Date:   Tue, 19 Oct 2021 17:46:45 +0300
From:   Maxim Mikityanskiy <maximmi@...dia.com>
To:     Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>
CC:     Eric Dumazet <edumazet@...gle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        "Jesper Dangaard Brouer" <hawk@...nel.org>,
        Nathan Chancellor <nathan@...nel.org>,
        "Nick Desaulniers" <ndesaulniers@...gle.com>,
        Brendan Jackman <jackmanb@...gle.com>,
        Florent Revest <revest@...omium.org>,
        Joe Stringer <joe@...ium.io>,
        Lorenz Bauer <lmb@...udflare.com>,
        Tariq Toukan <tariqt@...dia.com>, <netdev@...r.kernel.org>,
        <bpf@...r.kernel.org>, <clang-built-linux@...glegroups.com>,
        Maxim Mikityanskiy <maximmi@...dia.com>
Subject: [PATCH bpf-next 00/10] New BPF helpers to accelerate synproxy

This series starts with some cleanup and bugfixing in the existing BPF
helpers for SYN cookies. The second half adds new functionality that
allows XDP to accelerate iptables synproxy.

struct nf_conn is exposed to BPF, and new helpers are added to query
conntrack info by 5-tuple. The only field exposed for now is status, but
it can be extended easily in the future.

New helpers are added to issue SYN and timestamp cookies and to check
SYN cookies without binding to a socket, which is useful in the synproxy
scenario.

Finally, a sample XDP and userspace program is added that shows how all
components work together. The XDP program uses socketless SYN cookie
helpers and queries conntrack status instead of socket status. A demo
script shows how to deploy the synproxy+XDP solution.

The draft of the new functionality was presented on Netdev 0x15:

https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP

Maxim Mikityanskiy (10):
  bpf: Use ipv6_only_sock in bpf_tcp_gen_syncookie
  bpf: Support dual-stack sockets in bpf_tcp_check_syncookie
  bpf: Use EOPNOTSUPP in bpf_tcp_check_syncookie
  bpf: Make errors of bpf_tcp_check_syncookie distinguishable
  bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
  bpf: Expose struct nf_conn to BPF
  bpf: Add helpers to query conntrack info
  bpf: Add helpers to issue and check SYN cookies in XDP
  bpf: Add a helper to issue timestamp cookies in XDP
  bpf: Add sample for raw syncookie helpers

 include/linux/bpf.h            |  46 +++
 include/net/tcp.h              |   2 +
 include/uapi/linux/bpf.h       | 193 ++++++++++-
 kernel/bpf/verifier.c          | 104 +++++-
 net/core/filter.c              | 433 +++++++++++++++++++++++-
 net/ipv4/syncookies.c          |  60 ++++
 net/ipv4/tcp_input.c           |   3 +-
 samples/bpf/.gitignore         |   1 +
 samples/bpf/Makefile           |   3 +
 samples/bpf/syncookie_kern.c   | 591 +++++++++++++++++++++++++++++++++
 samples/bpf/syncookie_test.sh  |  55 +++
 samples/bpf/syncookie_user.c   | 388 ++++++++++++++++++++++
 scripts/bpf_doc.py             |   1 +
 tools/include/uapi/linux/bpf.h | 193 ++++++++++-
 14 files changed, 2047 insertions(+), 26 deletions(-)
 create mode 100644 samples/bpf/syncookie_kern.c
 create mode 100755 samples/bpf/syncookie_test.sh
 create mode 100644 samples/bpf/syncookie_user.c

-- 
2.30.2
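The SYN cookie scheme that the socketless helpers in this series generate and check, as an added example that is not code from the series or from the kernel: a self-contained C model of the classic Linux cookie layout (8-bit time counter, 24-bit MSS index, both masked by keyed hashes of the 4-tuple), so that a SYN-ACK can be answered and the final ACK validated with no per-connection state. The FNV-1a mixer, the MSS table, the validity window and the addresses and ports used in the test are constructed stand-ins, not the kernel's values.

```c
#include <stdint.h>
/* Classic Linux layout: top 8 bits = time counter (mod 256), low 24 bits =
 * MSS table index, both masked by keyed hashes of the 4-tuple (no server state). */
#define COOKIEBITS 24
#define COOKIEMASK ((1u << COOKIEBITS) - 1)
#define MAX_COOKIE_AGE 2u /* counter steps (e.g. minutes) a cookie stays valid */
static const uint16_t mss_table[] = { 536, 1300, 1440, 1460 }; /* constructed */
#define NUM_MSS (sizeof(mss_table) / sizeof(mss_table[0]))
/* Stand-in keyed mixer (FNV-1a); the kernel uses SipHash with secret keys. */
static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr, uint16_t sport,
                            uint16_t dport, uint32_t count, uint32_t key)
{
    uint32_t w[5] = { saddr, daddr, ((uint32_t)sport << 16) | dport, count, key };
    uint32_t h = 2166136261u;
    for (int i = 0; i < 20; i++) {              /* 5 words x 4 bytes */
        h ^= (w[i / 4] >> (8 * (i % 4))) & 0xff;
        h *= 16777619u;
    }
    return h;
}
/* Largest table entry not exceeding the peer's advertised MSS. */
static uint32_t mss_index(uint16_t mss)
{
    uint32_t i = 0;
    while (i + 1 < NUM_MSS && mss_table[i + 1] <= mss)
        i++;
    return i;
}
/* Server ISN for the SYN-ACK, bound to the 4-tuple and the client ISN (sseq). */
uint32_t gen_syncookie(uint32_t saddr, uint32_t daddr, uint16_t sport,
                       uint16_t dport, uint32_t sseq, uint32_t count, uint16_t mss)
{
    return cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq +
           (count << COOKIEBITS) +
           ((cookie_hash(saddr, daddr, sport, dport, count, 1) + mss_index(mss))
            & COOKIEMASK);
}
/* Check the final ACK's (ack_seq - 1) against the 4-tuple and (seq - 1) at
 * time 'now'. Returns the recovered MSS, or 0 if expired or (with overwhelming
 * probability) forged, since a wrong 4-tuple scrambles the 24-bit index. */
uint16_t check_syncookie(uint32_t saddr, uint32_t daddr, uint16_t sport,
                         uint16_t dport, uint32_t sseq, uint32_t cookie, uint32_t now)
{
    cookie -= cookie_hash(saddr, daddr, sport, dport, 0, 0) + sseq;
    uint32_t age = (now - (cookie >> COOKIEBITS)) & 0xff;
    if (age >= MAX_COOKIE_AGE) return 0;
    uint32_t idx = (cookie - cookie_hash(saddr, daddr, sport, dport, now - age, 1))
                   & COOKIEMASK;
    return idx < NUM_MSS ? mss_table[idx] : 0;
}
```

Counter wrap is handled by recovering the issue time as `now - age` rather than trusting the 8 bits in the cookie directly, which is why a cookie stamped "in the future" fails the window check instead of being accepted.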