On Fri, Sep 14, 2018 at 2:47 PM, Y Song wrote:
> On Fri, Sep 14, 2018 at 12:24 PM Alexei Starovoitov
> wrote:
>>
>> On Fri, Sep 14, 2018 at 07:46:17AM -0700, Petar Penkov wrote:
>> > From: Petar Penkov
>> >
>> > This patch series hardens th
From: Petar Penkov
Adds a test that sends different types of packets over multiple
tunnels and verifies that valid packets are dissected correctly. To do
so, a tc-flower rule is added to drop packets on UDP src port 9, and
packets are sent from ports 8, 9, and 10. Only the packets on port 9
From: Petar Penkov
This eBPF program extracts basic/control/ip address/ports keys from
incoming packets. It supports recursive parsing for IP encapsulation,
and VLAN, along with IPv4/IPv6 and extension headers. This program is
meant to show how flow dissection and key extraction can be done
From: Petar Penkov
This patch syncs tools/include/uapi/linux/bpf.h with the flow dissector
definitions from include/uapi/linux/bpf.h
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
tools/include/uapi/linux/bpf.h | 26 ++
1 file changed, 26 insertions
From: Petar Penkov
This patch extends libbpf and bpftool to work with programs of type
BPF_PROG_TYPE_FLOW_DISSECTOR.
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
tools/bpf/bpftool/prog.c | 1 +
tools/lib/bpf/libbpf.c | 2 ++
2 files changed, 3 insertions(+)
diff --git
From: Petar Penkov
This patch series hardens the RX stack by allowing flow dissection in BPF,
as previously discussed [1]. Because of the rigorous checks of the BPF
verifier, this provides significant security guarantees. In particular, the
BPF flow dissector cannot get inside of an infinite
From: Petar Penkov
Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector
path. The BPF program is per-network namespace.
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
include/linux/bpf.h
From: Petar Penkov
This patch series hardens the RX stack by allowing flow dissection in BPF,
as previously discussed [1]. Because of the rigorous checks of the BPF
verifier, this provides significant security guarantees. In particular, the
BPF flow dissector cannot get inside of an infinite
From: Petar Penkov
This patch syncs tools/include/uapi/linux/bpf.h with the flow dissector
definitions from include/uapi/linux/bpf.h
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
tools/include/uapi/linux/bpf.h | 26 ++
1 file changed, 26 insertions
From: Petar Penkov
This patch extends libbpf and bpftool to work with programs of type
BPF_PROG_TYPE_FLOW_DISSECTOR.
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
tools/bpf/bpftool/prog.c | 1 +
tools/lib/bpf/libbpf.c | 2 ++
2 files changed, 3 insertions(+)
diff --git
From: Petar Penkov
Adds a test that sends different types of packets over multiple
tunnels and verifies that valid packets are dissected correctly. To do
so, a tc-flower rule is added to drop packets on UDP src port 9, and
packets are sent from ports 8, 9, and 10. Only the packets on port 9
From: Petar Penkov
This eBPF program extracts basic/control/ip address/ports keys from
incoming packets. It supports recursive parsing for IP encapsulation,
and VLAN, along with IPv4/IPv6 and extension headers. This program is
meant to show how flow dissection and key extraction can be done
From: Petar Penkov
Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector
path. The BPF program is per-network namespace.
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
include/linux/bpf.h
From: Petar Penkov
This eBPF program extracts basic/control/ip address/ports keys from
incoming packets. It supports recursive parsing for IP encapsulation,
and VLAN, along with IPv4/IPv6 and extension headers. This program is
meant to show how flow dissection and key extraction can be done
From: Petar Penkov
Adds a test that sends different types of packets over multiple
tunnels and verifies that valid packets are dissected correctly. To do
so, a tc-flower rule is added to drop packets on UDP src port 9, and
packets are sent from ports 8, 9, and 10. Only the packets on port 9
From: Petar Penkov
This patch series hardens the RX stack by allowing flow dissection in BPF,
as previously discussed [1]. Because of the rigorous checks of the BPF
verifier, this provides significant security guarantees. In particular, the
BPF flow dissector cannot get inside of an infinite
From: Petar Penkov
Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector
path. The BPF program is per-network namespace.
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
include/linux/bpf.h
On Mon, Sep 3, 2018 at 1:54 PM, Petar Penkov wrote:
>
> On Sun, Sep 2, 2018 at 2:03 PM, Daniel Borkmann wrote:
> > On 08/30/2018 08:22 PM, Petar Penkov wrote:
> >> From: Petar Penkov
> >>
> >> Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR
On Sun, Sep 2, 2018 at 2:03 PM, Daniel Borkmann wrote:
> On 08/30/2018 08:22 PM, Petar Penkov wrote:
>> From: Petar Penkov
>>
>> Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
>> attach type BPF_FLOW_DISSECTOR that is executed in the flow dissect
From: Petar Penkov
Adds a test that sends different types of packets over multiple
tunnels and verifies that valid packets are dissected correctly. To do
so, a tc-flower rule is added to drop packets on UDP src port 9, and
packets are sent from ports 8, 9, and 10. Only the packets on port 9
From: Petar Penkov
This eBPF program extracts basic/control/ip address/ports keys from
incoming packets. It supports recursive parsing for IP encapsulation,
and VLAN, along with IPv4/IPv6 and extension headers. This program is
meant to show how flow dissection and key extraction can be done
From: Petar Penkov
Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector
path. The BPF program is per-network namespace.
Signed-off-by: Petar Penkov
Signed-off-by: Willem de Bruijn
---
include/linux/bpf.h
From: Petar Penkov
This patch series hardens the RX stack by allowing flow dissection in BPF,
as previously discussed [1]. Because of the rigorous checks of the BPF
verifier, this provides significant security guarantees. In particular, the
BPF flow dissector cannot get inside of an infinite
On Wed, Aug 22, 2018 at 12:28 AM, Daniel Borkmann wrote:
> On 08/22/2018 09:22 AM, Daniel Borkmann wrote:
>> On 08/22/2018 02:19 AM, Petar Penkov wrote:
>>> On Mon, Aug 20, 2018 at 1:52 PM, Alexei Starovoitov
>>> wrote:
>>>> On Thu, Aug 16,
On Mon, Aug 20, 2018 at 1:52 PM, Alexei Starovoitov
wrote:
> On Thu, Aug 16, 2018 at 09:44:20AM -0700, Petar Penkov wrote:
>> From: Petar Penkov
>>
>> This patch series hardens the RX stack by allowing flow dissection in BPF,
>> as previously discussed [1]. Bec
On Thu, Aug 16, 2018 at 3:40 PM, Song Liu wrote:
>
> On Thu, Aug 16, 2018 at 9:44 AM, Petar Penkov wrote:
> > From: Petar Penkov
> >
> > Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
> > attach type BPF_FLOW_DISSECTOR that is executed in the fl
From: Petar Penkov
Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and
attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector
path. The BPF program is kept as a global variable so it is
accessible to all flow dissectors.
Signed-off-by: Petar Penkov
Signed-off
From: Petar Penkov
This eBPF program extracts basic/control/ip address/ports keys from
incoming packets. It supports recursive parsing for IP
encapsulation, MPLS, GUE, and VLAN, along with IPv4/IPv6 and extension
headers. This program is meant to show how flow dissection and key
extraction can
From: Petar Penkov
Adds a test that sends different types of packets over multiple
tunnels and verifies that valid packets are dissected correctly. To do
so, a tc-flower rule is added to drop packets on UDP src port 9, and
packets are sent from ports 8, 9, and 10. Only the packets on port 9
From: Petar Penkov
This patch series hardens the RX stack by allowing flow dissection in BPF,
as previously discussed [1]. Because of the rigorous checks of the BPF
verifier, this provides significant security guarantees. In particular, the
BPF flow dissector cannot get inside of an infinite
of these are explicit requirements for correct
operation in this mode.
Signed-off-by: Petar Penkov <peterpenko...@gmail.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Bandewar <mahe...@google.com>
Cc: Willem de Bruijn <will...@google.com>
Cc: da...@davemloft.net
:
napi_gro_receive(): 4.90s
netif_rx_ni(): 4.90s
netif_receive_skb(): 7.20s
Signed-off-by: Petar Penkov <peterpenko...@gmail.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Bandewar <mahe...@google.com>
Cc: Willem de Bruijn <will.
and
IFF_TAP) are met before opening/attaching rather than after.
If they are not, change the behavior from discarding the
flag to rejecting the command with EINVAL.
Petar Penkov (2):
tun: enable NAPI for TUN/TAP driver
tun: enable napi_gro_frags() for TUN/TAP driver
drivers
On Fri, Sep 22, 2017 at 9:51 AM, Mahesh Bandewar (महेश बंडेवार)
wrote:
> On Fri, Sep 22, 2017 at 7:06 AM, Willem de Bruijn
> wrote:
>>> @@ -2061,6 +2174,9 @@ static int tun_set_iff(struct net *net, struct file
>>> *file, struct ifreq *ifr)
of these are explicit requirements for correct
operation in this mode.
Signed-off-by: Petar Penkov <peterpenko...@gmail.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Bandewar <mahe...@google.com>
Cc: Willem de Bruijn <will...@google.com>
Cc: da...@davemloft.net
IFF_NAPI_FRAGS to 0x0020 to accommodate for IFF_NAPI,
Require capable(CAP_NET_ADMIN) to set IFF_NAPI_FRAGS.
Petar Penkov (2):
tun: enable NAPI for TUN/TAP driver
tun: enable napi_gro_frags() for TUN/TAP driver
drivers/net/tun.c | 258
:
napi_gro_receive(): 4.90s
netif_rx_ni(): 4.90s
netif_receive_skb(): 7.20s
Signed-off-by: Petar Penkov <peterpenko...@gmail.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Bandewar <mahe...@google.com>
Cc: Willem de Bruijn <will.
On Tue, Sep 19, 2017 at 4:01 PM, David Miller <da...@davemloft.net> wrote:
> From: Petar Penkov <peterpenko...@gmail.com>
> Date: Tue, 19 Sep 2017 00:34:00 -0700
>
>> The following patches address this by providing the user(syzkaller)
>> with the abi
napi_gro_receive()
Patch 2/ Use NAPI skb and napi_gro_frags(), exercise flow
dissector, and allow custom skbs.
Petar Penkov (2):
tun: enable NAPI for TUN/TAP driver
tun: enable napi_gro_frags() for TUN/TAP driver
drivers/net/Kconfig | 8 ++
drivers/net/tun.c
.
This is imposed because this mode is intended for testing via tools like
syzkaller and packetdrill, and the increased flexibility it provides can
introduce security vulnerabilities.
Signed-off-by: Petar Penkov <peterpenko...@gmail.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Ba
:
napi_gro_receive(): 4.90s
netif_rx_ni(): 4.90s
netif_receive_skb(): 7.20s
Signed-off-by: Petar Penkov <peterpenko...@gmail.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Bandewar <mahe...@google.com>
Cc: Willem de Bruijn <will.
(), exercise flow dissector,
and allow custom skbs.
Petar Penkov (2):
tun: enable NAPI for TUN/TAP driver
tun: enable napi_gro_frags() for TUN/TAP driver
drivers/net/Kconfig | 8 ++
drivers/net/tun.c | 251 +---
include/uapi
.
This is imposed because this mode is intended for testing via tools like
syzkaller and packetdrill, and the increased flexibility it provides can
introduce security vulnerabilities.
Signed-off-by: Petar Penkov <ppen...@google.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Ba
:
napi_gro_receive(): 4.90s
netif_rx_ni(): 4.90s
netif_receive_skb(): 7.20s
Signed-off-by: Petar Penkov <ppen...@google.com>
Cc: Eric Dumazet <eduma...@google.com>
Cc: Mahesh Bandewar <mahe...@google.com>
Cc: Willem de Bruijn <will.