lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 27 Apr 2015 16:41:44 -0700
From:	Stephen Hemminger <stephen@...workplumber.org>
To:	Daniel Borkmann <daniel@...earbox.net>
Cc:	hannes@...essinduktion.org, ast@...mgrid.com,
	netdev@...r.kernel.org
Subject: Re: [PATCH iproute2 -next v2] tc: built-in eBPF exec proxy

On Thu, 16 Apr 2015 21:20:06 +0200
Daniel Borkmann <daniel@...earbox.net> wrote:

> This work follows upon commit 6256f8c9e45f ("tc, bpf: finalize eBPF
> support for cls and act front-end") and takes up the idea proposed by
> Hannes Frederic Sowa to spawn a shell (or any other command) that holds
> generated eBPF map file descriptors.
> 
> File descriptors, based on their id, are being fetched from the same
> unix domain socket as demonstrated in the bpf_agent, the shell spawned
> via execvpe(2) and the map fds passed over the environment, and thus
> are made available to applications in the fashion of std{in,out,err}
> for read/write access, for example in case of iproute2's examples/bpf/:
> 
>   # env | grep BPF
>   BPF_NUM_MAPS=3
>   BPF_MAP1=6        <- BPF_MAP_ID_QUEUE (id 1)
>   BPF_MAP0=5        <- BPF_MAP_ID_PROTO (id 0)
>   BPF_MAP2=7        <- BPF_MAP_ID_DROPS (id 2)
> 
>   # ls -la /proc/self/fd
>   [...]
>   lrwx------. 1 root root 64 Apr 14 16:46 0 -> /dev/pts/4
>   lrwx------. 1 root root 64 Apr 14 16:46 1 -> /dev/pts/4
>   lrwx------. 1 root root 64 Apr 14 16:46 2 -> /dev/pts/4
>   [...]
>   lrwx------. 1 root root 64 Apr 14 16:46 5 -> anon_inode:bpf-map
>   lrwx------. 1 root root 64 Apr 14 16:46 6 -> anon_inode:bpf-map
>   lrwx------. 1 root root 64 Apr 14 16:46 7 -> anon_inode:bpf-map
> 
> The advantage (as opposed to the direct/native usage) is that now the
> shell is map fd owner and applications can terminate and easily reattach
> to descriptors w/o any kernel changes. Moreover, multiple applications
> can easily read/write eBPF maps simultaneously.
> 
> To further allow users for experimenting with that, next step is to add
> a small helper that can get along with simple data types, so that also
> shell scripts can make use of bpf syscall, f.e to read/write into maps.
> 
> Generally, this allows for prepopulating maps, or any runtime altering
> which could influence eBPF program behaviour (f.e. different run-time
> classifications, skb modifications, ...), dumping of statistics, etc.
> 
> Reference: http://thread.gmane.org/gmane.linux.network/357471/focus=357860
> Suggested-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
> Signed-off-by: Daniel Borkmann <daniel@...earbox.net>
> Reviewed-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
> Acked-by: Alexei Starovoitov <ast@...mgrid.com>

Cool but a little hard to explain and awkward to use.
I see no reason not to put it in, might be useful and doesn't interfere
with basic usage.

This will go in for 4.1 version of iproute2.

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ