lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87pncsj0hv.fsf@toke.dk>
Date:   Tue, 31 Mar 2020 12:13:16 +0200
From:   Toke Høiland-Jørgensen <toke@...hat.com>
To:     Andrii Nakryiko <andrii.nakryiko@...il.com>
Cc:     Alexei Starovoitov <alexei.starovoitov@...il.com>,
        John Fastabend <john.fastabend@...il.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        Andrii Nakryiko <andriin@...com>,
        "David S. Miller" <davem@...emloft.net>,
        Jesper Dangaard Brouer <brouer@...hat.com>,
        Lorenz Bauer <lmb@...udflare.com>,
        Andrey Ignatov <rdna@...com>,
        Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>
Subject: Re: [PATCH bpf-next 1/4] xdp: Support specifying expected existing program when attaching XDP

Andrii Nakryiko <andrii.nakryiko@...il.com> writes:

>> > So you install your libxdp-based firewalls and are happy. Then you
>> > decide to install this awesome packet analyzer, which doesn't know
>> > about libxdp yet. Suddenly, you get all packets analyzer, but no more
>> > firewall, until users somehow notices that it's gone. Or firewall
>> > periodically checks that it's still runinng. Both not great, IMO, but
>> > might be acceptable for some users, I guess. But imagine all the
>> > confusion for user, especially if he doesn't give a damn about XDP and
>> > other buzzwords, but only needs a reliable firewall :)
>>
>> Yes, whereas if the firewall is using bpf_link, then the packet analyser
>> will be locked out and can't do its thing. Either way you end up with a
>> broken application; it's just moving the breakage. In the case of
>
> Hm... In one case firewall installation reported success and stopped
> working afterwards with no notification and user having no clue. In
> another, packet analyzer refused to start and reported error to user.
> Let's agree to disagree that those are not at all equivalent. To me
> silent failure is so much worse, than application failing to start in
> the first place.

Oh, sure, obvious failures are preferable to silent ones, do doubt about
that. But for things to actually *work*, both applications need to agree
on how to do things, which in practice means they'll need to use the
same library. At which point you can solve this problem in the
library.

So again, I'm not saying the two are equivalent, I am just disagreeing
with you about how big the benefit is. And sure, we can agree to
disagree on that :)

-Toke

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ