| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Sep 2020 15:13:31 -0700
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Song Liu <song@...nel.org>
Cc: Nicolas Rybowski <nicolas.rybowski@...sares.net>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
Andrii Nakryiko <andriin@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...omium.org>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>,
Matthieu Baerts <matthieu.baerts@...sares.net>,
Mat Martineau <mathew.j.martineau@...ux.intel.com>,
Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH bpf-next v2 1/5] bpf: expose is_mptcp flag to bpf_tcp_sock
On Mon, Sep 14, 2020 at 11:21 AM Song Liu <song@...nel.org> wrote:
>
> On Fri, Sep 11, 2020 at 8:07 AM Nicolas Rybowski
> <nicolas.rybowski@...sares.net> wrote:
> >
> > is_mptcp is a field from struct tcp_sock used to indicate that the
> > current tcp_sock is part of the MPTCP protocol.
> >
> > In this protocol, a first socket (mptcp_sock) is created with
> > sk_protocol set to IPPROTO_MPTCP (=262) for control purpose but it
> > isn't directly on the wire. This is the role of the subflow (kernel)
> > sockets which are classical tcp_sock with sk_protocol set to
> > IPPROTO_TCP. The only way to differentiate such sockets from plain TCP
> > sockets is the is_mptcp field from tcp_sock.
> >
> > Such an exposure in BPF is thus required to be able to differentiate
> > plain TCP sockets from MPTCP subflow sockets in BPF_PROG_TYPE_SOCK_OPS
> > programs.
> >
> > The choice has been made to silently pass the case when CONFIG_MPTCP is
> > unset by defaulting is_mptcp to 0 in order to make BPF independent of
> > the MPTCP configuration. Another solution is to make the verifier fail
> > in 'bpf_tcp_sock_is_valid_ctx_access' but this will add an additional
> > '#ifdef CONFIG_MPTCP' in the BPF code and a same injected BPF program
> > will not run if MPTCP is not set.
> >
> > An example use-case is provided in
> > https://github.com/multipath-tcp/mptcp_net-next/tree/scripts/bpf/examples
> >
> > Suggested-by: Matthieu Baerts <matthieu.baerts@...sares.net>
> > Acked-by: Matthieu Baerts <matthieu.baerts@...sares.net>
> > Acked-by: Mat Martineau <mathew.j.martineau@...ux.intel.com>
> > Signed-off-by: Nicolas Rybowski <nicolas.rybowski@...sares.net>
> > ---
> > include/uapi/linux/bpf.h | 1 +
> > net/core/filter.c | 9 ++++++++-
> > tools/include/uapi/linux/bpf.h | 1 +
> > 3 files changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > index 7dd314176df7..7d179eada1c3 100644
> > --- a/include/uapi/linux/bpf.h
> > +++ b/include/uapi/linux/bpf.h
> > @@ -4060,6 +4060,7 @@ struct bpf_tcp_sock {
> > __u32 delivered; /* Total data packets delivered incl. rexmits */
> > __u32 delivered_ce; /* Like the above but only ECE marked packets */
> > __u32 icsk_retransmits; /* Number of unrecovered [RTO] timeouts */
> > + __u32 is_mptcp; /* Is MPTCP subflow? */
>
> Shall we have an __u32 flags, and make is_mptcp a bit of it?
>
Bitfields are slow and more annoying to rewrite in verifier, so having
an __u32 field is actually good.
> Thanks,
> Song
> [...]
Powered by blists - more mailing lists