[Kernel-packages] [Bug 1934499] Re: New BPF helpers to query conntrack and to generate/validate SYN cookies

Tue, 13 Jul 2021 01:00:59 -0700 

** Also affects: linux-bluefield (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: linux-bluefield (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: linux-bluefield (Ubuntu Focal)
       Status: New => Fix Committed

** Changed in: linux-bluefield (Ubuntu Focal)
     Assignee: (unassigned) => Bodong Wang (bodong-wang)

** Changed in: linux-bluefield (Ubuntu)
       Status: In Progress => Invalid

** Changed in: linux-bluefield (Ubuntu)
     Assignee: Bodong Wang (bodong-wang) => (unassigned)

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-bluefield in Ubuntu.
https://bugs.launchpad.net/bugs/1934499

Title:
  New BPF helpers to query conntrack and to generate/validate SYN
  cookies

Status in linux-bluefield package in Ubuntu:
  Invalid
Status in linux-bluefield source package in Focal:
  Fix Committed

Bug description:
  Ticket for the patch series that adds new BPF helpers to query
  conntrack and to generate SYN cookies for forwarded connections.

  * Explain the bug(s)

  This patch series aims to accelerate iptables synproxy module with
  XDP. The stage that generates and checks SYN cookies is stateless and
  can be implemented in XDP.

  * Brief explanation of fixes

  The series first cherry picked multiple upstream patches from xdp/bpf to 
support
  the new BPF helpers.

  Then it adds new BPF helpers on top of those upstream patches.

  * bpf_ct_lookup_tcp to lookup CT status of a TCP connection.

  * bpf_tcp_raw_gen_syncookie to generate SYN cookies without a listening
  socket on the same host (to be used with iptables synproxy module).

  * bpf_tcp_raw_check_syncookie to check SYN cookies generated by the
  previos helper (to be used with iptables synproxy module).

  * bpf_tcp_raw_gen_tscookie to generate timestamp cookies, which encode
  additional information like SACK permission, ECN support, window scale.
  The format is compatible with iptables synproxy module.

  These new helpers allow to accelerate the iptables synproxy module. This
  series also includes some dependency patches backported from upstream.

  * How to test

  Use an XDP application that generates and checks SYN cookies,
  leveraging the new helpers.

  * What it could break.

  Nothing should be broken, only new functionality is added, and some
  patches are backported from upstream.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-bluefield/+bug/1934499/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to