| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180507013326.xpm73j6egieo77dd@ast-mbp> Date: Sun, 6 May 2018 18:33:28 -0700 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: Mathieu Xhonneux <m.xhonneux@...il.com> Cc: netdev@...r.kernel.org, dlebrun@...gle.com Subject: Re: [PATCH bpf-next v3 0/6] ipv6: sr: introduce seg6local End.BPF action On Sun, May 06, 2018 at 06:27:28PM +0100, Mathieu Xhonneux wrote: > As of Linux 4.14, it is possible to define advanced local processing for > IPv6 packets with a Segment Routing Header through the seg6local LWT > infrastructure. This LWT implements the network programming principles > defined in the IETF “SRv6 Network Programming” draft. > > The implemented operations are generic, and it would be very interesting to > be able to implement user-specific seg6local actions, without having to > modify the kernel directly. To do so, this patchset adds an End.BPF action > to seg6local, powered by some specific Segment Routing-related helpers, > which provide SR functionalities that can be applied on the packet. This > BPF hook would then allow to implement specific actions at native kernel > speed such as OAM features, advanced SR SDN policies, SRv6 actions like > Segment Routing Header (SRH) encapsulation depending on the content of > the packet, etc ... > > This patchset is divided in 6 patches, whose main features are : > > - A new seg6local action End.BPF with the corresponding new BPF program > type BPF_PROG_TYPE_LWT_SEG6LOCAL. Such attached BPF program can be > passed to the LWT seg6local through netlink, the same way as the LWT > BPF hook operates. > - 3 new BPF helpers for the seg6local BPF hook, allowing to edit/grow/ > shrink a SRH and apply on a packet some of the generic SRv6 actions. > - 1 new BPF helper for the LWT BPF IN hook, allowing to add a SRH through > encapsulation (via IPv6 encapsulation or inlining if the packet contains > already an IPv6 header). > > As this patchset adds a new LWT BPF hook, I took into account the result of > the discussions when the LWT BPF infrastructure got merged. Hence, the > seg6local BPF hook doesn’t allow write access to skb->data directly, only > the SRH can be modified through specific helpers, which ensures that the > integrity of the packet is maintained. > More details are available in the related patches messages. > > The performances of this BPF hook have been assessed with the BPF JIT > enabled on a Intel Xeon X3440 processors with 4 cores and 8 threads > clocked at 2.53 GHz. No throughput losses are noted with the seg6local > BPF hook when the BPF program does nothing (440kpps). Adding a 8-bytes > TLV (1 call each to bpf_lwt_seg6_adjust_srh and bpf_lwt_seg6_store_bytes) > drops the throughput to 410kpps, and inlining a SRH via > bpf_lwt_seg6_action drops the throughput to 420kpps. > All throughputs are stable. > > ------- > v2: move the SRH integrity state from skb->cb to a per-cpu buffer > v3: - document helpers in man-page style > - fix kbuild bugs > - un-break BPF LWT out hook > - bpf_push_seg6_encap is now static > - preempt_enable is now called when the packet is dropped in > input_action_end_bpf Please fix build issue that 0bot caught and resubmit. Thanks
Powered by blists - more mailing lists