| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170209.204811.352646130146676206.davem@davemloft.net> Date: Thu, 09 Feb 2017 20:48:11 -0500 (EST) From: David Miller <davem@...emloft.net> To: tom@...bertland.com Cc: netdev@...r.kernel.org, kernel-team@...com Subject: Re: [PATCH RFC v2 1/8] xdp: Infrastructure to generalize XDP From: Tom Herbert <tom@...bertland.com> Date: Thu, 9 Feb 2017 15:08:22 -0800 > Okay, how about this... I'll add a configuration option like > XDP_ALLOW_OTHER_HOOKS. The default will be to disallow setting any > hook other than a BPF. If it is set, then we'll accept other hooks > to be run. This way mostly restrict the interface by default, but > still allow experimentation with other hook types like I need with > TXDP or maybe the netfilter guys might want to fastpath netfilter > etc. When we we bring a working robust implementation to netdev that > show clear benefits then we can add those to BPF as the "allowed" > hooks at that time. So this strictly controls the interfaces, but > still also allows room for innovation. Anyone is allowed to "innovate" in their own private kernel tree. But I'm not unleashing that upstream. The only reason I accepted XDP is entirely because it is limited in scope to eBPF. All eBPF programs execute in finite time, cannot loop, cannot deadlock, cannot access arbitrary pieces of kernel memory and datastructures. It is a well defined, constrained, and incredibly tightly controlled execution environment for implementing policy, monitoring and control.
Powered by blists - more mailing lists