| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Dec 2023 16:10:18 -0800 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: Daniel Xu <dxu@...uu.xyz> Cc: Network Development <netdev@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, bpf <bpf@...r.kernel.org>, clang-built-linux <llvm@...ts.linux.dev>, "open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org>, Steffen Klassert <steffen.klassert@...unet.com>, antony.antony@...unet.com, Yonghong Song <yonghong.song@...ux.dev>, Eddy Z <eddyz87@...il.com>, devel@...ux-ipsec.org Subject: Re: [PATCH ipsec-next v3 0/9] Add bpf_xdp_get_xfrm_state() kfunc On Fri, Dec 1, 2023 at 12:23 PM Daniel Xu <dxu@...uu.xyz> wrote: > > This patchset adds two kfunc helpers, bpf_xdp_get_xfrm_state() and > bpf_xdp_xfrm_state_release() that wrap xfrm_state_lookup() and > xfrm_state_put(). The intent is to support software RSS (via XDP) for > the ongoing/upcoming ipsec pcpu work [0]. Recent experiments performed > on (hopefully) reproducible AWS testbeds indicate that single tunnel > pcpu ipsec can reach line rate on 100G ENA nics. > > Note this patchset only tests/shows generic xfrm_state access. The > "secret sauce" (if you can really even call it that) involves accessing > a soon-to-be-upstreamed pcpu_num field in xfrm_state. Early example is > available here [1]. > > [0]: https://datatracker.ietf.org/doc/draft-ietf-ipsecme-multi-sa-performance/03/ > [1]: https://github.com/danobi/xdp-tools/blob/e89a1c617aba3b50d990f779357d6ce2863ecb27/xdp-bench/xdp_redirect_cpumap.bpf.c#L385-L406 > > Changes from v2: > * Fix/simplify BPF_CORE_WRITE_BITFIELD() algorithm > * Added verifier tests for bitfield writes > * Fix state leakage across test_tunnel subtests > > Changes from v1: > * Move xfrm tunnel tests to test_progs > * Fix writing to opts->error when opts is invalid > * Use __bpf_kfunc_start_defs() > * Remove unused vxlanhdr definition > * Add and use BPF_CORE_WRITE_BITFIELD() macro > * Make series bisect clean > > Changes from RFCv2: > * Rebased to ipsec-next > * Fix netns leak > > Changes from RFCv1: > * Add Antony's commit tags > * Add KF_ACQUIRE and KF_RELEASE semantics > > Daniel Xu (9): > bpf: xfrm: Add bpf_xdp_get_xfrm_state() kfunc > bpf: xfrm: Add bpf_xdp_xfrm_state_release() kfunc > libbpf: Add BPF_CORE_WRITE_BITFIELD() macro > bpf: selftests: test_loader: Support __btf_path() annotation > libbpf: selftests: Add verifier tests for CO-RE bitfield writes > bpf: selftests: test_tunnel: Setup fresh topology for each subtest > bpf: selftests: test_tunnel: Use vmlinux.h declarations > bpf: selftests: Move xfrm tunnel test to test_progs > bpf: xfrm: Add selftest for bpf_xdp_get_xfrm_state() > > include/net/xfrm.h | 9 + > net/xfrm/Makefile | 1 + > net/xfrm/xfrm_policy.c | 2 + > net/xfrm/xfrm_state_bpf.c | 128 ++++++++++++++ > tools/lib/bpf/bpf_core_read.h | 34 ++++ > .../selftests/bpf/prog_tests/test_tunnel.c | 162 +++++++++++++++++- > .../selftests/bpf/prog_tests/verifier.c | 2 + > tools/testing/selftests/bpf/progs/bpf_misc.h | 1 + > .../selftests/bpf/progs/bpf_tracing_net.h | 1 + > .../selftests/bpf/progs/test_tunnel_kern.c | 138 ++++++++------- > .../bpf/progs/verifier_bitfield_write.c | 100 +++++++++++ > tools/testing/selftests/bpf/test_loader.c | 7 + > tools/testing/selftests/bpf/test_tunnel.sh | 92 ---------- > 13 files changed, 522 insertions(+), 155 deletions(-) I really think this should go via bpf-next tree. The bpf changes are much bigger than ipsec.
Powered by blists - more mailing lists