| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20180219.135334.93041549091981531.davem@davemloft.net>
Date: Mon, 19 Feb 2018 13:53:34 -0500 (EST)
From: David Miller <davem@...emloft.net>
To: pablo@...filter.org
Cc: netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
laforge@...filter.org, fw@...len.de, daniel@...earbox.net,
alexei.starovoitov@...il.com
Subject: Re: [PATCH RFC 3/3] netfilter: nf_tables: add BPF-based jit
infrastructure
From: Pablo Neira Ayuso <pablo@...filter.org>
Date: Mon, 19 Feb 2018 17:37:06 +0100
> From nf_tables_newrule(), this calls nft_jit_rule() that transforms
> our internal expression structure layout to abstract syntax tree, then
> we walk over this syntax tree to generate the BPF instructions that are
> placed in the rule jit buffer. From the commit phase, collect all jit
> buffers, place them in a BPF program that gets attached to the chain.
>
> This should be good enough to test simple payload and meta match. For
> more sophisticated stuff, we may use internal bpf helpers to call our
> _eval() functions.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
I'm very suprised that this is generating classical BPF filters.
We have native eBPF and that is what anything generating new code
should be using, rather than the 20+ year old CBPF.
Furthermore, we should not ever generate and use bpf code snippets to
use directly in the kernel.
Instead, all BPF code should be given to the kernel from userspace
through the bpf syscall interface, so that the boundry is distinct and
the verifier can be run properly on all pieces of eBPF code before the
kernel uses it.
Powered by blists - more mailing lists