Message-ID: <e1c747a9-64b7-471b-8fb8-093b8f080490@linux.alibaba.com>
Date: Tue, 20 Feb 2024 15:16:01 +0800
From: "D. Wythe" <alibuda@...ux.alibaba.com>
To: Pablo Neira Ayuso <pablo@...filter.org>, Quentin Deslandes <qde@...cy.de>
Cc: kadlec@...filter.org, fw@...len.de, bpf@...r.kernel.org,
 linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
 coreteam@...filter.org, netfilter-devel@...r.kernel.org,
 davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, ast@...nel.org
Subject: Re: [RFC nf-next v5 0/2] netfilter: bpf: support prog update



On 2/15/24 12:41 AM, Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2024 at 05:10:46PM +0100, Quentin Deslandes wrote:
>> On 2024-01-02 07:11, D. Wythe wrote:
>>> From: "D. Wythe" <alibuda@...ux.alibaba.com>
>>>
>>> These patches attempt to implement updating of progs within
>>> bpf netfilter link, allowing users to update their ebpf netfilter
>>> prog in a hot update manner.
>>>
>>> Besides, a corresponding test case has been added to verify
>>> whether the update works.
>>> --
>>> v1:
>>> 1. remove unnecessary context, access the prog directly via rcu.
>>> 2. remove synchronize_rcu(), dealloc the nf_link via kfree_rcu.
>>> 3. check the dead flag during the update.
>>> --
>>> v1->v2:
>>> 1. remove unnecessary nf_prog, accessing nf_link->link.prog directly.
>>> --
>>> v2->v3:
>>> 1. access nf_link->link.prog via rcu_dereference_raw to avoid warning.
>>> --
>>> v3->v4:
>>> 1. remove mutex for link update, as it is unnecessary and can be replaced
>>> by atomic operations.
>>> --
>>> v4->v5:
>>> 1. fix error retval check on cmpxchg
>>>
>>> D. Wythe (2):
>>>    netfilter: bpf: support prog update
>>>    selftests/bpf: Add netfilter link prog update test
>>>
>>>   net/netfilter/nf_bpf_link.c                        | 50 ++++++++-----
>>>   .../bpf/prog_tests/netfilter_link_update_prog.c    | 83 ++++++++++++++++++++++
>>>   .../bpf/progs/test_netfilter_link_update_prog.c    | 24 +++++++
>>>   3 files changed, 141 insertions(+), 16 deletions(-)
>>>   create mode 100644 tools/testing/selftests/bpf/prog_tests/netfilter_link_update_prog.c
>>>   create mode 100644 tools/testing/selftests/bpf/progs/test_netfilter_link_update_prog.c
>>>
>> It seems this patch has been forgotten, hopefully this answer
>> will give it more visibility.
>>
>> I've applied this change on 6.8.0-rc4 and tested BPF_LINK_UPDATE
>> with bpfilter and everything seems alright.
> Just post it without RFC tag.

Glad to know that, I will send a formal version soon.

D. Wythe






