Message-ID: <595d79aa-5960-71a2-0299-c69a38bb287d@iogearbox.net>
Date:   Fri, 25 Sep 2020 00:19:40 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     David Ahern <dsahern@...il.com>, ast@...nel.org
Cc:     john.fastabend@...il.com, netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH bpf-next 3/6] bpf: add redirect_neigh helper as redirect drop-in

On 9/25/20 12:12 AM, David Ahern wrote:
> On 9/24/20 12:21 PM, Daniel Borkmann wrote:
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index 0f913755bcba..19caa2fc21e8 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -2160,6 +2160,205 @@ static int __bpf_redirect(struct sk_buff *skb, struct net_device *dev,
>>   		return __bpf_redirect_no_mac(skb, dev, flags);
>>   }
>>   
>> +#if IS_ENABLED(CONFIG_IPV6)
>> +static int bpf_out_neigh_v6(struct net *net, struct sk_buff *skb)
>> +{
>> +	struct dst_entry *dst = skb_dst(skb);
>> +	struct net_device *dev = dst->dev;
>> +	const struct in6_addr *nexthop;
>> +	struct neighbour *neigh;
>> +
>> +	if (dev_xmit_recursion())
>> +		goto out_rec;
>> +	skb->dev = dev;
>> +	rcu_read_lock_bh();
>> +	nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr);
>> +	neigh = __ipv6_neigh_lookup_noref_stub(dev, nexthop);
>> +	if (unlikely(!neigh))
>> +		neigh = __neigh_create(ipv6_stub->nd_tbl, nexthop, dev, false);
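Review bot: the `(struct rt6_info *)dst` cast in the `rt6_nexthop()` call is the same typecast pattern raised for the v4 variant, and it stays even once the lookup and create lines are folded into `ip_neigh_gw6()`, because that helper still takes the nexthop address. `container_of(dst, struct rt6_info, dst)` keeps the conversion type-checked and matches the style asked for elsewhere in this series.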
> 
> the last 3 lines can be replaced with ip_neigh_gw6.

Ah, nice, I wasn't aware of that one. I'll take it. :)

>> +	if (likely(!IS_ERR(neigh))) {
>> +		int ret;
>> +
>> +		sock_confirm_neigh(skb, neigh);
>> +		dev_xmit_recursion_inc();
>> +		ret = neigh_output(neigh, skb, false);
>> +		dev_xmit_recursion_dec();
>> +		rcu_read_unlock_bh();
>> +		return ret;
>> +	}
>> +	rcu_read_unlock_bh();
>> +	IP6_INC_STATS(dev_net(dst->dev),
>> +		      ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
>> +out_drop:
>> +	kfree_skb(skb);
>> +	return -EINVAL;
>> +out_rec:
>> +	net_crit_ratelimited("bpf: recursion limit reached on datapath, buggy bpf program?\n");
>> +	goto out_drop;
>> +}
>> +
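Review bot: the `net` parameter of `bpf_out_neigh_v6()` is never read in the function body; the only place it would be useful, `IP6_INC_STATS(dev_net(dst->dev), ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES)`, recomputes it from the device instead. Either pass it through as `IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES)` or drop the parameter from the signature so the compiler does not carry an unused argument.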
> 
> ...
> 
>> +#if IS_ENABLED(CONFIG_INET)
>> +static int bpf_out_neigh_v4(struct net *net, struct sk_buff *skb)
>> +{
>> +	struct dst_entry *dst = skb_dst(skb);
>> +	struct rtable *rt = (struct rtable *)dst;
> 
> please use container_of here; I'd like to see the typecasts get removed.

Will do, thx!

>> +	struct net_device *dev = dst->dev;
>> +	u32 hh_len = LL_RESERVED_SPACE(dev);
>> +	struct neighbour *neigh;
>> +	bool is_v6gw = false;
>> +
>> +	if (dev_xmit_recursion())
>> +		goto out_rec;
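Review bot: `hh_len = LL_RESERVED_SPACE(dev)` is computed here for the v4 path, but the v6 variant above reserves no link-layer headroom at all before calling `neigh_output()`, so the two paths diverge before they reach the neighbour lookup. If the v4 side needs an `skb_cow_head(skb, hh_len)`-style check ahead of transmit, the v6 side presumably needs the same; if it intentionally does not, a short comment in `bpf_out_neigh_v6()` explaining why would save the next reader the comparison.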
