| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 22 Mar 2019 10:52:36 +0800
From: Lorenz Bauer <lmb@...udflare.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org,
bpf@...r.kernel.org, Martin Lau <kafai@...com>
Subject: Re: [PATCH bpf-next v3 4/8] bpf: add helper to check for a valid SYN cookie
Ha! I did that because __cookie_v4(6)_check is marked GPL only. I'm
happy for the helper to be more permissive if that is possible.
On Fri, 22 Mar 2019 at 10:06, Alexei Starovoitov
<alexei.starovoitov@...il.com> wrote:
>
> On Fri, Mar 22, 2019 at 09:54:02AM +0800, Lorenz Bauer wrote:
> > Using bpf_skc_lookup_tcp it's possible to ascertain whether a packet
> > belongs to a known connection. However, there is one corner case: no
> > sockets are created if SYN cookies are active. This means that the final
> > ACK in the 3WHS is misclassified.
> >
> > Using the helper, we can look up the listening socket via
> > bpf_skc_lookup_tcp and then check whether a packet is a valid SYN
> > cookie ACK.
> >
> > Signed-off-by: Lorenz Bauer <lmb@...udflare.com>
> ...
> > +static const struct bpf_func_proto bpf_tcp_check_syncookie_proto = {
> > + .func = bpf_tcp_check_syncookie,
> > + .gpl_only = true,
>
> you really want your employer to open source the load balancer :)
> Fine by me.
>
> The series applied to bpf-next.
>
--
Lorenz Bauer | Systems Engineer
25 Lavington St., London SE1 0NZ
www.cloudflare.com
Powered by blists - more mailing lists