| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Dec 2019 15:27:52 +0100
From: Jesper Dangaard Brouer <jbrouer@...hat.com>
To: Prashant Bhole <prashantbhole.linux@...il.com>
Cc: "David S . Miller" <davem@...emloft.net>,
"Michael S . Tsirkin" <mst@...hat.com>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
David Ahern <dahern@...italocean.com>,
Jason Wang <jasowang@...hat.com>,
David Ahern <dsahern@...il.com>,
Jakub Kicinski <jakub.kicinski@...ronome.com>,
John Fastabend <john.fastabend@...il.com>,
Toshiaki Makita <toshiaki.makita1@...il.com>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
Andrii Nakryiko <andriin@...com>, netdev@...r.kernel.org
Subject: Re: [RFC v2 net-next 01/12] net: introduce BPF_XDP_EGRESS attach
type for XDP
On Thu, 26 Dec 2019 11:31:49 +0900
Prashant Bhole <prashantbhole.linux@...il.com> wrote:
> This patch introduces a new bpf attach type BPF_XDP_EGRESS. Programs
> having this attach type will be allowed to run in the tx path. It is
> because we need to prevent the programs from accessing rxq info when
> they are running in tx path. Verifier can reject the programs those
> have this attach type and trying to access rxq info.
>
> Patch also introduces a new netlink attribute IFLA_XDP_TX which can
> be used for setting XDP program in tx path and to get information of
> such programs.
>
> Drivers those want to support tx path XDP needs to handle
> XDP_SETUP_PROG_TX and XDP_QUERY_PROG_TX cases in their ndo_bpf.
Why do you keep the "TX" names, when you introduce the "EGRESS"
attachment type?
Netlink attribute IFLA_XDP_TX is particularly confusing.
I personally like that this is called "*_XDP_EGRESS" to avoid confusing
with XDP_TX action.
BTW, should the XDP_EGRESS program also inspect XDP_TX packets?
> Signed-off-by: David Ahern <dahern@...italocean.com>
> Co-developed-by: Prashant Bhole <prashantbhole.linux@...il.com>
> Signed-off-by: Prashant Bhole <prashantbhole.linux@...il.com>
> ---
> include/linux/netdevice.h | 4 +-
> include/uapi/linux/bpf.h | 1 +
> include/uapi/linux/if_link.h | 1 +
> net/core/dev.c | 34 +++++++---
> net/core/filter.c | 8 +++
> net/core/rtnetlink.c | 112 ++++++++++++++++++++++++++++++++-
> tools/include/uapi/linux/bpf.h | 1 +
> 7 files changed, 150 insertions(+), 11 deletions(-)
>
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 469a297b58c0..ac3e88d86581 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -865,8 +865,10 @@ enum bpf_netdev_command {
> */
> XDP_SETUP_PROG,
> XDP_SETUP_PROG_HW,
> + XDP_SETUP_PROG_TX,
> XDP_QUERY_PROG,
> XDP_QUERY_PROG_HW,
> + XDP_QUERY_PROG_TX,
> /* BPF program for offload callbacks, invoked at program load time. */
> BPF_OFFLOAD_MAP_ALLOC,
> BPF_OFFLOAD_MAP_FREE,
> @@ -3725,7 +3727,7 @@ struct sk_buff *dev_hard_start_xmit(struct sk_buff *skb, struct net_device *dev,
>
> typedef int (*bpf_op_t)(struct net_device *dev, struct netdev_bpf *bpf);
> int dev_change_xdp_fd(struct net_device *dev, struct netlink_ext_ack *extack,
> - int fd, u32 flags);
> + int fd, u32 flags, bool tx);
> u32 __dev_xdp_query(struct net_device *dev, bpf_op_t xdp_op,
> enum bpf_netdev_command cmd);
> int xdp_umem_query(struct net_device *dev, u16 queue_id);
> diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> index dbbcf0b02970..23c1841c8086 100644
> --- a/include/uapi/linux/bpf.h
> +++ b/include/uapi/linux/bpf.h
> @@ -203,6 +203,7 @@ enum bpf_attach_type {
> BPF_TRACE_RAW_TP,
> BPF_TRACE_FENTRY,
> BPF_TRACE_FEXIT,
> + BPF_XDP_EGRESS,
> __MAX_BPF_ATTACH_TYPE
> };
>
> diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
> index 1d69f637c5d6..be97c9787140 100644
> --- a/include/uapi/linux/if_link.h
> +++ b/include/uapi/linux/if_link.h
> @@ -170,6 +170,7 @@ enum {
> IFLA_PROP_LIST,
> IFLA_ALT_IFNAME, /* Alternative ifname */
> IFLA_PERM_ADDRESS,
> + IFLA_XDP_TX,
> __IFLA_MAX
> };
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Principal Kernel Engineer at Red Hat
LinkedIn: http://www.linkedin.com/in/brouer
Powered by blists - more mailing lists