lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <52307d0d-7bfc-c2c9-428c-751844c69a69@iogearbox.net>
Date:   Thu, 24 May 2018 12:12:25 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Mathieu Xhonneux <m.xhonneux@...il.com>, netdev@...r.kernel.org
Cc:     dlebrun@...gle.com, alexei.starovoitov@...il.com
Subject: Re: [PATCH bpf-next v7 0/6] ipv6: sr: introduce seg6local End.BPF
 action

On 05/20/2018 03:58 PM, Mathieu Xhonneux wrote:
> As of Linux 4.14, it is possible to define advanced local processing for
> IPv6 packets with a Segment Routing Header through the seg6local LWT
> infrastructure. This LWT implements the network programming principles
> defined in the IETF “SRv6 Network Programming” draft.
> 
> The implemented operations are generic, and it would be very interesting to
> be able to implement user-specific seg6local actions, without having to
> modify the kernel directly. To do so, this patchset adds an End.BPF action
> to seg6local, powered by some specific Segment Routing-related helpers,
> which provide SR functionalities that can be applied on the packet. This
> BPF hook would then allow to implement specific actions at native kernel
> speed such as OAM features, advanced SR SDN policies, SRv6 actions like
> Segment Routing Header (SRH) encapsulation depending on the content of
> the packet, etc.
> 
> This patchset is divided in 6 patches, whose main features are :
> 
> - A new seg6local action End.BPF with the corresponding new BPF program
>   type BPF_PROG_TYPE_LWT_SEG6LOCAL. Such attached BPF program can be
>   passed to the LWT seg6local through netlink, the same way as the LWT
>   BPF hook operates.
> - 3 new BPF helpers for the seg6local BPF hook, allowing to edit/grow/
>   shrink a SRH and apply on a packet some of the generic SRv6 actions.
> - 1 new BPF helper for the LWT BPF IN hook, allowing to add a SRH through
>   encapsulation (via IPv6 encapsulation or inlining if the packet contains
>   already an IPv6 header).
> 
> As this patchset adds a new LWT BPF hook, I took into account the result of
> the discussions when the LWT BPF infrastructure got merged. Hence, the
> seg6local BPF hook doesn’t allow write access to skb->data directly, only
> the SRH can be modified through specific helpers, which ensures that the
> integrity of the packet is maintained.
> More details are available in the related patches messages.
> 
> The performances of this BPF hook have been assessed with the BPF JIT
> enabled on an Intel Xeon X3440 processors with 4 cores and 8 threads
> clocked at 2.53 GHz. No throughput losses are noted with the seg6local
> BPF hook when the BPF program does nothing (440kpps). Adding a 8-bytes
> TLV (1 call each to bpf_lwt_seg6_adjust_srh and bpf_lwt_seg6_store_bytes)
> drops the throughput to 410kpps, and inlining a SRH via
> bpf_lwt_seg6_action drops the throughput to 420kpps.
> All throughputs are stable.
> 
> -------
> v2: move the SRH integrity state from skb->cb to a per-cpu buffer
> v3: - document helpers in man-page style
>     - fix kbuild bugs
>     - un-break BPF LWT out hook
>     - bpf_push_seg6_encap is now static
>     - preempt_enable is now called when the packet is dropped in
>       input_action_end_bpf
> v4: fix kbuild bugs when CONFIG_IPV6=m
> v5: fix kbuild sparse warnings when CONFIG_IPV6=m
> v6: fix skb pointers-related bugs in helpers
> v7: - fix memory leak in error path of End.BPF setup
>     - add freeing of BPF data in seg6_local_destroy_state
>     - new enums SEG6_LOCAL_BPF_* instead of re-using ones of lwt bpf for
>       netlink nested bpf attributes
>     - SEG6_LOCAL_BPF_PROG attr now contains prog->aux->id when dumping
>       state
> 
> Thanks.
> 
> Mathieu Xhonneux (6):
>   ipv6: sr: make seg6.h includable without IPv6
>   ipv6: sr: export function lookup_nexthop
>   bpf: Add IPv6 Segment Routing helpers
>   bpf: Split lwt inout verifier structures
>   ipv6: sr: Add seg6local action End.BPF
>   selftests/bpf: test for seg6local End.BPF action
> 
>  include/linux/bpf_types.h                         |   5 +-
>  include/net/seg6.h                                |   7 +-
>  include/net/seg6_local.h                          |  32 ++
>  include/uapi/linux/bpf.h                          |  97 ++++-
>  include/uapi/linux/seg6_local.h                   |  12 +
>  kernel/bpf/verifier.c                             |   1 +
>  net/core/filter.c                                 | 393 ++++++++++++++++---
>  net/ipv6/Kconfig                                  |   5 +
>  net/ipv6/seg6_local.c                             | 190 +++++++++-
>  tools/include/uapi/linux/bpf.h                    |  97 ++++-
>  tools/lib/bpf/libbpf.c                            |   1 +
>  tools/testing/selftests/bpf/Makefile              |   6 +-
>  tools/testing/selftests/bpf/bpf_helpers.h         |  12 +
>  tools/testing/selftests/bpf/test_lwt_seg6local.c  | 437 ++++++++++++++++++++++
>  tools/testing/selftests/bpf/test_lwt_seg6local.sh | 140 +++++++
>  15 files changed, 1363 insertions(+), 72 deletions(-)
>  create mode 100644 include/net/seg6_local.h
>  create mode 100644 tools/testing/selftests/bpf/test_lwt_seg6local.c
>  create mode 100755 tools/testing/selftests/bpf/test_lwt_seg6local.sh

Applied to bpf-next, thanks Mathieu!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ