 @@ | |||
# Introduction | |||
|
|||
Multi-attach support allows multiple eBPF programs to be attached to the same attach point (aka "hook") with the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The filename implies this proposal is only for netebpfext and not other extensions.
The title of the document (line 1) and first paragraph are generic though.
Assuming this is really just about netebpfext and won't work in general, please update the doc title.
# Introduction | ||
|
||
Multi-attach support allows multiple eBPF programs to be attached to the same attach point (aka "hook") with the | ||
same attach parameters. For example, for `BPF_CGROUP_INET4_CONNECT` attach type, the attach parameter is the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same attach parameters. For example, for `BPF_CGROUP_INET4_CONNECT` attach type, the attach parameter is the | |
same attach parameters. For example, for the `BPF_CGROUP_INET4_CONNECT` attach type, the attach parameter is the |
compartment ID. With this feature, multiple eBPF programs can be attached to the same compartment ID. | ||
|
||
This document describes the design changes required in `netebpfext` to support multiple attach of eBPF programs in | ||
`netebpfext`. This is independent of the platform changes needed in BPF runtime to add support for new multi-attach |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
`netebpfext`. This is independent of the platform changes needed in BPF runtime to add support for new multi-attach | |
`netebpfext`. This is independent of the platform changes needed in the BPF runtime to add support for new multi-attach |
|
||
This document describes the design changes required in `netebpfext` to support multiple attach of eBPF programs in | ||
`netebpfext`. This is independent of the platform changes needed in BPF runtime to add support for new multi-attach | ||
APIs and flags. These changes in netebpfext also help enable the "default" behavior of multi-attach feature where the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
APIs and flags. These changes in netebpfext also help enable the "default" behavior of multi-attach feature where the | |
APIs and flags. These changes in netebpfext also help enable the "default" behavior of the multi-attach feature where |
`netebpfext`. This is independent of the platform changes needed in BPF runtime to add support for new multi-attach | ||
APIs and flags. These changes in netebpfext also help enable the "default" behavior of multi-attach feature where the | ||
multiple legacy apps using older libbpf APIs to attach programs can still attach to the same hook, with the programs | ||
being "appended" in the invoke list in the order they are attached. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
being "appended" in the invoke list in the order they are attached. | |
being "appended" to the invoke list in the order they are attached. |
|
||
To provide synchronization, the hook provider will maintain a *dispatch* level RW lock to synchronize access to these | ||
lists. (A dispatch level lock is chosen here as the WFP callouts can be invoked at either PASSIVE_LEVEL or DISPATCH_LEVEL). | ||
1. Attach and detach callbacks flow will acquire this lock in exclusive mode. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1. Attach and detach callbacks flow will acquire this lock in exclusive mode. | |
1. Attach and detach callback flows will acquire this lock in exclusive mode. |
being attached / detached. Client / attach operations are expected to be much less frequent than program invocations. | ||
This approach eliminates any need for rundown reference for the client context. Since the list of client contexts for a | ||
filter context is synchronized via a lock, it is always guaranteed that in the client detach flow, if the dispatch level | ||
lock is acquired, there is no program invocation in progress for that program. Also, once the client context is removed |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Lines 89-90 and 114 don't use the term "read" or "write" lock, they use "exclusive" or "shared".
new invocation can also happen. | ||
|
||
Along with the above synchronization, there is also a need to **serialize multiple attach and detach operations callbacks**, | ||
as the whole flow of creating filter context, adding filter context to the provider list, and configuring WFP filters |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as the whole flow of creating filter context, adding filter context to the provider list, and configuring WFP filters | |
as the whole flow of creating filter context, adding the filter context to the provider list, and configuring WFP filters |
|
||
Along with the above synchronization, there is also a need to **serialize multiple attach and detach operations callbacks**, | ||
as the whole flow of creating filter context, adding filter context to the provider list, and configuring WFP filters | ||
needs to happen atomically (as mentioned in the current design section, there is bug currently where a lock is not held |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
needs to happen atomically (as mentioned in the current design section, there is bug currently where a lock is not held | |
needs to happen atomically (as mentioned in the current design section, there is a bug currently where a lock is not held |
Please add the issue # of the current bug.
|
||
As the above mentioned dispatch level RW already serializes attach / detach callbacks for a hook provider, it could have | ||
solved this serialization problem also. But there is a problem with using dispatch level locks: WFP APIs for adding | ||
filters require PASSIVE_LEVEL, hence same DISPATCH_LEVEL lock cannot be used to serialize the attach and detach |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
filters require PASSIVE_LEVEL, hence same DISPATCH_LEVEL lock cannot be used to serialize the attach and detach | |
filters require PASSIVE_LEVEL, hence the same DISPATCH_LEVEL lock cannot be used to serialize the attach and detach |
Description
This PR adds design proposal for adding multi-attach support for hooks in
netebpfext
.Testing
NA
Documentation
This PR adds documentation.
Installation
No.