Message-ID: <20220413134120.3253433-1-maximmi@nvidia.com>
Date: Wed, 13 Apr 2022 16:41:14 +0300
From: Maxim Mikityanskiy <maximmi@...dia.com>
To: <bpf@...r.kernel.org>, Alexei Starovoitov <ast@...nel.org>, "Daniel Borkmann" <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, <netdev@...r.kernel.org>
CC: Tariq Toukan <tariqt@...dia.com>, Martin KaFai Lau <kafai@...com>, "Song Liu" <songliubraving@...com>, Yonghong Song <yhs@...com>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Petar Penkov <ppenkov@...gle.com>, Lorenz Bauer <lmb@...udflare.com>, Eric Dumazet <edumazet@...gle.com>, Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>, "David Ahern" <dsahern@...nel.org>, Shuah Khan <shuah@...nel.org>, "Jesper Dangaard Brouer" <hawk@...nel.org>, Nathan Chancellor <nathan@...nel.org>, "Nick Desaulniers" <ndesaulniers@...gle.com>, Joe Stringer <joe@...ium.io>, "Florent Revest" <revest@...omium.org>, <linux-kselftest@...r.kernel.org>, Toke Høiland-Jørgensen <toke@...e.dk>, "Kumar Kartikeya Dwivedi" <memxor@...il.com>, Florian Westphal <fw@...len.de>, "Maxim Mikityanskiy" <maximmi@...dia.com>
Subject: [PATCH bpf-next v5 0/5] New BPF helpers to accelerate synproxy

The first patch of this series is an improvement to the existing syncookie
BPF helper. The second patch is a documentation fix. The third patch allows
BPF helpers to accept memory regions of fixed size without doing runtime
size checks. The two last patches add new functionality that allows XDP to
accelerate iptables synproxy.

v1 of this series [1] used to include a patch that exposed conntrack lookup
to BPF using stable helpers. It was superseded by series [2] by Kumar
Kartikeya Dwivedi, which implements this functionality using unstable
helpers.

The fourth patch adds new helpers to issue and check SYN cookies without
binding to a socket, which is useful in the synproxy scenario.

The fifth patch adds a selftest, which consists of a script, an XDP program
and a userspace control application. The XDP program uses socketless SYN
cookie helpers and queries conntrack status instead of socket status. The
userspace control application allows tuning parameters of the XDP program.
This program also serves as a minimal example of usage of the new
functionality.

The draft of the new functionality was presented on Netdev 0x15 [3].

v2 changes:

Split into two series, submitted bugfixes to bpf, dropped the conntrack
patches, implemented the timestamp cookie in BPF using bpf_loop, dropped the
timestamp cookie patch.

v3 changes:

Moved some patches from bpf to bpf-next, dropped the patch that changed
error codes, split the new helpers into IPv4/IPv6, added verifier
functionality to accept memory regions of fixed size.

v4 changes:

Converted the selftest to the test_progs runner. Replaced some deprecated
functions in xdp_synproxy userspace helper.

v5 changes:

Fixed a bug in the selftest. Added questionable functionality to support new
helpers in TC BPF, added selftests for it.

[1]: https://lore.kernel.org/bpf/20211020095815.GJ28644@breakpoint.cc/t/
[2]: https://lore.kernel.org/bpf/20220114163953.1455836-1-memxor@gmail.com/
[3]: https://netdevconf.info/0x15/session.html?Accelerating-synproxy-with-XDP

Maxim Mikityanskiy (6):
  bpf: Use ipv6_only_sock in bpf_tcp_gen_syncookie
  bpf: Fix documentation of th_len in bpf_tcp_{gen,check}_syncookie
  bpf: Allow helpers to accept pointers with a fixed size
  bpf: Add helpers to issue and check SYN cookies in XDP
  bpf: Add selftests for raw syncookie helpers
  bpf: Allow the new syncookie helpers to work with SKBs

 include/linux/bpf.h                                |  10 +
 include/net/tcp.h                                  |   1 +
 include/uapi/linux/bpf.h                           | 100 ++-
 kernel/bpf/verifier.c                              |  26 +-
 net/core/filter.c                                  | 136 ++-
 net/ipv4/tcp_input.c                               |   3 +-
 scripts/bpf_doc.py                                 |   4 +
 tools/include/uapi/linux/bpf.h                     | 100 ++-
 tools/testing/selftests/bpf/.gitignore             |   1 +
 tools/testing/selftests/bpf/Makefile               |   2 +-
 .../selftests/bpf/prog_tests/xdp_synproxy.c        | 144 +++
 .../selftests/bpf/progs/xdp_synproxy_kern.c        | 819 ++++++++++++++++++
 tools/testing/selftests/bpf/xdp_synproxy.c         | 466 ++++++++++
 13 files changed, 1790 insertions(+), 22 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_synproxy.c
 create mode 100644 tools/testing/selftests/bpf/progs/xdp_synproxy_kern.c
 create mode 100644 tools/testing/selftests/bpf/xdp_synproxy.c

-- 
2.30.2
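Editor's added illustration (not code from this series, the kernel, or the selftest it describes): the cover letter's key idea is that a SYN cookie can be issued from packet fields alone and verified later without any socket, which is what lets XDP stand in for synproxy. The stand-alone user-space C program below shows that mechanism end to end. Its 32-bit cookie layout (8-bit counter, 2-bit MSS index, 22-bit keyed hash), its fixed demo key, its MSS table and the `flow_t` struct are all constructed for this example and are not the kernel's; the hash is SipHash-2-4 implemented inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not code from this patch series or the kernel:
 * a simplified, socketless SYN cookie issue/check in user-space C.
 * It shows the idea behind the helpers the cover letter describes
 * (issue a cookie from packet fields alone, verify it later with no
 * socket), but the 32-bit layout, key and MSS table are illustrative. */

/* Cookie layout (illustrative): [31..24] 8-bit time counter,
 * [23..22] MSS table index, [21..0] keyed hash of the flow. */
#define COOKIE_MSS_SHIFT  22
#define COOKIE_HASH_MASK  ((1u << COOKIE_MSS_SHIFT) - 1)

/* Fixed demo key; a real issuer uses a per-boot random secret. */
static const uint64_t demo_k0 = 0x0706050403020100ULL;
static const uint64_t demo_k1 = 0x0f0e0d0c0b0a0908ULL;

/* MSS values the 2-bit index can encode (constructed table). */
static const uint16_t mss_table[4] = { 536, 1220, 1440, 1460 };

/* Packet fields a socketless issuer needs: the 4-tuple and the
 * client's initial sequence number taken from the SYN. */
typedef struct {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint32_t isn;
} flow_t;

#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
    v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32); \
    v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2; \
    v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0; \
    v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32); } while (0)

/* SipHash-2-4 (reference algorithm); byte-wise loads keep it
 * independent of host endianness. */
static uint64_t siphash24(const uint8_t *in, size_t len, uint64_t k0, uint64_t k1)
{
    uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
    uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
    uint64_t b = (uint64_t)len << 56;
    size_t i = 0;
    for (; i + 8 <= len; i += 8) {
        uint64_t m = 0;
        for (int j = 7; j >= 0; j--) m = (m << 8) | in[i + j];
        v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;
    }
    for (; i < len; i++) b |= (uint64_t)in[i] << (8 * (i & 7));
    v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;
    v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
    return v0 ^ v1 ^ v2 ^ v3;
}

/* Keyed hash of (4-tuple, ISN, counter), truncated to the hash field. */
static uint32_t cookie_hash(const flow_t *f, uint32_t count)
{
    uint8_t buf[20];
    uint32_t w[5] = { f->saddr, f->daddr,
                      ((uint32_t)f->sport << 16) | f->dport, f->isn, count };
    for (int i = 0; i < 5; i++)
        for (int j = 0; j < 4; j++) buf[4 * i + j] = (uint8_t)(w[i] >> (8 * j));
    return (uint32_t)siphash24(buf, sizeof buf, demo_k0, demo_k1) & COOKIE_HASH_MASK;
}

/* Issue a cookie for a SYN; it becomes the ISN of our SYN-ACK. No state kept. */
uint32_t syncookie_issue(const flow_t *f, uint16_t mss, uint32_t count)
{
    uint32_t idx = 0;
    for (uint32_t i = 1; i < 4; i++)
        if (mss >= mss_table[i]) idx = i;   /* largest table entry <= mss */
    count &= 0xff;
    return (count << 24) | (idx << COOKIE_MSS_SHIFT) | cookie_hash(f, count);
}

/* Check the cookie carried in the client's ACK (ack_seq - 1).
 * Returns the encoded MSS if valid, 0 if forged, stale, or for another flow.
 * Cookies from the current or the previous counter window are accepted. */
uint16_t syncookie_check(const flow_t *f, uint32_t cookie, uint32_t now)
{
    uint32_t count = cookie >> 24;
    uint32_t age = (now - count) & 0xff;
    if (age > 1) return 0;
    if (cookie_hash(f, count) != (cookie & COOKIE_HASH_MASK)) return 0;
    return mss_table[(cookie >> COOKIE_MSS_SHIFT) & 3];
}

int main(void)
{
    /* Constructed flow: 10.0.0.2:40000 -> 10.0.0.1:80, client ISN 0x11223344. */
    flow_t f = { 0x0a000002, 0x0a000001, 40000, 80, 0x11223344 };
    uint32_t c = syncookie_issue(&f, 1460, 5);
    printf("cookie=%08x now=%u next=%u stale=%u tampered=%u\n",
           c, syncookie_check(&f, c, 5), syncookie_check(&f, c, 6),
           syncookie_check(&f, c, 7), syncookie_check(&f, c ^ 1, 5));
    return 0;
}
```

The design point this makes concrete is why a socketless check matters for the synproxy path: `syncookie_check` needs only the headers of the ACK and the current counter, so a proxy sitting in XDP can accept or drop the handshake without a listening socket ever existing for the flow, and a cookie that is stale, altered, or replayed against a different 4-tuple fails the same hash comparison.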