Message-Id: <20190322015406.26453-1-lmb@cloudflare.com>
Date: Fri, 22 Mar 2019 09:53:58 +0800
From: Lorenz Bauer <lmb@...udflare.com>
To: ast@...nel.org, daniel@...earbox.net, netdev@...r.kernel.org,
bpf@...r.kernel.org
Cc: kafai@...com, Lorenz Bauer <lmb@...udflare.com>
Subject: [PATCH bpf-next v3 0/8] Allow checking SYN cookies from XDP and tc cls act

This series adds the necessary helpers to determine whether a given
(encapsulated) TCP packet belongs to a connection known to the network stack.

* bpf_skc_lookup_tcp gives access to request and timewait sockets
* bpf_tcp_check_syncookie identifies the final 3WHS ACK when syncookies
  are enabled

The goal is to be able to implement load-balancing approaches like
glb-director [1] or Beamer [2] in pure eBPF. Specifically, we'd like to replace
the functionality of the glb-redirect kernel module [3] by an XDP program or
tc classifier.

Changes in v3:
* Fix missing check for ip4->ihl
* Only cast to unsigned long in BPF_CALLs

Changes in v2:
* Rename bpf_sk_check_syncookie to bpf_tcp_check_syncookie.
* Add bpf_skc_lookup_tcp. Without it bpf_tcp_check_syncookie doesn't make sense.
* Check tcp_synq_no_recent_overflow() in bpf_tcp_check_syncookie.
* Check th->syn in bpf_tcp_check_syncookie.
* Require CONFIG_IPV6 to be a built in.

1: https://github.com/github/glb-director
2: https://www.usenix.org/conference/nsdi18/presentation/olteanu
3: https://github.com/github/glb-director/tree/master/src/glb-redirect

Lorenz Bauer (8):
bpf: track references based on is_acquire_func
bpf: allow helpers to return PTR_TO_SOCK_COMMON
bpf: add skc_lookup_tcp helper
bpf: add helper to check for a valid SYN cookie
tools: update include/uapi/linux/bpf.h
selftests/bpf: allow specifying helper for BPF_SK_LOOKUP
selftests/bpf: test references to sock_common
selftests/bpf: add tests for bpf_tcp_check_syncookie and
bpf_skc_lookup_tcp
include/linux/bpf.h | 1 +
include/uapi/linux/bpf.h | 36 ++-
kernel/bpf/verifier.c | 33 +--
net/core/filter.c | 216 ++++++++++++++++--
tools/include/uapi/linux/bpf.h | 36 ++-
tools/testing/selftests/bpf/.gitignore | 1 +
tools/testing/selftests/bpf/Makefile | 5 +-
tools/testing/selftests/bpf/bpf_helpers.h | 8 +
.../bpf/progs/test_tcp_check_syncookie_kern.c | 129 +++++++++++
.../selftests/bpf/test_tcp_check_syncookie.sh | 81 +++++++
.../bpf/test_tcp_check_syncookie_user.c | 212 +++++++++++++++++
tools/testing/selftests/bpf/test_verifier.c | 6 +-
.../selftests/bpf/verifier/ref_tracking.c | 126 ++++++----
tools/testing/selftests/bpf/verifier/unpriv.c | 8 +-
14 files changed, 811 insertions(+), 87 deletions(-)
create mode 100644 tools/testing/selftests/bpf/progs/test_tcp_check_syncookie_kern.c
create mode 100755 tools/testing/selftests/bpf/test_tcp_check_syncookie.sh
create mode 100644 tools/testing/selftests/bpf/test_tcp_check_syncookie_user.c
--
2.19.1
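
Added example, not code from this series or from the kernel: a user-space C sketch of the bounds and flag checks a packet needs to pass before it is worth a socket lookup and syncookie check as the final 3WHS ACK. The names classify_ipv4, build_packet and the verdict values are hypothetical; the ihl and SYN checks mirror the changelog items above, while the RST and fragment checks are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict names are this example's own, not kernel identifiers. */
enum verdict { PKT_MALFORMED = -1, PKT_NOT_CANDIDATE = 0, PKT_ACK_CANDIDATE = 1 };

/* Bounds-check every header before reading it, then test the TCP flags. */
static enum verdict classify_ipv4(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return PKT_MALFORMED;              /* too short, or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len)
        return PKT_MALFORMED;              /* ihl below minimum or past the buffer */
    if (pkt[9] != 6)
        return PKT_NOT_CANDIDATE;          /* not TCP */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0)
        return PKT_NOT_CANDIDATE;          /* non-first fragment: no TCP header */
    if (len - ihl < 20)
        return PKT_MALFORMED;              /* TCP header truncated */
    const uint8_t *th = pkt + ihl;
    size_t doff = (size_t)(th[12] >> 4) * 4;
    if (doff < 20 || doff > len - ihl)
        return PKT_MALFORMED;              /* bad TCP data offset */
    uint8_t flags = th[13];
    if (!(flags & 0x10) || (flags & 0x06))
        return PKT_NOT_CANDIDATE;          /* need ACK set, SYN and RST clear */
    return PKT_ACK_CANDIDATE;
}

/* Constructed 40-byte packet: IPv4 header at 0, TCP header at offset 20. */
static void build_packet(uint8_t out[40], uint8_t ihl_words, uint8_t tcp_flags)
{
    for (size_t i = 0; i < 40; i++)
        out[i] = 0;
    out[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));  /* version 4 + ihl */
    out[9] = 6;                                     /* protocol TCP */
    out[20 + 12] = 5 << 4;                          /* data offset 5 words */
    out[20 + 13] = tcp_flags;
}

int main(void)
{
    uint8_t p[40];
    build_packet(p, 5, 0x10);                       /* bare ACK */
    printf("%d\n", classify_ipv4(p, sizeof p));
    return 0;
}
```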