Re: [bpf-next, v4 0/5] Introduce eBPF flow dissector

2018-09-14 Thread Petar Penkov
On Fri, Sep 14, 2018 at 2:47 PM, Y Song wrote: > On Fri, Sep 14, 2018 at 12:24 PM Alexei Starovoitov > wrote: >> >> On Fri, Sep 14, 2018 at 07:46:17AM -0700, Petar Penkov wrote: >> > From: Petar Penkov >> > >> > This patch series hardens th

[bpf-next, v4 5/5] selftests/bpf: test bpf flow dissection

2018-09-14 Thread Petar Penkov
From: Petar Penkov Adds a test that sends different types of packets over multiple tunnels and verifies that valid packets are dissected correctly. To do so, a tc-flower rule is added to drop packets on UDP src port 9, and packets are sent from ports 8, 9, and 10. Only the packets on port 9

[bpf-next, v4 4/5] flow_dissector: implements eBPF parser

2018-09-14 Thread Petar Penkov
From: Petar Penkov This eBPF program extracts basic/control/ip address/ports keys from incoming packets. It supports recursive parsing for IP encapsulation, and VLAN, along with IPv4/IPv6 and extension headers. This program is meant to show how flow dissection and key extraction can be done

[bpf-next, v4 2/5] bpf: sync bpf.h uapi with tools/

2018-09-14 Thread Petar Penkov
From: Petar Penkov This patch syncs tools/include/uapi/linux/bpf.h with the flow dissector definitions from include/uapi/linux/bpf.h Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- tools/include/uapi/linux/bpf.h | 26 ++ 1 file changed, 26 insertions

[bpf-next, v4 3/5] bpf: support flow dissector in libbpf and bpftool

2018-09-14 Thread Petar Penkov
From: Petar Penkov This patch extends libbpf and bpftool to work with programs of type BPF_PROG_TYPE_FLOW_DISSECTOR. Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- tools/bpf/bpftool/prog.c | 1 + tools/lib/bpf/libbpf.c | 2 ++ 2 files changed, 3 insertions(+) diff --git

[bpf-next, v4 0/5] Introduce eBPF flow dissector

2018-09-14 Thread Petar Penkov
From: Petar Penkov This patch series hardens the RX stack by allowing flow dissection in BPF, as previously discussed [1]. Because of the rigorous checks of the BPF verifier, this provides significant security guarantees. In particular, the BPF flow dissector cannot get inside of an infinite

[bpf-next, v4 1/5] flow_dissector: implements flow dissector BPF hook

2018-09-14 Thread Petar Penkov
From: Petar Penkov Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector path. The BPF program is per-network namespace. Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- include/linux/bpf.h

[bpf-next, v3 0/5] Introduce eBPF flow dissector

2018-09-13 Thread Petar Penkov
From: Petar Penkov This patch series hardens the RX stack by allowing flow dissection in BPF, as previously discussed [1]. Because of the rigorous checks of the BPF verifier, this provides significant security guarantees. In particular, the BPF flow dissector cannot get inside of an infinite

[bpf-next, v3 2/5] bpf: sync bpf.h uapi with tools/

2018-09-13 Thread Petar Penkov
From: Petar Penkov This patch syncs tools/include/uapi/linux/bpf.h with the flow dissector definitions from include/uapi/linux/bpf.h Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- tools/include/uapi/linux/bpf.h | 26 ++ 1 file changed, 26 insertions

[bpf-next, v3 3/5] bpf: support flow dissector in libbpf and bpftool

2018-09-13 Thread Petar Penkov
From: Petar Penkov This patch extends libbpf and bpftool to work with programs of type BPF_PROG_TYPE_FLOW_DISSECTOR. Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- tools/bpf/bpftool/prog.c | 1 + tools/lib/bpf/libbpf.c | 2 ++ 2 files changed, 3 insertions(+) diff --git

[bpf-next, v3 5/5] selftests/bpf: test bpf flow dissection

2018-09-13 Thread Petar Penkov
From: Petar Penkov Adds a test that sends different types of packets over multiple tunnels and verifies that valid packets are dissected correctly. To do so, a tc-flower rule is added to drop packets on UDP src port 9, and packets are sent from ports 8, 9, and 10. Only the packets on port 9

[bpf-next, v3 4/5] flow_dissector: implements eBPF parser

2018-09-13 Thread Petar Penkov
From: Petar Penkov This eBPF program extracts basic/control/ip address/ports keys from incoming packets. It supports recursive parsing for IP encapsulation, and VLAN, along with IPv4/IPv6 and extension headers. This program is meant to show how flow dissection and key extraction can be done

[bpf-next, v3 1/5] flow_dissector: implements flow dissector BPF hook

2018-09-13 Thread Petar Penkov
From: Petar Penkov Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector path. The BPF program is per-network namespace. Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- include/linux/bpf.h

[bpf-next, v2 2/3] flow_dissector: implements eBPF parser

2018-09-07 Thread Petar Penkov
From: Petar Penkov This eBPF program extracts basic/control/ip address/ports keys from incoming packets. It supports recursive parsing for IP encapsulation, and VLAN, along with IPv4/IPv6 and extension headers. This program is meant to show how flow dissection and key extraction can be done

[bpf-next, v2 3/3] selftests/bpf: test bpf flow dissection

2018-09-07 Thread Petar Penkov
From: Petar Penkov Adds a test that sends different types of packets over multiple tunnels and verifies that valid packets are dissected correctly. To do so, a tc-flower rule is added to drop packets on UDP src port 9, and packets are sent from ports 8, 9, and 10. Only the packets on port 9

[bpf-next, v2 0/3] Introduce eBPF flow dissector

2018-09-07 Thread Petar Penkov
From: Petar Penkov This patch series hardens the RX stack by allowing flow dissection in BPF, as previously discussed [1]. Because of the rigorous checks of the BPF verifier, this provides significant security guarantees. In particular, the BPF flow dissector cannot get inside of an infinite

[bpf-next, v2 1/3] flow_dissector: implements flow dissector BPF hook

2018-09-07 Thread Petar Penkov
From: Petar Penkov Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector path. The BPF program is per-network namespace. Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- include/linux/bpf.h

Re: [bpf-next 1/3] flow_dissector: implements flow dissector BPF hook

2018-09-06 Thread Petar Penkov
On Mon, Sep 3, 2018 at 1:54 PM, Petar Penkov wrote: > > On Sun, Sep 2, 2018 at 2:03 PM, Daniel Borkmann wrote: > > On 08/30/2018 08:22 PM, Petar Penkov wrote: > >> From: Petar Penkov > >> > >> Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR

Re: [bpf-next 1/3] flow_dissector: implements flow dissector BPF hook

2018-09-03 Thread Petar Penkov
On Sun, Sep 2, 2018 at 2:03 PM, Daniel Borkmann wrote: > On 08/30/2018 08:22 PM, Petar Penkov wrote: >> From: Petar Penkov >> >> Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and >> attach type BPF_FLOW_DISSECTOR that is executed in the flow dissect

[bpf-next 3/3] selftests/bpf: test bpf flow dissection

2018-08-30 Thread Petar Penkov
From: Petar Penkov Adds a test that sends different types of packets over multiple tunnels and verifies that valid packets are dissected correctly. To do so, a tc-flower rule is added to drop packets on UDP src port 9, and packets are sent from ports 8, 9, and 10. Only the packets on port 9

[bpf-next 2/3] flow_dissector: implements eBPF parser

2018-08-30 Thread Petar Penkov
From: Petar Penkov This eBPF program extracts basic/control/ip address/ports keys from incoming packets. It supports recursive parsing for IP encapsulation, and VLAN, along with IPv4/IPv6 and extension headers. This program is meant to show how flow dissection and key extraction can be done

[bpf-next 1/3] flow_dissector: implements flow dissector BPF hook

2018-08-30 Thread Petar Penkov
From: Petar Penkov Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector path. The BPF program is per-network namespace. Signed-off-by: Petar Penkov Signed-off-by: Willem de Bruijn --- include/linux/bpf.h

[bpf-next 0/3] Introduce eBPF flow dissector

2018-08-30 Thread Petar Penkov
From: Petar Penkov This patch series hardens the RX stack by allowing flow dissection in BPF, as previously discussed [1]. Because of the rigorous checks of the BPF verifier, this provides significant security guarantees. In particular, the BPF flow dissector cannot get inside of an infinite

Re: [bpf-next RFC 0/3] Introduce eBPF flow dissector

2018-08-22 Thread Petar Penkov
On Wed, Aug 22, 2018 at 12:28 AM, Daniel Borkmann wrote: > On 08/22/2018 09:22 AM, Daniel Borkmann wrote: >> On 08/22/2018 02:19 AM, Petar Penkov wrote: >>> On Mon, Aug 20, 2018 at 1:52 PM, Alexei Starovoitov >>> wrote: >>>> On Thu, Aug 16,

Re: [bpf-next RFC 0/3] Introduce eBPF flow dissector

2018-08-21 Thread Petar Penkov
On Mon, Aug 20, 2018 at 1:52 PM, Alexei Starovoitov wrote: > On Thu, Aug 16, 2018 at 09:44:20AM -0700, Petar Penkov wrote: >> From: Petar Penkov >> >> This patch series hardens the RX stack by allowing flow dissection in BPF, >> as previously discussed [1]. Bec

Re: [bpf-next RFC 1/3] flow_dissector: implements flow dissector BPF hook

2018-08-16 Thread Petar Penkov
On Thu, Aug 16, 2018 at 3:40 PM, Song Liu wrote: > > On Thu, Aug 16, 2018 at 9:44 AM, Petar Penkov wrote: > > From: Petar Penkov > > > > Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and > > attach type BPF_FLOW_DISSECTOR that is executed in the fl

[bpf-next RFC 1/3] flow_dissector: implements flow dissector BPF hook

2018-08-16 Thread Petar Penkov
From: Petar Penkov Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector path. The BPF program is kept as a global variable so it is accessible to all flow dissectors. Signed-off-by: Petar Penkov Signed-off

[bpf-next RFC 2/3] flow_dissector: implements eBPF parser

2018-08-16 Thread Petar Penkov
From: Petar Penkov This eBPF program extracts basic/control/ip address/ports keys from incoming packets. It supports recursive parsing for IP encapsulation, MPLS, GUE, and VLAN, along with IPv4/IPv6 and extension headers. This program is meant to show how flow dissection and key extraction can

[bpf-next RFC 3/3] selftests/bpf: test bpf flow dissection

2018-08-16 Thread Petar Penkov
From: Petar Penkov Adds a test that sends different types of packets over multiple tunnels and verifies that valid packets are dissected correctly. To do so, a tc-flower rule is added to drop packets on UDP src port 9, and packets are sent from ports 8, 9, and 10. Only the packets on port 9

[bpf-next RFC 0/3] Introduce eBPF flow dissector

2018-08-16 Thread Petar Penkov
From: Petar Penkov This patch series hardens the RX stack by allowing flow dissection in BPF, as previously discussed [1]. Because of the rigorous checks of the BPF verifier, this provides significant security guarantees. In particular, the BPF flow dissector cannot get inside of an infinite

[PATCH,v3,net-next 2/2] tun: enable napi_gro_frags() for TUN/TAP driver

2017-09-22 Thread Petar Penkov
of these are explicit requirements for correct operation in this mode. Signed-off-by: Petar Penkov <peterpenko...@gmail.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Bandewar <mahe...@google.com> Cc: Willem de Bruijn <will...@google.com> Cc: da...@davemloft.net

[PATCH,v3,net-next 1/2] tun: enable NAPI for TUN/TAP driver

2017-09-22 Thread Petar Penkov
: napi_gro_receive(): 4.90s netif_rx_ni(): 4.90s netif_receive_skb():7.20s Signed-off-by: Petar Penkov <peterpenko...@gmail.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Bandewar <mahe...@google.com> Cc: Willem de Bruijn <will.

[PATCH,v3,net-next 0/2] Improve code coverage of syzkaller

2017-09-22 Thread Petar Penkov
and IFF_TAP) are met before opening/attaching rather than after. If they are not, change the behavior from discarding the flag to rejecting the command with EINVAL. Petar Penkov (2): tun: enable NAPI for TUN/TAP driver tun: enable napi_gro_frags() for TUN/TAP driver drivers

Re: [PATCH,v2,net-next 2/2] tun: enable napi_gro_frags() for TUN/TAP driver

2017-09-22 Thread Petar Penkov
On Fri, Sep 22, 2017 at 9:51 AM, Mahesh Bandewar (महेश बंडेवार) wrote: > On Fri, Sep 22, 2017 at 7:06 AM, Willem de Bruijn > wrote: >>> @@ -2061,6 +2174,9 @@ static int tun_set_iff(struct net *net, struct file >>> *file, struct ifreq *ifr)

[PATCH,v2,net-next 2/2] tun: enable napi_gro_frags() for TUN/TAP driver

2017-09-21 Thread Petar Penkov
of these are explicit requirements for correct operation in this mode. Signed-off-by: Petar Penkov <peterpenko...@gmail.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Bandewar <mahe...@google.com> Cc: Willem de Bruijn <will...@google.com> Cc: da...@davemloft.net

[PATCH,v2,net-next 0/2] Improve code coverage of syzkaller

2017-09-21 Thread Petar Penkov
IFF_NAPI_FRAGS to 0x0020 to accommodate for IFF_NAPI, Require capable(CAP_NET_ADMIN) to set IFF_NAPI_FRAGS. Petar Penkov (2): tun: enable NAPI for TUN/TAP driver tun: enable napi_gro_frags() for TUN/TAP driver drivers/net/tun.c | 258

[PATCH,v2,net-next 1/2] tun: enable NAPI for TUN/TAP driver

2017-09-21 Thread Petar Penkov
: napi_gro_receive(): 4.90s netif_rx_ni(): 4.90s netif_receive_skb():7.20s Signed-off-by: Petar Penkov <peterpenko...@gmail.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Bandewar <mahe...@google.com> Cc: Willem de Bruijn <will.

Re: [PATCH,net-next,0/2] Improve code coverage of syzkaller

2017-09-19 Thread Petar Penkov
On Tue, Sep 19, 2017 at 4:01 PM, David Miller <da...@davemloft.net> wrote: > From: Petar Penkov <peterpenko...@gmail.com> > Date: Tue, 19 Sep 2017 00:34:00 -0700 > >> The following patches address this by providing the user(syzkaller) >> with the abi

[PATCH,net-next,0/2] Improve code coverage of syzkaller

2017-09-19 Thread Petar Penkov
napi_gro_receive() Patch 2/ Use NAPI skb and napi_gro_frags(), exercise flow dissector, and allow custom skbs. Petar Penkov (2): tun: enable NAPI for TUN/TAP driver tun: enable napi_gro_frags() for TUN/TAP driver drivers/net/Kconfig | 8 ++ drivers/net/tun.c

[PATCH,net-next,2/2] tun: enable napi_gro_frags() for TUN/TAP driver

2017-09-19 Thread Petar Penkov
. This is imposed because this mode is intended for testing via tools like syzkaller and packetdrill, and the increased flexibility it provides can introduce security vulnerabilities. Signed-off-by: Petar Penkov <peterpenko...@gmail.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Ba

[PATCH,net-next,1/2] tun: enable NAPI for TUN/TAP driver

2017-09-19 Thread Petar Penkov
: napi_gro_receive(): 4.90s netif_rx_ni(): 4.90s netif_receive_skb():7.20s Signed-off-by: Petar Penkov <peterpenko...@gmail.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Bandewar <mahe...@google.com> Cc: Willem de Bruijn <will.

[PATCH net-next RFC 0/2] Improve code coverage of syzkaller

2017-09-05 Thread Petar Penkov
(), exercise flow dissector, and allow custom skbs. Petar Penkov (2): tun: enable NAPI for TUN/TAP driver tun: enable napi_gro_frags() for TUN/TAP driver drivers/net/Kconfig | 8 ++ drivers/net/tun.c | 251 +--- include/uapi

[PATCH net-next RFC 2/2] tun: enable napi_gro_frags() for TUN/TAP driver

2017-09-05 Thread Petar Penkov
. This is imposed because this mode is intended for testing via tools like syzkaller and packetdrill, and the increased flexibility it provides can introduce security vulnerabilities. Signed-off-by: Petar Penkov <ppen...@google.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Ba

[PATCH net-next RFC 1/2] tun: enable NAPI for TUN/TAP driver

2017-09-05 Thread Petar Penkov
: napi_gro_receive(): 4.90s netif_rx_ni(): 4.90s netif_receive_skb():7.20s Signed-off-by: Petar Penkov <ppen...@google.com> Cc: Eric Dumazet <eduma...@google.com> Cc: Mahesh Bandewar <mahe...@google.com> Cc: Willem de Bruijn <will.