Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-20 Thread Daniel Mack
On 09/19/2016 11:53 PM, Sargun Dhillon wrote: > On Mon, Sep 19, 2016 at 06:34:28PM +0200, Daniel Mack wrote: >> On 09/16/2016 09:57 PM, Sargun Dhillon wrote: >>> Now, with this patch, we don't have that, but I think we can reasonably add >>> some >>> flag like "no override" when applying

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-19 Thread Sargun Dhillon
On Mon, Sep 19, 2016 at 06:34:28PM +0200, Daniel Mack wrote: > Hi, > > On 09/16/2016 09:57 PM, Sargun Dhillon wrote: > > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > > >> I have no idea what makes you think this is limited to systemd. As I > >> said, I provided an example for

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-19 Thread Daniel Mack
Hi, On 09/16/2016 09:57 PM, Sargun Dhillon wrote: > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: >> I have no idea what makes you think this is limited to systemd. As I >> said, I provided an example for userspace that works from the command >> line. The same limitations apply as

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-18 Thread Sargun Dhillon
On Fri, Sep 16, 2016 at 12:57:29PM -0700, Sargun Dhillon wrote: > On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > > Hi Pablo, > > > > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > > >> On 09/13/2016 01:56 PM,

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-16 Thread Sargun Dhillon
On Wed, Sep 14, 2016 at 01:13:16PM +0200, Daniel Mack wrote: > Hi Pablo, > > On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > >> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > >>> On Mon, Sep 12, 2016 at 06:12:09PM +0200,

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-15 Thread Daniel Mack
On 09/15/2016 08:36 AM, Vincent Bernat wrote: > ❦ 12 septembre 2016 18:12 CEST, Daniel Mack : > >> * The sample program learned to support both ingress and egress, and >> can now optionally make the eBPF program drop packets by making it >> return 0. > > Ability to lock

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-15 Thread Vincent Bernat
❦ 12 septembre 2016 18:12 CEST, Daniel Mack : > * The sample program learned to support both ingress and egress, and > can now optionally make the eBPF program drop packets by making it > return 0. Ability to lock the eBPF program to avoid modification from a later

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Alexei Starovoitov
On Wed, Sep 14, 2016 at 01:42:49PM +0200, Daniel Borkmann wrote: > >As I said, I'm open to discussing that. In order to make it work for L3, > >the LL_OFF issues need to be solved, as Daniel explained. Daniel, > >Alexei, any idea how much work that would be? > > Not much. You simply need to

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Daniel Borkmann
On 09/14/2016 01:13 PM, Daniel Mack wrote: On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: This is v5 of the patch set

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Daniel Borkmann
On 09/14/2016 12:30 PM, Pablo Neira Ayuso wrote: On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: [...] For us this cgroup+bpf is _not_ for filtering and _not_ for security. If your goal is monitoring, then convert these hooks not to allow to issue a verdict on the packet,

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Daniel Mack
Hi Pablo, On 09/13/2016 07:24 PM, Pablo Neira Ayuso wrote: > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: >> On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: >>> On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: This is v5 of the patch set to allow eBPF programs

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Thomas Graf
On 09/14/16 at 12:30pm, Pablo Neira Ayuso wrote: > On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: > [...] > > For us this cgroup+bpf is _not_ for filtering and _not_ for security. > > If your goal is monitoring, then convert these hooks not to allow to > issue a verdict on

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 09:42:19PM -0700, Alexei Starovoitov wrote: [...] > For us this cgroup+bpf is _not_ for filtering and _not_ for security. If your goal is monitoring, then convert these hooks not to allow to issue a verdict on the packet, so this becomes innocuous in the same fashion as

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-14 Thread Thomas Graf
[Sorry for the repost, gmail decided to start sending HTML crap along overnight for some reason] On 09/13/16 at 09:42pm, Alexei Starovoitov wrote: > On Tue, Sep 13, 2016 at 07:24:08PM +0200, Pablo Neira Ayuso wrote: > > Then you have to explain to me how anyone else than systemd can use this > >

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Alexei Starovoitov
On Tue, Sep 13, 2016 at 07:24:08PM +0200, Pablo Neira Ayuso wrote: > On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > > Hi, > > > > On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > > > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > > >> This is v5 of the patch set

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Pablo Neira Ayuso
On Tue, Sep 13, 2016 at 03:31:20PM +0200, Daniel Mack wrote: > Hi, > > On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > >> This is v5 of the patch set to allow eBPF programs for network > >> filtering and accounting to be attached

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Daniel Borkmann
On 09/13/2016 03:31 PM, Daniel Mack wrote: On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: This is v5 of the patch set to allow eBPF programs for network filtering and accounting to be attached to cgroups, so that they apply to all

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Daniel Mack
Hi, On 09/13/2016 01:56 PM, Pablo Neira Ayuso wrote: > On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: >> This is v5 of the patch set to allow eBPF programs for network >> filtering and accounting to be attached to cgroups, so that they apply >> to all sockets of all tasks placed in

Re: [PATCH v5 0/6] Add eBPF hooks for cgroups

2016-09-13 Thread Pablo Neira Ayuso
Hi, On Mon, Sep 12, 2016 at 06:12:09PM +0200, Daniel Mack wrote: > This is v5 of the patch set to allow eBPF programs for network > filtering and accounting to be attached to cgroups, so that they apply > to all sockets of all tasks placed in that cgroup. The logic also > allows to be extended