[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <46e60759-e095-cb3c-4505-e5632916cd55@fb.com>
Date: Mon, 12 Mar 2018 10:49:02 -0700
From: Alexei Starovoitov <ast@...com>
To: Edward Cree <ecree@...arflare.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Kees Cook <keescook@...omium.org>
CC: David Miller <davem@...emloft.net>,
Andy Lutomirski <luto@...capital.net>,
Alexei Starovoitov <ast@...nel.org>,
Djalal Harouni <tixxdz@...il.com>,
Al Viro <viro@...iv.linux.org.uk>,
Daniel Borkmann <daniel@...earbox.net>,
Greg KH <gregkh@...uxfoundation.org>,
"Luis R. Rodriguez" <mcgrof@...nel.org>,
Network Development <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
kernel-team <kernel-team@...com>,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH net-next] modules: allow modprobe load regular elf
binaries
On 3/12/18 5:02 AM, Edward Cree wrote:
> On 09/03/18 18:58, Alexei Starovoitov wrote:
>> It's not waiting for the whole thing, because once bpfilter starts it
>> stays running/sleeping because it's stateful.
> So, this has been bugging me a bit.
> If bpfilter takes a signal and crashes, all that state goes away.
> Does that mean your iptables/netfilter config just got forgotten and next
> time you run iptables it disappears, so you have to re-apply it all again?
>> It needs normal
>> malloc-ed memory to keep the state of iptable->bpf translation that
>> it will use later during subsequent translation calls.
>> Theoretically it can use bpf maps pinned in kernel memory to keep
>> this state, but then it's non-swappable. It's better to keep bpfilter
>> state in its own user memory.
> Perhaps the state should live in swappable kernel memory (e.g. a tmpfs
> thing, which bpfilter could access through a mount). It'd be read-only
> to userspace, listing the existing rules (in untranslated form), and be
> updated to reflect the new rule after bpfilter has supplied the updated
> translation.
> Then bpfilter can cache things if it wants, but the kernel remains the
> ultimate arbiter of the state and maintains it over a bpfilter crash.
seems like overkill.
I consider crashing bpfilter same severity as kernel bug.
Whatever firewall rules already installed will continue to work,
but new ones won't be able to load and current set cannot be queried.
Control plane crashed, dataplane continues to work.
Still a ton better than whole system crash.
We have plenty of work ahead of us without worrying about restarting
that umh and reloading its state from tmpfs.
Something to consider for later phases of the project.
Powered by blists - more mailing lists