Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-20 Thread Daniel Mack
On 09/19/2016 11:53 PM, Sargun Dhillon wrote: > On Mon, Sep 19, 2016 at 06:34:28PM +0200, Daniel Mack wrote: >> On 09/16/2016 09:57 PM, Sargun Dhillon wrote: >>> Now, with this patch, we don't have that, but I think we can reasonably add >>> some >>> flag like "no override" when applying

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-19 Thread Sargun Dhillon
On Mon, Sep 19, 2016 at 06:34:28PM +0200, Daniel Mack wrote: > Hi, > > On 09/16/2016 09:57 PM, Sargun Dhillon wrote: > > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > > >> I have no idea what makes you think this is limited to systemd. As I > >> said, I provided an example for

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-19 Thread Daniel Mack
Hi, On 09/16/2016 09:57 PM, Sargun Dhillon wrote: > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: >> I have no idea what makes you think this is limited to systemd. As I >> said, I provided an example for userspace that works from the command >> line. The same limitation apply as

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-18 Thread Sargun Dhillon
On Fri, Sep 16, 2016 at 12:57:29PM -0700, Sargun Dhillon wrote: > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > > Hi Pablo, > > > > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > > >> On 09/13/2016 01:56 PM,

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-16 Thread Sargun Dhillon
On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > Hi Pablo, > > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > >> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > >>> On Mon, Sep 12, 2016 at 06:12:09PM +0200,

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-15 Thread Daniel Mack
On 09/15/2016 08:36 AM, Vincent Bernat wrote: > ❦ 12 September 2016 18:12 CEST, Daniel Mack: > >> * The sample program learned to support both ingress and egress, and >> can now optionally make the eBPF program drop packets by making it >> return 0. > > Ability to lock

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-15 Thread Vincent Bernat
❦ 12 September 2016 18:12 CEST, Daniel Mack: > * The sample program learned to support both ingress and egress, and > can now optionally make the eBPF program drop packets by making it > return 0. Ability to lock the eBPF program to avoid modification from a later

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Alexei Starovoitov
On Wed, Sep 14, 2016 at 01:42:49PM +0200, Daniel Borkmann wrote: > >As I said, I'm open to discussing that. In order to make it work for L3, > >the LL_OFF issues need to be solved, as Daniel explained. Daniel, > >Alexei, any idea how much work that would be? > > Not much. You simply need to

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Daniel Borkmann
On 09/14/2016 01:13 PM, Daniel Mack wrote: On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: This is v5 of the patch set

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Daniel Borkmann
On 09/14/2016 12:30 PM, Pablo Neira Ayuso wrote: On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: [...] For us this cgroup+bpf is _not_ for filtering and _not_ for security. If your goal is monitoring, then convert these hooks not to allow to issue a verdict on the packet,

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Daniel Mack
Hi Pablo, On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: >> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: >>> On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: This is v5 of the patch set to allow eBPF programs

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Thomas Graf
On 09/14/16 at 12:30pm, Pablo Neira Ayuso wrote: > On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: > [...] > > For us this cgroup+bpf is _not_ for filtering and _not_ for security. > > If your goal is monitoring, then convert these hooks not to allow to > issue a verdict on

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: [...] > For us this cgroup+bpf is _not_ for filtering and _not_ for security. If your goal is monitoring, then convert these hooks not to allow to issue a verdict on the packet, so this becomes innocuous in the same fashion as

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Thomas Graf
[Sorry for the repost, gmail decided to start sending HTML crap along overnight for some reason] On 09/13/16 at 09:42pm, Alexei Starovoitov wrote: > On Tue, Sep 13, 2016 at 07:24:08PM +0200, Pablo Neira Ayuso wrote: > > Then you have to explain me how can anyone else than systemd use this > >

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Alexei Starovoitov
On Tue, Sep 13, 2016 at 07:24:08PM +0200, Pablo Neira Ayuso wrote: > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > > Hi, > > > > On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > > > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > > >> This is v5 of the patch set

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > Hi, > > On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > >> This is v5 of the patch set to allow eBPF programs for network > >> filtering and accounting to be attached

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Daniel Borkmann
On 09/13/2016 03:31 PM, Daniel Mack wrote: On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: This is v5 of the patch set to allow eBPF programs for network filtering and accounting to be attached to cgroups, so that they apply to all

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Daniel Mack
Hi, On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: >> This is v5 of the patch set to allow eBPF programs for network >> filtering and accounting to be attached to cgroups, so that they apply >> to all sockets of all tasks placed in

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Pablo Neira Ayuso
Hi, On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > This is v5 of the patch set to allow eBPF programs for network > filtering and accounting to be attached to cgroups, so that they apply > to all sockets of all tasks placed in that cgroup. The logic also > allows to be extended

[PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-12 Thread Daniel Mack
This is v5 of the patch set to allow eBPF programs for network filtering and accounting to be attached to cgroups, so that they apply to all sockets of all tasks placed in that cgroup. The logic also allows to be extended for other cgroup based eBPF logic. After chatting with Daniel Borkmann
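The two mechanisms the thread keeps coming back to, a cgroup-attached program issuing a verdict (the sample program dropping packets by returning 0, as Vincent Bernat and Daniel Mack discuss above) and the attach operation itself from the cover letter, as an added example that is not code from the patch set or from its sample program. It is a small userspace loader that hand-assembles the two-instruction verdict program and attaches it to a cgroup v2 directory with BPF_PROG_ATTACH. The command numbers, program type and attach types follow the UAPI as it was eventually merged (BPF_PROG_TYPE_CGROUP_SKB, BPF_CGROUP_INET_INGRESS/EGRESS) and are redefined locally; they may differ in detail from what v5 of the series carried. Function names, the cgroup path and the x86_64 fallback syscall number are this example's own assumptions. Loading and attaching require Linux with cgroup-bpf support and CAP_NET_ADMIN.

```c
/* Added example, not code from the series or its sample program: hand-assemble
 * a cgroup skb verdict program (return 0 = drop, 1 = allow) and attach it to a
 * cgroup.  Constants follow the UAPI as merged; v5 may have differed in detail. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef SYS_bpf
# define SYS_bpf 321            /* assumption: x86_64 syscall number */
#endif

/* UAPI subset, redefined locally so this builds against any linux/bpf.h. */
enum { BPF_PROG_LOAD = 5, BPF_PROG_ATTACH = 8, BPF_PROG_DETACH = 9 };
enum { BPF_PROG_TYPE_CGROUP_SKB = 8 };
enum { BPF_CGROUP_INET_INGRESS = 0, BPF_CGROUP_INET_EGRESS = 1 };
#define INSN_MOV64_IMM 0xb7     /* BPF_ALU64 | BPF_MOV | BPF_K */
#define INSN_EXIT      0x95     /* BPF_JMP | BPF_EXIT */

struct bpf_insn {               /* same 8-byte layout as the kernel's */
	uint8_t code;
	uint8_t dst_reg:4;
	uint8_t src_reg:4;
	int16_t off;
	int32_t imm;
};

/* Leading bytes of union bpf_attr for BPF_PROG_LOAD; the kernel zero-fills
 * the part of the union we do not pass. */
struct attr_prog_load {
	uint32_t prog_type, insn_cnt;
	uint64_t insns, license;
	uint32_t log_level, log_size;
	uint64_t log_buf;
} __attribute__((aligned(8)));

/* Bytes of union bpf_attr for BPF_PROG_ATTACH / BPF_PROG_DETACH. */
struct attr_attach {
	uint32_t target_fd;     /* cgroup v2 directory fd */
	uint32_t attach_bpf_fd; /* program fd */
	uint32_t attach_type;   /* BPF_CGROUP_INET_INGRESS or _EGRESS */
} __attribute__((aligned(8)));

static long sys_bpf(int cmd, void *attr, unsigned int size)
{
	return syscall(SYS_bpf, cmd, attr, size);
}

/* Assemble "r0 = allow ? 1 : 0; exit".  A cgroup skb program returning 0
 * drops the packet, 1 lets it pass.  Returns the instruction count. */
size_t build_verdict_prog(struct bpf_insn *insns, int allow)
{
	insns[0] = (struct bpf_insn){ .code = INSN_MOV64_IMM, .dst_reg = 0,
				      .imm = allow ? 1 : 0 };
	insns[1] = (struct bpf_insn){ .code = INSN_EXIT };
	return 2;
}

/* Load the verdict program; returns a program fd or -errno.  On failure the
 * verifier log lands in `log` (may be NULL). */
int load_verdict_prog(int allow, char *log, uint32_t log_len)
{
	struct bpf_insn insns[2];
	struct attr_prog_load attr = {
		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
		.insn_cnt  = (uint32_t)build_verdict_prog(insns, allow),
		.insns     = (uintptr_t)insns,
		.license   = (uintptr_t)"GPL",
		.log_level = log ? 1 : 0,
		.log_size  = log ? log_len : 0,
		.log_buf   = (uintptr_t)log,
	};
	long fd = sys_bpf(BPF_PROG_LOAD, &attr, sizeof attr);
	return fd < 0 ? -errno : (int)fd;
}

/* Attach prog_fd at cgroup_path; returns 0 or -errno (-ENOENT: no such
 * cgroup, -EPERM: no CAP_NET_ADMIN, -EINVAL: kernel without cgroup-bpf). */
int attach_to_cgroup(const char *cgroup_path, int prog_fd, uint32_t attach_type)
{
	int cg_fd = open(cgroup_path, O_RDONLY | O_DIRECTORY);
	if (cg_fd < 0)
		return -errno;
	struct attr_attach attr = { .target_fd = (uint32_t)cg_fd,
				    .attach_bpf_fd = (uint32_t)prog_fd,
				    .attach_type = attach_type };
	int err = sys_bpf(BPF_PROG_ATTACH, &attr, sizeof attr) < 0 ? -errno : 0;
	close(cg_fd);
	return err;
}

/* ./cgroup_verdict /sys/fs/cgroup/<group> drop|allow   (egress, CAP_NET_ADMIN) */
int main(int argc, char **argv)
{
	char log[4096] = "";
	if (argc != 3) {
		fprintf(stderr, "usage: %s <cgroup-dir> drop|allow\n", argv[0]);
		return 2;
	}
	int prog_fd = load_verdict_prog(strcmp(argv[2], "allow") == 0, log, sizeof log);
	if (prog_fd < 0) {
		fprintf(stderr, "BPF_PROG_LOAD: %s\n%s", strerror(-prog_fd), log);
		return 1;
	}
	int err = attach_to_cgroup(argv[1], prog_fd, BPF_CGROUP_INET_EGRESS);
	if (err) {
		fprintf(stderr, "BPF_PROG_ATTACH: %s\n", strerror(-err));
		return 1;
	}
	printf("%s program attached on egress of %s\n", argv[2], argv[1]);
	return 0;
}
```

Every socket of every task in the target cgroup (and, by the hierarchy semantics discussed in the thread, its descendants) is then subject to the verdict on egress; attach the same program with BPF_CGROUP_INET_INGRESS for the receive side. The "no override" behaviour the thread discusses is not expressed here: this attr carries no flags, so whatever the kernel's default hierarchy policy is applies.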