lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20230904112922.13882-1-00107082@163.com>
Date:   Mon,  4 Sep 2023 19:29:22 +0800
From:   David Wang <00107082@....com>
To:     fw@...len.de
Cc:     00107082@....com, andrii@...nel.org, ast@...nel.org,
        bpf@...r.kernel.org, daniel@...earbox.net, haoluo@...gle.com,
        john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org,
        linux-kernel@...r.kernel.org, martin.lau@...ux.dev, sdf@...gle.com,
        song@...nel.org, yonghong.song@...ux.dev
Subject: 

At 2023-09-04 18:48:56, "Florian Westphal" <fw@...len.de> wrote:
>David Wang <00107082@....com> wrote:
>> This sample code implements a simple ipv4
>> blacklist via the new bpf type BPF_PROG_TYPE_NETFILTER,
>> which was introduced in 6.4.
>> 
>> The bpf program drops package if destination ip address
>> hits a match in the map of type BPF_MAP_TYPE_LPM_TRIE,
>> 
>> The userspace code would load the bpf program,
>> attach it to netfilter's FORWARD/OUTPUT hook,
>> and then write ip patterns into the bpf map.
>
>Thanks, I think its good to have this.

Thanks for the quick response! Glad to contribute!

>> +
>> +#define NF_DROP 0
>> +#define NF_ACCEPT 1
>
>If you are interested, you could send a patch for nf-next that
>makes the uapi headers expose this as enum, AFAIU that would make
>the verdict nanes available via vmlinux.h.
>

I think I can work on this.


>> +	if (pvalue) {
>> +		/* cat /sys/kernel/debug/tracing/trace_pipe */
>> +		bpf_printk("rule matched with %d...\n", *pvalue);
>
>If you are interested you could send a patch that adds a kfunc to
>nf_bpf_link that exposes nf_log_packet() to bpf.
>
>nf_log_packet has a terrible api, I suggest to have the kfunc take
>'struct nf_hook_state *' instead of 6+ members of that struct as
>argument.
>

Package logging strategy is out of my league, for now, but I will keep eye on this.


David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ