lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180220105822.54birmgmr4r24kox@salvia>
Date:   Tue, 20 Feb 2018 11:58:22 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     netfilter-devel@...r.kernel.org, davem@...emloft.net,
        netdev@...r.kernel.org, laforge@...filter.org, fw@...len.de,
        alexei.starovoitov@...il.com
Subject: Re: [PATCH RFC PoC 0/3] nftables meets bpf

Hi Daniel,

On Mon, Feb 19, 2018 at 08:57:39PM +0100, Daniel Borkmann wrote:
> On 02/19/2018 05:37 PM, Pablo Neira Ayuso wrote:
> [...]
> > * Simplified infrastructure: We don't need the ebpf verifier complexity
> >   either given we trust the code we generate from the kernel. We don't
> >   need any complex userspace tooling either, just libnftnl and nft
> >   userspace binaries.
> > 
> > * Hardware offload: We can use this to offload rulesets to the only
> >   smartnic driver that we have in the tree that already implements bpf
> >   offload, hence, we can reuse this work already in place.
> 
> In addition Dave's points, regarding the above two, this will also only
> work behind the verifier since NIC offloading piggy-backs on the verifier's
> program analysis to prepare and generate a dev specific JITed BPF
> prog, so it's not the same as normal host JITs (and there, the cBPF ->
> eBPF in kernel migration adds a lot of headaches already due to
> different underlying assumptions coming from the two flavors, even
> if both are eBPF insns in the end), and given this, offloading will
> also only work for eBPF and not cBPF.

We also have a large range of TCAM based hardware offload outthere
that will _not_ work with your BPF HW offload infrastructure. What
this bpf infrastructure pushes into the kernel is just a blob
expressing things in a very low-level instruction-set: trying to find
a mapping of that to typical HW intermediate representations in the
TCAM based HW offload world will be simply crazy.

> There's a lot more the verifier is doing internally, like performing
> various different program rewrites from the context, for helpers
> (e.g. inlining), and for internal insn mappings that are not exposed
> (e.g. in calls), so we definitely need to go through it.

If we need to call the verifier from the kernel for the code that we
generate there for this initial stage, that should be not an issue.

The BPF interface is lacking many of the features and flexibility we
have in netlink these days, and it is only allowing for monolitic
ruleset replacement. This approach also loses internal rule stateful
information that we're doing in the packet path when updating the
ruleset. So it's taking us back to exactly the same mistakes we made
in iptables back in the 90s as it's been mentioned already.

So I just wish I can count with your help in this process, we can get
the best of the two worlds by providing a subsystem that allows users
to configure packet classification through one single interface, no
matter if the policy representation ends up being in software or HW
offloads, either TCAM or smartnic.

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ