lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 28 Jun 2024 21:56:26 +0200
From: Lorenzo Bianconi <lorenzo@...nel.org>
To: bpf@...r.kernel.org
Cc: pablo@...filter.org, kadlec@...filter.org, davem@...emloft.net,
	edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	ast@...nel.org, daniel@...earbox.net, andrii@...nel.org,
	martin.lau@...ux.dev, eddyz87@...il.com,
	lorenzo.bianconi@...hat.com, toke@...hat.com, fw@...len.de,
	hawk@...nel.org, horms@...nel.org, donhunte@...hat.com,
	memxor@...il.com
Subject: Re: [PATCH v5 bpf-next 0/3] netfilter: Add the capability to offload
 flowtable in XDP layer

> Introduce bpf_xdp_flow_lookup kfunc in order to perform the lookup of
> a given flowtable entry based on the fib tuple of incoming traffic.
> bpf_xdp_flow_lookup can be used as building block to offload in XDP
> the sw flowtable processing when the hw support is not available.
> 
> This series has been tested running the xdp_flowtable_offload eBPF program
> on an ixgbe 10Gbps NIC (eno2) in order to XDP_REDIRECT the TCP traffic to
> a veth pair (veth0-veth1) based on the content of the nf_flowtable as soon
> as the TCP connection is in the established state:
> 
> [tcp client] (eno1) == LAN == (eno2) xdp_flowtable_offload [XDP_REDIRECT] --> veth0 == veth1 [tcp server]
> 
> table inet filter {
> 	flowtable ft {
> 		hook ingress priority filter
> 		devices = { eno2, veth0 }
> 	}
> 	chain forward {
> 		type filter hook forward priority filter
> 		meta l4proto { tcp, udp } flow add @ft
> 	}
> }
> 
> -  sw flowtable [1 TCP stream, T = 300s]: ~ 6.2 Gbps
> - xdp flowtable [1 TCP stream, T = 300s]: ~ 7.6 Gbps
> 
> -  sw flowtable [3 TCP stream, T = 300s]: ~ 7.7 Gbps
> - xdp flowtable [3 TCP stream, T = 300s]: ~ 8.8 Gbps
> 
> Changes since v4:
> - add missing BPF_NO_KFUNC_PROTOTYPES macro to selftest
> Changes since v3:
> - move flowtable map utilities in nf_flow_table_xdp.c
> Changes since v2:
> - introduce bpf_flowtable_opts struct in bpf_xdp_flow_lookup signature
> - get rid of xdp_flowtable_offload bpf sample
> - get rid of test_xdp_flowtable.sh for selftest and rely on prog_tests instead
> - rename bpf_xdp_flow_offload_lookup in bpf_xdp_flow_lookup
> Changes since v1:
> - return NULL in bpf_xdp_flow_offload_lookup kfunc in case of error
> - take into account kfunc registration possible failures
> Changes since RFC:
> - fix compilation error if BTF is not enabled

Hi all,

Looking at patchwork this series is marked as 'Archived' even if the eBPF bits
have been acked by Alexei while netfilter ones have been acked by Pablo.
Am I missing something? Do I need to repost?

Regards,
Lorenzo

> 
> Akced-by: Pablo Neira Ayuso <pablo@...filter.org>
> 
> Florian Westphal (1):
>   netfilter: nf_tables: add flowtable map for xdp offload
> 
> Lorenzo Bianconi (2):
>   netfilter: add bpf_xdp_flow_lookup kfunc
>   selftests/bpf: Add selftest for bpf_xdp_flow_lookup kfunc
> 
>  include/net/netfilter/nf_flow_table.h         |  18 ++
>  net/netfilter/Makefile                        |   7 +-
>  net/netfilter/nf_flow_table_bpf.c             | 117 ++++++++++++
>  net/netfilter/nf_flow_table_inet.c            |   2 +-
>  net/netfilter/nf_flow_table_offload.c         |   6 +-
>  net/netfilter/nf_flow_table_xdp.c             | 163 +++++++++++++++++
>  tools/testing/selftests/bpf/config            |  13 ++
>  .../selftests/bpf/prog_tests/xdp_flowtable.c  | 168 ++++++++++++++++++
>  .../selftests/bpf/progs/xdp_flowtable.c       | 146 +++++++++++++++
>  9 files changed, 636 insertions(+), 4 deletions(-)
>  create mode 100644 net/netfilter/nf_flow_table_bpf.c
>  create mode 100644 net/netfilter/nf_flow_table_xdp.c
>  create mode 100644 tools/testing/selftests/bpf/prog_tests/xdp_flowtable.c
>  create mode 100644 tools/testing/selftests/bpf/progs/xdp_flowtable.c
> 
> -- 
> 2.45.1
> 

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ