lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 17 Mar 2020 18:10:16 -0700
From:   Joe Stringer <joe@...d.net.nz>
To:     Lorenz Bauer <lmb@...udflare.com>
Cc:     Joe Stringer <joe@...d.net.nz>, Martin KaFai Lau <kafai@...com>,
        bpf <bpf@...r.kernel.org>, netdev <netdev@...r.kernel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Alexei Starovoitov <ast@...nel.org>,
        Eric Dumazet <eric.dumazet@...il.com>
Subject: Re: [PATCH bpf-next 3/7] bpf: Add socket assign support

On Tue, Mar 17, 2020 at 3:10 AM Lorenz Bauer <lmb@...udflare.com> wrote:
>
> On Tue, 17 Mar 2020 at 03:06, Joe Stringer <joe@...d.net.nz> wrote:
> >
> > On Mon, Mar 16, 2020 at 3:58 PM Martin KaFai Lau <kafai@...com> wrote:
> > >
> > > On Thu, Mar 12, 2020 at 04:36:44PM -0700, Joe Stringer wrote:
> > > > Add support for TPROXY via a new bpf helper, bpf_sk_assign().
> > > >
> > > > This helper requires the BPF program to discover the socket via a call
> > > > to bpf_sk*_lookup_*(), then pass this socket to the new helper. The
> > > > helper takes its own reference to the socket in addition to any existing
> > > > reference that may or may not currently be obtained for the duration of
> > > > BPF processing. For the destination socket to receive the traffic, the
> > > > traffic must be routed towards that socket via local route, the socket
> > > I also missed where is the local route check in the patch.
> > > Is it implied by a sk can be found in bpf_sk*_lookup_*()?
> >
> > This is a requirement for traffic redirection, it's not enforced by
> > the patch. If the operator does not configure routing for the relevant
> > traffic to ensure that the traffic is delivered locally, then after
> > the eBPF program terminates, it will pass up through ip_rcv() and
> > friends and be subject to the whims of the routing table. (or
> > alternatively if the BPF program redirects somewhere else then this
> > reference will be dropped).
>
> Can you elaborate what "an appropriate routing configuration" would be?
> I'm not well versed with how routing works, sorry.

Maybe I should add this into the git commit message :-)

The simplest version of it is demonstrated in patch 6:
https://www.spinics.net/lists/netdev/msg637176.html

$ ip route add local default dev lo

Depending on your use case, you may want to be more specific on the
matches, eg using a specific CIDR rather than setting a default route.

> Do you think being subject to the routing table is desirable, or is it an
> implementation trade-off?

I think it's an implementation trade-off.

> >
> > I think this is a general bpf_sk*_lookup_*() question, previous
> > discussion[0] settled on avoiding that complexity before a use case
> > arises, for both TC and XDP versions of these helpers; I still don't
> > have a specific use case in mind for such functionality. If we were to
> > do it, I would presume that the socket lookup caller would need to
> > pass a dedicated flag (supported at TC and likely not at XDP) to
> > communicate that SO_ATTACH_REUSEPORT_EBPF progs should be respected
> > and used to select the reuseport socket.
>
> I was surprised that both TC and XDP don't run the reuseport program!

FWIW this is explicitly documented in the helper man pages for
sk_lookup_tcp() and friends:
http://man7.org/linux/man-pages/man7/bpf-helpers.7.html

> So far I assumed that TC did pass the skb. I understand that you don't want
> to tackle this issue, but is it possible to reject reuseport sockets from
> sk_assign in that case?

What if users don't attach a reuseport BPF program, but rely on the
standard hashing mechanism? Then we would be artificially limiting
that case.

What do you have in mind for the motivation of this, are you concerned
about feature probing or something else?

> --
> Lorenz Bauer  |  Systems Engineer
> 6th Floor, County Hall/The Riverside Building, SE1 7PB, UK
>
> www.cloudflare.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ